Security Experts Warn Of E-Mail Software Flaw


Vulnerability affects widely used Sendmail


A major flaw in a popular e-mail software program could allow an attacker to take over vulnerable servers, security experts said Monday.

Researchers at Atlanta-based Internet Security Systems (ISS) said they discovered a buffer overflow vulnerability in the open-source Sendmail Mail Transfer Agent (MTA), which they said is used to handle 50 percent to 75 percent of all Internet e-mail traffic.

An attacker who exploits the flaw could take over a vulnerable server running Sendmail software, disrupting e-mail systems and clogging the Internet with a high volume of traffic, according to ISS X-Force researchers. Attackers also could tamper with incoming and outgoing messages.

"This vulnerability is especially dangerous because an exploit developed can be delivered within an e-mail message and the attacker doesn't need any specific knowledge of the target to launch a successful attack," ISS said in an advisory.

Firewalls and packet filters won't protect vulnerable Sendmail servers, the company said.

The vulnerability affects systems running open-source Sendmail versions prior to 8.12.8, including Unix and Linux systems, according to the CERT Coordination Center at Carnegie Mellon University. The flaw also affects commercial versions of the software from Emeryville, Calif.-based Sendmail: Sendmail Switch, Sendmail Advanced Message Server and Sendmail for NT.

The Department of Homeland Security and the National Infrastructure Protection Center issued an alert about the flaw Monday and advised system administrators to either upgrade their Sendmail software or apply appropriate patches. Patches are available from Sendmail and vendors that incorporate Sendmail into their applications, including IBM, Hewlett-Packard and Sun Microsystems.

According to CERT, Sendmail is the most popular MTA, and most midsize and large organizations are likely to have a vulnerable Sendmail server. CERT also said many Unix and Linux workstations have a Sendmail implementation that runs by default.