Overview Sentrion MP 301 Sentrion MP 302 Sentrion MPQ Sentrion MPV Sentrion DS
Overview Gateway Inbound Outbound Internal Google Gmail
Overview Directory Synchronization Email Architecture Review High Volume Mail HIPAA Policy QUICKStart Implementation Performance Tuning Training Services Overview Message Routing and
Configuration Message Policy
Management Connection Control /
Attack Prevention Directory Configuration
and Management
Overview Compliance Partners Industry Organizations Technology Partners Commercial Milters Open Source Milters System Integrators System Resellers
Overview Silver Support Gold Support Platinum Support Open Source Support Security Advisories Contact Support
Overview Sendmail History Sendmail Customers Events Sendmail News Board & Investors Management Careers
Overview White Papers Highlight Sheets Successs Stories Product Reviews & Awards Archived Webinars Security Chalk Talks IP Reputation Check Real-time Outbreak Monitor
The New Sendmail return to homepage customer login
Support
Overview
Silver Support
Gold Support
Platinum Support
Open Source Support
Security Advisories
Contact Support
 
Contact Us
Resources Center
Success stories, white papers, data sheets, and more!
"Despite highly publicized data leaks, companies struggle to gauge what their risk exposure is.

Only a formal assessment of messaging networks can determine the risks an organization faces."

— Brian Burke
    Research Manager
    IDC Security Products

Sendmail, Inc.
Product Security Advisory SA-200607-01
Frequently Asked Questions

How difficult would it be for someone to exploit this vulnerability?

How can I check my system to see if I am using the affected authd 2.0 daemon?

If I am using Sendmail's authentication daemon, authd version 1.x, does this vulnerability affect my system?

Has anyone been impacted by this?

What would happen if someone does exploit this?

Is this a recently introduced problem, or has it been present for some time?

 

Has Sendmail had similar security issues in the past?

What are you doing to notify affected users?

What should users do until they can install the patches?

What should customers do to request the authd 2.0.3 patch?

How important is this issue,How quickly should I plan to upgrade?

How can I verify this is a legitimate security advisory?
Return to Product Security

How difficult would it be for someone to exploit this vulnerability?

This problem only manifests itself when Sendmail's authentication daemon, authd 2.0 is configured to use third party LDAP servers which have unauthenticated binds enabled. If you are using Sendmail's LDAP or OpenLDAP servers this vulnerability will not affect your environment, since that functionality is disabled by default, unless you have enabled the unauthenticated bind functionality manually.

How can I check my system to see if I am using the affected authd 2.0 daemon?

To check if you're currently running the authentication daemon, we recommend checking each of your servers for authd 2.0 by checking the existence of the authd binary in:

<INSTALL_DIR>/sendmail/authd-2.0/libexec/authd

By default, <INSTALL_DIR> is /usr/local, so you would look for:

/usr/local/sendmail/authd-2.0/libexec/authd

If it is present, you should install the authd 2.0.3 patch.

If I am using Sendmail's authentication daemon, authd version 1.x, does this vulnerability affect my system?

No, this vulnerability only affects authd version 2.0, when used with LDAP servers that have unauthenticated binds enabled.

Has anyone been impacted by this?

No, Sendmail is not currently aware of any customers being exploited by this LDAP empty password vulnerability with the current authentication daemon. This vulnerability is not public and an attack against the exploit is unlikely at this time.

What would happen if someone does exploit this?

If someone knowingly or unknowingly typed in a valid user name with an empty password field they could gain unauthorized access to your system.

Is this a recently introduced problem, or has it been present for some time?

Sendmail was not aware of this vulnerability in authd until just recently, so it has been present for some time without any known incidents or customer reports of unauthorized system access by using an empty password field.

Has Sendmail had similar security issues in the past?

No, Sendmail have never had any reported vulnerabilities with the authentication daemon in the past, this is the first.

What are you doing to notify affected users?

Sendmail is notifying all our commercial customers regarding this vulnerability. Sendmail is committed to providing to our customers immediate availability of the authd 2.0.3 patch to correct the vulnerability.

What should users do until they can install the patches?

Customers can disable the unauthenticated bind operation in their LDAP servers, which will not allow the use of empty or null passwords by any user.

For more information on the LDAP empty password authentication issue, please see the Sendmail-SA-200607-01 Security Advisory.

What should customers do to request the authd 2.0.3 patch?

Sendmail is sending notification to all our commercial customers regarding the availability and download location of the authd patch.

How important is this issue, how quickly should I plan to upgrade?

Sendmail considers this vulnerability to be critical and is advising all customers to download and apply the authd 2.0.3 patch. This vulnerability can have serious implications in that unauthorized users could easily access your system by using an empty password.

How can I verify this is a legitimate security advisory?

Customers can contact Sendmail Technical Support as listed on http://www.sendmail.com/support/contact/ to verify the authenticity of this advisory. The email notification sent to Sendmail customers is signed with PGP, using the Sendmail, Inc. Security Officer PGP key, available at: http://www.sendmail.com/security/security-officer.asc.

How difficult would it be for someone to exploit this vulnerability?

How can I check my system to see if I am using the affected authd 2.0 daemon?

If I am using Sendmail's authentication daemon, authd version 1.x, does this vulnerability affect my system?

Has anyone been impacted by this?

What would happen if someone does exploit this?

Is this a recently introduced problem, or has it been present for some time?

 

Has Sendmail had similar security issues in the past?

What are you doing to notify affected users?

What should users do until they can install the patches?

What should customers do to request the authd 2.0.3 patch?

How important is this issue,How quickly should I plan to upgrade?

How can I verify this is a legitimate security advisory?
Return to Product Security


Site Map | Privacy Policy | Terms & Conditions | Copyright © 1998-2008 Sendmail, Inc. All Rights Reserved.