Overview Sentrion MP 301 Sentrion MP 302 Sentrion MPQ Sentrion MPV Sentrion DS
Overview Gateway Inbound Outbound Internal Google Gmail
Overview Directory Synchronization Email Architecture Review High Volume Mail HIPAA Policy QUICKStart Implementation Performance Tuning Training Services Overview Message Routing and
Configuration Message Policy
Management Connection Control /
Attack Prevention Directory Configuration
and Management
Overview Compliance Partners Industry Organizations Technology Partners Commercial Milters Open Source Milters System Integrators System Resellers
Overview Silver Support Gold Support Platinum Support Open Source Support Security Advisories Contact Support
Overview Sendmail History Sendmail Customers Events Sendmail News Board & Investors Management Careers
Overview White Papers Highlight Sheets Successs Stories Product Reviews & Awards Archived Webinars Security Chalk Talks IP Reputation Check Real-time Outbreak Monitor
The New Sendmail return to homepage customer login
Support
Overview
Silver Support
Gold Support
Platinum Support
Open Source Support
Security Advisories
Contact Support
 
Contact Us
Resources Center
Success stories, white papers, data sheets, and more!
"Despite highly publicized data leaks, companies struggle to gauge what their risk exposure is.

Only a formal assessment of messaging networks can determine the risks an organization faces."

— Brian Burke
    Research Manager
    IDC Security Products

Sendmail, Inc.
Product Security Advisory SA-200607-03
Frequently Asked Questions

How was this issue discovered?

How difficult would it be for someone to exploit this vulnerability?

Has anyone been impacted by this?

What should a user look for to know if they have been impacted?

What would happen if someone does exploit this?

Are sendmail MTAs behind my firewall vulnerable?

Is this a recently introduced problem, or has it been present for some time?

What are you doing to notify affected users?

What should users do until they can install the patches?

What should the users do to request the patches?

  

What about 3rd party vendors using the sendmail MTA or who use the milter API in the sendmail MTA?

How important is this issue; how quickly should I plan to upgrade?

What are my options?

Will this issue shut down my server?

Will this issue cause me to lose mail?

What are all the new changes included in the Flow Control Filter 1.4.1, 1.6.3, and Sentrion 1.5.4 patches?

How can I verify this is a legitimate security advisory?

Return to Product Security

How was this issue discovered?

The issue was discovered when researching a customer bug report unrelated to any attack.

How difficult would it be for someone to exploit this vulnerability?

Once the vulnerability is discovered, it is easy to exploit for denial of service, but difficult to exploit to run arbitrary code. Once exploited the injected code would execute with the privileges of the running Flow Control Filter, which by default runs without root privileges.

Has anyone been impacted by this?

The reporting customer experienced a crash, but it is unrelated to any malicious activity.

What should a user look for to know if they have been impacted?

For a denial of service attack, you will find logs reporting that Flow Control Filter crashed. For the injection of arbitrary code, there may be no trace.

What would happen if someone does exploit this?

Depending on the configuration of the milter in the sendmail configuration file, all messages will be temp-failed (F=T), rejected (F=R), or accepted without being filtered through the Flow Control Filter. If arbitrary code is injected, that code would run with the privileges of the Flow Control user.

Are sendmail MTAs behind my firewall vulnerable?

Yes, sendmail MTAs behind a firewall are vulnerable because this exploit is driven by the sender and recipient addresses of a message.

Is this a recently introduced problem, or has it been present for some time?

All versions prior to 1.4.1 and 1.6 versions prior to 1.6.3 of the Flow Control Filter are vulnerable. Sentrion versions prior to 1.5.4 are also vulnerable.

What are you doing to notify affected users?

Sendmail has notified supported and unsupported customers in advance of the public announcement of the issue and provided patches to those customers.

What should users do until they can install the patches?

Sendmail suggests not implementing sender or recipient filtering in the Flow Control Filter until the patch is installed.

What should the users do to request the patches?

Sendmail has notified our commercial customers about the patches and provided the information on how to download and obtain these patches.

What about 3rd party vendors using the sendmail MTA or who use the milter API in the sendmail MTA?

This issue does not impact the sendmail MTA and no third parties rely on the affected product.

How important is this issue, how quickly should I plan to upgrade?

Sendmail's threat assessment of this issue is critical. This vulnerability has serious impact on the effectiveness of the Flow Control Filter. A workaround or patch should be deployed as soon as possible.

What are my options?

Your options are:

1. Patch your system; or
2. Configure your filter to avoid the impacts.

See "What should users do until they can install the patches?" above for more information.

Will this issue shut down my server?

This issue will not shut down your server. However, it may, depending on the configuration of the Flow Control Filter in the sendmail MTA, prevent mail from being routed through the MTA.

Will this issue cause me to lose mail?

No, this vulnerability will not cause you to lose mail.

Is this issue related to the recent security vulnerability in certain versions of sendmail Mail Transfer Agent?

No, this vulnerability is not related to the recent Sendmail MTA security vulnerability. However, the Switch 3.1.10 and 3.2.3 releases include fixes for past vulnerabilities.

What are all the new changes included in the Switch for Windows 3.1.5, Switch 3.1.10, Switch 3.2.3, and Sentrion 1.5.4 patches?

The new versions of the Flow Control Filter and the Sentrion appliance contain changes to resolve this vulnerability.

How can I verify this is a legitimate security advisory?

Customers can contact Sendmail Technical Support as listed on http://www.sendmail.com/support/contact/ to verify the authenticity of this advisory. The email notification sent to Sendmail customers is signed with PGP, using the Sendmail, Inc. Security Officer PGP key, available at: http://www.sendmail.com/security/security-officer.asc.

How was this issue discovered?

How difficult would it be for someone to exploit this vulnerability?

Has anyone been impacted by this?

What should a user look for to know if they have been impacted?

What would happen if someone does exploit this?

Are sendmail MTAs behind my firewall vulnerable?

Is this a recently introduced problem, or has it been present for some time?

What are you doing to notify affected users?

What should users do until they can install the patches?

What should the users do to request the patches?

  

What about 3rd party vendors using the sendmail MTA or who use the milter API in the sendmail MTA?

How important is this issue; how quickly should I plan to upgrade?

What are my options?

Will this issue shut down my server?

Will this issue cause me to lose mail?

What are all the new changes included in the Flow Control Filter 1.4.1, 1.6.3, and Sentrion 1.5.4 patches?

How can I verify this is a legitimate security advisory?

Return to Product Security



Site Map | Privacy Policy | Terms & Conditions | Copyright © 1998-2008 Sendmail, Inc. All Rights Reserved.