ECO NUMBER:       ULTSENDMAIL_E01044
-----------
PRODUCT:          ULTRIX Operating System
--------
UPDATED PRODUCT:  ULTRIX Operating System V4.3 thru V4.4
----------------
APPRX BLCK SIZE:  1986560 bytes
----------------

Digital Equipment Corporation

TITLE:  Potential Security Vulnerability Sendmail V5.65
        ULTRIX V4.3, V4.3a, V4.4

IMPACT: URGENT

A potential security vulnerability has been discovered where under
certain circumstances authorized users may gain unauthorized
privileges. The potential vulnerability has been recently published in
various advisories distributed across the Internet, to various media
and mail distributions.

ACTION: Upgrade to at least DEC ULTRIX V4.3 and install this kit.

Versions of DEC ULTRIX to which this kit may be applied:

    DEC ULTRIX V4.3, V4.3a, V4.4

Files patched or replaced:

    /usr/lib/sendmail

Problems addressed in this kit:

(VAX V4.3, RISC V4.3, RISC V4.3a, VAX V4.4, RISC V4.4)

  o A potential security vulnerability has been discovered where under
    certain circumstances authorized users may gain unauthorized
    privileges.

  o sendmail was failing when large distribution lists were used. A
    typical error message was "Unbalanced <" when the original
    distribution list was well-formed.

(VAX V4.3, RISC V4.3, RISC V4.3a)

  o When mail is queued due to heavy load average, the mail size is
    not checked. The mail is later sent even if the size exceeds the
    maximum size specified by the M option in /etc/sendmail.cf.

(VAX V4.3, RISC V4.3)

  o Excess network traffic is created on the domain master server and
    the root servers. This problem occurred because sendmail does a
    DNS lookup of the machine name during the SMTP HELO for all
    connections to sendmail. That means that even DECnet connections
    would cause a DNS lookup. But those lookups would always fail, all
    the way back to the root servers. In this patched version of
    sendmail the lookup is only done if the connection is made to
    sendmail via the IP circuit.

(VAX V4.4)

  o sendmail dies with "bus error (core dumped)" on VAX machines while
    trying to resolve an address that has an MX record.

(VAX V4.3, RISC V4.3)

  o Sendmail does a DNS lookup and returns a pointer beyond the valid
    address, which causes a bus error and core dump. With the fix,
    especially on the VAX platform, the unsigned long pointer will not
    be a negative number, which allows the DNS lookup to get out of
    the loop and return the pointer to the hostname correctly.

Installation instructions:

This kit provides 5 images, each for a different version(s) of DEC
ULTRIX. When the tar file is unpacked the following files will be
available:

    sendmail.v43RISC
    sendmail.v43VAX
    sendmail.v43aRISC
    sendmail.v44VAX
    sendmail.v44RISC

  o Become super-user

  o Choose the image appropriate for your system and verify the
    checksum

      Image                 Checksum
      ----------------------------------
      sendmail.v43RISC      49495 490
      sendmail.v43VAX       29158 212
      sendmail.v43aRISC     34632 508
      sendmail.v44VAX       30909 508
      sendmail.v44RISC      24745 213

  o Kill the running sendmail daemon. The following command will
    provide the pid for the running sendmail daemon:

      ps -aux |grep send

  o Copy the appropriate file for your system to /usr/lib/sendmail and
    set its ownership and mode as follows:

      -rwsr-xr-x 1 root system /usr/lib/sendmail

  o Restart the sendmail daemon

      /usr/lib/sendmail -bz
      /usr/lib/sendmail -bd -q15m

As always, Digital urges you to periodically review your system
management and security procedures. Digital will continue to review
and enhance the security features of its products and work with
customers to maintain and improve the security and integrity of their
systems.

Copyright Digital Equipment Corporation 1995. All Rights reserved.

This software is proprietary to and embodies the confidential
technology of Digital Equipment Corporation. Possession, use, or
copying of this software and media is authorized only pursuant to a
valid written license from Digital or an authorized sublicensor.

This ECO has not been through an exhaustive field test process. Due to
the experimental stage of this ECO/workaround, Digital makes no
representations regarding its use or performance. The customer shall
have the sole responsibility for adequate protection and back-up data
used in conjunction with this ECO/workaround.
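
Added example, not part of Digital's kit or the original advisory: shell
functions for the checksum step and the ownership/mode step of the
installation instructions above. It assumes the Checksum column is
BSD-style `sum` output (checksum, then block count), which the advisory
does not state, and that `ls -l` prints the group column; the function
names are hypothetical.

```shell
#!/bin/sh
# Added example: gate the copy to /usr/lib/sendmail on the advisory's table.
# Assumption: the table holds BSD-style `sum` output ("checksum blocks").

# expected_sum NAME: print the pair the advisory lists for that image.
expected_sum() {
    case "$1" in
        sendmail.v43RISC)  echo "49495 490" ;;
        sendmail.v43VAX)   echo "29158 212" ;;
        sendmail.v43aRISC) echo "34632 508" ;;
        sendmail.v44VAX)   echo "30909 508" ;;
        sendmail.v44RISC)  echo "24745 213" ;;
        *) return 1 ;;
    esac
}

# actual_sum FILE: print "checksum blocks" normalised to single spaces.
actual_sum() {
    [ -r "$1" ] || return 1
    out=$(sum < "$1") || return 1   # stdin, so no file name is appended
    set -- $out
    echo "$1 $2"
}

# verify_image FILE: 0 = matches table, 1 = mismatch, 2 = unknown image name.
verify_image() {
    name=$(basename "$1")
    want=$(expected_sum "$name") || { echo "unknown image: $name" >&2; return 2; }
    got=$(actual_sum "$1") || { echo "cannot read $1" >&2; return 1; }
    if [ "$got" = "$want" ]; then
        echo "OK $name ($got)"
    else
        echo "MISMATCH $name: expected $want, got $got" >&2
        return 1
    fi
}

# check_installed FILE: confirm the listing the advisory gives,
# -rwsr-xr-x with owner root and group system.
check_installed() {
    set -- $(ls -ld "$1" 2>/dev/null)
    case "$1" in
        -rwsr-xr-x*) ;;
        *) echo "unexpected mode: $1" >&2; return 1 ;;
    esac
    [ "$3" = root ] && [ "$4" = system ] || {
        echo "unexpected owner/group: $3 $4" >&2; return 1; }
}
```

Run `verify_image ./sendmail.v43VAX` (or the image for your system) before the copy and `check_installed /usr/lib/sendmail` after it; a non-zero status means the step should not proceed.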