CERT® Advisory CA-1995-08 Sendmail v.5 Vulnerability
Original issue date: August 17, 1995
Last revised: September 23, 1997
Updated copyright statement
A complete revision history is at the end of this file.
The CERT Coordination Center has received reports of a vulnerability in sendmail version 5. Although this version is several years old, it is still in use. The vulnerability enables intruders to gain unauthorized privileges, including root. We recommend installing all patches from your vendor or moving to the current version of Eric Allman's sendmail (version 8.6.12).
The vulnerability is currently present in all versions of IDA sendmail and in some vendors' releases of sendmail. The vendors who have reported to us are listed in Section I.
We will update this advisory as we receive additional information. Please check advisory files regularly for updates that relate to your site.
In sendmail version 5, there is a vulnerability that intruders can exploit to create files, append to existing files, or execute programs.
The vulnerability is currently present in all versions of IDA sendmail and in some vendors' releases of sendmail.
Many vendors have previously installed upgrades or developed patches to address the problem; some are working on patches now. Here is a summary of vendors who reported to us as of the date of this advisory.
More details can be found in the appendix of this advisory, which we will update as we receive additional information.
If you do not see your vendor's name or if you have questions about the version of sendmail at your site, please contact your vendor directly.
Source or Vendor
Freely available and distributable software: Users of the freely available operating systems Linux (systems using sendmail rather than smail), NetBSD, and FreeBSD should upgrade to sendmail 8.6.12.
Local and remote users can create files, append to existing files or run programs on the system. Exploitation can lead to root access.
A. What to do
Ensure that you have kept current with upgrades and patches from your vendor.
If no patch is currently available, an alternative is to install sendmail 8.6.12.
B. What you need to know about sendmail
Sendmail is available by anonymous FTP from
The checksums are
MD5 (sendmail.8.6.12.base.tar.Z) = 31591dfb0dacbe0a7e06147747a6ccea
To restrict sendmail's program mailer facility, obtain and install the sendmail restricted shell program (smrsh) by Eric Allman (the original author of sendmail), following the directions included with the program.
You should run smrsh with any UNIX system that is running sendmail, regardless of vendor or version. Even with Eric Allman's sendmail version 8.6.12, it is necessary for security-conscious sites to use the smrsh program, as this carries out preprocessing of mail headers and adds an extra layer of defense by controlling what programs can be spawned by the incoming mail message. Note that smrsh has now been included as part of the sendmail distribution (effective with 8.7).
We also urge you to ensure that all patches are installed for the distribution of sendmail you are using. Regardless of the vendor or version of your UNIX systems and sendmail, the general advice to "run the smrsh tool in conjunction with the most recently patched version of sendmail for your system" holds true.
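An added sketch, not smrsh's own code, of the kind of allow-list check described above: a command is refused if it contains shell metacharacters, and otherwise its program name is looked up only inside a directory the administrator controls. The function names, the rejected character set and the directory layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not smrsh itself): a simplified allow-list check of the kind
# a restricted shell applies before running a program named by the mailer.
# The rejected character set and directory layout are assumptions.

# restricted_cmd_ok ALLOWED_DIR COMMAND: return 0 if COMMAND may run.
restricted_cmd_ok() {
    cmd=$2
    # 1. Refuse metacharacters that chain, redirect or substitute commands.
    stripped=$(printf '%s' "$cmd" | tr -d ';&|<>`$()\n\r')
    [ "$stripped" = "$cmd" ] || return 1
    # 2. Take the first word and discard any directory part, so a request
    #    for "/usr/bin/vacation" is looked up as "vacation" in ALLOWED_DIR.
    words=$(printf '%s' "$cmd" | tr '\t' ' ')
    prog=${words#"${words%%[! ]*}"}     # trim leading blanks
    prog=${prog%% *}                    # first word only
    prog=${prog##*/}                    # drop any path the sender supplied
    case $prog in ''|.|..) return 1 ;; esac
    # 3. Only programs the administrator placed in ALLOWED_DIR may run.
    [ -f "$1/$prog" ]
}

# Constructed demo: one permitted program and four sample mailer commands.
demo_restricted() {
    d=$(mktemp -d) || return 2
    printf '#!/bin/sh\nexit 0\n' > "$d/vacation"   # constructed stub program
    out=
    for c in 'vacation alice' '/usr/bin/vacation alice' \
             '/bin/cat /etc/motd' 'vacation alice; date'; do
        if restricted_cmd_ok "$d" "$c"; then out="$out allow"
        else out="$out deny"; fi
    done
    rm -rf "$d"
    echo "${out# }"
}
demo_restricted
```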
Copies of smrsh may be obtained via anonymous FTP from
System V Sum
Depending upon the currently installed sendmail program, switching to a different sendmail may require significant effort (such as rewriting the sendmail.cf file).
Appendix: Vendor Information
Below is information we have received from vendors about the vulnerability in sendmail version 5. If you do not see your vendor's name below, contact the vendor directly for information.
Eric Allman
Sendmail 8.6.10 and later are not vulnerable. The current version is 8.6.12. Because the current version addresses vulnerabilities that appear in earlier versions, it is a good idea to use 8.6.12.
Sendmail is available by anonymous FTP from
The checksums are
MD5 (sendmail.8.6.12.base.tar.Z) = 31591dfb0dacbe0a7e06147747a6ccea
Apple Computer, Inc.
[The following information also appeared in CERT advisory CA-95.05, "Sendmail Vulnerabilities."]
An upgrade to A/UX version 3.1 (and 3.1.1) for these vulnerabilities is available. The upgrade replaces the sendmail binary with the 8.6.10 version. It is available via anonymous FTP from ftp.support.apple:
It is also available via anonymous FTP from abs.apple.com:
In both cases the compressed binary has the following signature:
MD5 (sendmail.Z) = 31bb15604517630f46d7444a6cfab3f1
Uncompress(1) this file and replace the existing version in /usr/lib; be sure to preserve the hard links to /usr/ucb/newaliases and /usr/ucb/mailq, kill the running sendmail and restart.
Earlier versions of A/UX are not supported by this patch. Users of previous versions are encouraged to update their system or compile the latest version of sendmail available from ftp.cs.berkeley.edu.
Customers should contact their reseller for any additional information.
Berkeley Software Design, Inc. (BSDI)
BSD/OS V2.0.1 is not vulnerable.
BSD/OS V2.0 users should install patch U200-011, available from ftp.bsdi.com in bsdi/patches/U200-011.
BSDI Support contact information:
Cray Research, Inc.
not vulnerable
Data General Corporation
DG/UX 5.4R3.00 and 5.4R3.10 (and associated Trusted version) are vulnerable. Patches in progress now.
The upcoming release (R4.10 and R4.11) will not have this vulnerability since these releases ship sendmail version 8.
Digital Equipment Corp.
A patch for SENDMAIL (ULTSENDMAIL_EO1044 & OSFSENDMAIL_E01032) has been available for some time, so if you have kept current with patches you are not vulnerable to this particular reported problem.
If you have not applied the kits above, Digital Equipment Corporation strongly urges customers to upgrade to the latest versions of ULTRIX V4.4 or DIGITAL DEC OSF/1 V3.2, then apply the appropriate sendmail solution kit.
The above kits can be obtained through your normal Digital support channels or by access (kit) request via DSNlink, DSIN, or DIA.
Grumman Systems Support Corporation (GSSC)
GSSC now performs all Solbourne software and hardware support.
We recommend running sendmail 8.6.10 (or later revision). 8.6.12 has proven reliable in production use on Solbourne systems.
We plan to release the Solbourne version of the Sun patch when it becomes available.
Harris Computer Systems
not vulnerable
Hewlett-Packard Company
Hewlett-Packard issued security bulletin #25 on April 2, 1995 announcing patches and describing a fix. The patches are
PHNE_5402 (series 700/800, HP-UX 9.x), or
PHNE_5401 (series 700/800, HP-UX 8.x), or
PHNE_5384 (series 300/400, HP-UX 9.x), or
PHNE_5383 (series 300/400, HP-UX 8.x), or
PHNE_5387 (series 700, HP-UX 9.09), or
PHNE_5388 (series 700, HP-UX 9.09+), or
PHNE_5389 (series 800, HP-UX 9.08)
The bulletin is available from the HP SupportLine and from http://www.hp.com in the HPSL category and from http://support.mayfield.hp.com.
Patches may be obtained from HP via FTP (this is NOT anonymous FTP) or the HP SupportLine. To obtain HP security patches, you must first register with the HP SupportLine. The registration instructions are available via anonymous FTP at ftp.cert.org in the file "pub/vendors/hp/supportline_and_patch_retrieval".
IBM Corporation
A patch (ptf U425863) has been available for AIX 3.2 for some time. To determine if you have this ptf on your system, run the following command:
% lslpp -lB U425863
If you have not already applied the patch, you can order it from IBM as APAR ix40304. To order APARs from IBM in the U.S., call 1-800-237-5511. To obtain APARs outside of the U.S., contact your local IBM representative.
OS                   Version        Status
------------------   ------------   ------------------------------
EWS-UX/V(Rel4.0)     R1.x - R6.x    vulnerable
EWS-UX/V(Rel4.2)     R7.x - R10.x   vulnerable, patch available
EWS-UX/V(Rel4.2MP)   R10.x          vulnerable, patch available
UP-UX/V              R1.x - R4.x    vulnerable
UP-UX/V(Rel4.2MP)    R5.x - R7.2    vulnerable, patch available except for R5.x
UX/4800              R11.x          not vulnerable
Contacts for further information:
NeXT Computer, Inc.
The sendmail executables included with all versions of NEXTSTEP up to and including release 3.3 are vulnerable to this problem. The SendmailPatch previously released for NEXTSTEP 3.1 and 3.2 is also vulnerable.
An updated patch is planned which will address this vulnerability. The availability of this patch will be indicated in the NeXTanswers section of http://www.next.com/. For further information you may contact NeXT's Technical Support Hotline at (+1-800-955-NeXT) or via email to ask_next@NeXT.com.
Open Software Foundation
not vulnerable
The Santa Cruz Operation
Support Level Supplement (SLS) net382e contains a patched version of sendmail for the following releases:
SCO TCP/IP Runtime System Release 1.2.1
SCO OpenServer 5 contains Sendmail version 8.6.8, and contains fixes to all problems reported in this and previous sendmail advisories. Users of previous releases should consider updating.
NOTE: The MMDF (M)ulti-Channel (M)emorandum (D)istribution (F)acility is the default mail system on SCO systems. The MMDF mail system is not affected by any of the problems mentioned in these advisories. Administrators who wish to use sendmail must specifically configure the system to do so during or after installation.
To acquire SLS net382e:
Anonymous ftp on the Internet:
==============================
ftp://ftp.sco.COM/SLS/net382e.Z (disk image)
ftp://ftp.sco.COM/SLS/net382e.ltr.Z (documentation)

Anonymous uucp:
===============
United States:
--------------
sosco!/usr/spool/uucppublic/SLS/net382e.Z (disk image)
sosco!/usr/spool/uucppublic/SLS/net382e.ltr.Z (documentation)

United Kingdom:
---------------
scolon!/usr/spool/uucppublic/SLS/net382e.Z (disk image)
scolon!/usr/spool/uucppublic/SLS/net382e.ltr.Z (documentation)

The telephone numbers and login names for the machines sosco and scolon are provided with the default /usr/lib/uucp/Systems file shipped with every SCO system.

The checksums for the files listed above are as follows:

file             sum -r        md5
===============  ============  ================================
net382e.Z:       29715 1813    41efeaaa855e4716ed70c12018014092
net382e.ltr.Z    52213 14      287ba6131519cba351bc58cb32880fda

The Support Level Supplement is also available on floppy media from SCO Support at the following telephone numbers:

USA/Canada: 6am-5pm Pacific Daylight Time (PDT)
-----------
1-408-425-4726 (voice)
1-408-427-5443 (fax)

Pacific Rim, Asia, and Latin American customers: 6am-5pm Pacific Daylight Time (PDT)
------------------------------------------------
1-408-425-4726 (voice)
1-408-427-5443 (fax)

Europe, Middle East, Africa: 9am-5:00pm Greenwich Mean Time (GMT)
----------------------------
+44 1923 816344 (voice)
+44 1923 817781 (fax)

Silicon Graphics Inc.
On February 22, 1995, Silicon Graphics issued security advisory 19950201 addressing sendmail issues being raised at the time and previous older version sendmail issues. Patches are still available and as part of these patches, sendmail version 8.6.12 is provided as standard. At the time of this writing here is the patch information.
**** IRIX 3.x ****
However, two possible actions still remain: 1) upgrade the system to a supported version of IRIX (see below) and then install the binary/patch or 2) obtain the sendmail source code from anonymous FTP at ftp.cs.berkeley.edu and compile the program manually.
**** IRIX 4.x ****
Binaries can be found at ftp://ftp.sgi.com/ftp/Patches/4.x but not at the alternative location, ~ftp/Security.
##### Checksums as of August 17, 1995, 5 p.m. EDT ####
Filename: sendmail.new.Z
Algorithm #1 (sum -r): 30749 422 sendmail.new.Z
Algorithm #2 (sum): 62511 422 sendmail.new.Z
MD5 checksum: AB327D85D40085D74E9C230EB1A002C3
Note: SGI plans to upgrade the IRIX 4.x patch soon. If there is a difference between the checksums of the file you obtain and those reported here, you should rely on SGI's <sendmail-filename>.pgp.and.chksums file.
After obtaining the binary, it may be installed with the instructions
1) Become the root user on the system.
      % /bin/su -
      Password:
      #
2) Stop the current mail processes.
      # /etc/init.d/mail stop
3) Rename the current sendmail binary to a temporary name.
      # mv /usr/lib/sendmail /usr/lib/sendmail.stock
4) Change permissions on the old sendmail binary so it can not be used anymore.
      # chmod 0400 /usr/lib/sendmail.stock
5) Uncompress the binary.
      # uncompress /tmp/sendmail.new.Z
6) Put the new sendmail binary into place (in the example here the binary was retrieved via anonymous ftp and put in /tmp)
      # mv /tmp/sendmail.new /usr/lib/sendmail
7) Insure the correct permissions and ownership on the new sendmail.
      # chown root.sys /usr/lib/sendmail
      # chmod 4755 /usr/lib/sendmail
8) Restart the mail system with the new sendmail binary in place.
      # /etc/init.d/mail start
9) Return to normal user level.
      # exit
**** IRIX 5.0.x, 5.1.x ****
**** IRIX 5.2, 5.3, 6.0, 6.0.1 ****
The SGI anonymous ftp site is ftp.sgi.com (22.214.171.124). Patch 332 can be found in the following directories on the ftp server:
For obtaining security information, patches or assistance, please contact your SGI support provider.
If there are questions about this patch information, email can be sent to firstname.lastname@example.org.
For reporting new SGI security issues, email can be sent to email@example.com.
Solbourne
see Grumman Systems Support Corporation
Sun Microsystems, Inc.
Solaris 2.x is not vulnerable.
Sun OS 4.1.3, 4.1.37_u1, and 4.1.4 are vulnerable, and a patch will be available soon.
This patch can be obtained from local Sun Answer Centers and through anonymous FTP from ftp.uu.net in the /systems/sun/sun-dist directory. In Europe, the patch is available from mcsun.eu.net (126.96.36.199) in the /sun/fixes directory.
The CERT Coordination Center staff thanks the vendors listed in this advisory, along with Karl Strickland and Neil Woods for their support in the development of this advisory.
This document is available from: http://www.cert.org/advisories/CA-1995-08.html
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Conditions for use, disclaimers, and sponsorship information
Copyright 1995, 1996 Carnegie Mellon University.
Sep. 23, 1997  Updated copyright statement
Aug. 07, 1996  Information previously in the README was inserted into the advisory.
Nov. 07, 1995  Sec. III.B.2 - emphasized that smrsh should be run with all versions of sendmail.
Sep. 20, 1995  Sec. I - changed "public domain" to "freely available."
               Appendix - added an entry for Data General.
Aug. 21, 1995  Sec. III.B and appendix, Eric Allman - added a German FTP site for sendmail and corrected the URL for Australia.
               Appendix, Silicon Graphics - corrected information for 4.x
               Appendix, Sun - corrected a typo in the OS number