Sendmail-SN-201101-01                                           Security Note
                                                                Sendmail, Inc.

Topic: OpenSSL Security Advisories Impact on Sentrion MP

Announced: 2011-01-05

Sendmail, Inc. Security Notes and Security Advisories are available at http://www.sendmail.com/sm/security/.

I. Security Note

OpenSSL released two advisories recently, both of which have a potential impact on the Sentrion message processing engine (MPE). The next Sentrion releases, MP 4.1.1 and MP 3.1.15, will include an updated version of OpenSSL to address these vulnerabilities. However, until those releases are available and installed, customers can follow the guidance below to protect themselves.

TLS extension parsing race condition (CVE-2010-3864)
----------------------------------------------------
According to the advisory, a program is affected by this vulnerability only if it is multithreaded and uses both OpenSSL's session caching and its TLS extension features. On the Sentrion, the only component meeting those criteria is the reporting package integrated within the MP v4.0.5 and MP v4.1.0 releases, and specifically its Web GUI, which in a typical deployment is installed on the organization's internal network without access from the external network. Based on this assessment, the risk level for the Sentrion is low; the fix is nevertheless targeted for the next release, MP v4.1.1.

OpenSSL Ciphersuite Downgrade Attack (CVE-2010-4180)
----------------------------------------------------
According to the advisory, a program is affected by this vulnerability only if it uses OpenSSL's internal caching mechanisms and sets the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG flag (or the SSL_OP_ALL option, which includes it). The Sentrion MP includes one component that satisfies both criteria: the sendmail MTA. All other components either use only strong ciphers or do not set that flag (nor the SSL_OP_ALL option). This applies to MP 3.1.6 and later and to all releases of MP 4.X. Until customers are able to upgrade to MP 3.1.15 or MP 4.1.1, they can eliminate the exposure by not using weak ciphers. This is done by setting the MTA's CipherList option to "HIGH":

	LOCAL_CONFIG
	O CipherList=HIGH
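As an added, self-contained check that is not part of this Security Note, the following Python script classifies the suites a CipherList value enables, so an administrator can confirm that the configured value leaves no export, NULL, short-key or MD5-MAC suites behind. The `openssl ciphers -v` sample is constructed, and the weak/strong rule is the example's own heuristic rather than OpenSSL's exact definition of HIGH.

```python
import re
import subprocess

# Constructed sample of `openssl ciphers -v` output in the OpenSSL 0.9.8-era
# format, embedded so the check runs offline; real input comes from the command
# in check_cipherlist() below.
SAMPLE_CIPHERS_V = """\
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
"""

# One line per suite: name, protocol, Kx=, Au=, Enc=, Mac=, optional flags.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+\S+\s+Kx=(?P<kx>\S+)\s+Au=\S+\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<flags>.*)$"
)

def weak_suites(ciphers_v_output, min_bits=128):
    """Names of suites that fall below the floor this check enforces (its own
    heuristic, not OpenSSL's definition of HIGH): export-grade key exchange,
    NULL encryption, fewer than min_bits of symmetric key, or an MD5 MAC."""
    weak = []
    for line in ciphers_v_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or unexpected lines
        enc, kx = m.group("enc"), m.group("kx")
        bits_match = re.search(r"\((\d+)\)", enc)
        bits = int(bits_match.group(1)) if bits_match else 0
        if ("export" in m.group("flags") or "(" in kx or enc.startswith("None")
                or bits < min_bits or m.group("mac") == "MD5"):
            weak.append(m.group("name"))
    return weak

def check_cipherlist(spec):
    """Expand a CipherList value (e.g. "HIGH") with the local OpenSSL and return
    the weak suites it still enables; an empty list is the desired result."""
    out = subprocess.run(["openssl", "ciphers", "-v", spec],
                         capture_output=True, text=True, check=True).stdout
    return weak_suites(out)
```

Run `check_cipherlist("HIGH")` on the host whose OpenSSL the MTA links against; the result reflects that build's cipher table, not the constructed sample.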

OpenSSL JPAKE validation error (CVE-2010-4252)
----------------------------------------------
J-PAKE is an experimental implementation in OpenSSL that is not compiled into the Sentrion MP. The Sentrion MP is therefore not affected by this vulnerability.

II. References

      OpenSSL advisories:
            http://www.openssl.org/news/secadv_20101116.txt
            http://www.openssl.org/news/secadv_20101202.txt

      CVEs:
            http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3864
            http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4180
            http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4252
