From support@us.external.hp.com Wed Mar 13 01:01:45 1996 Date: Wed, 13 Mar 1996 01:09:41 -0800 From: HPSL Mail Service Reply to: support-feedback@us.external.hp.com To: Damien Sorder Subject: RE: send doc HPSBUX9311-001 -------- ## Regarding your request: Send Doc HPSBUX9311-001 The following are the results of your request from the HP SupportLine mail service. =============================================================================== Document Id: [HPSBUX9311-001] Date Loaded: [02-05-94] Description: Security Vulnerability in Sendmail =============================================================================== ----------------------------------------------------------------------- HEWLETT-PACKARD SECURITY BULLETIN: #00001, 12 November 93 ----------------------------------------------------------------------- _______________________________________________________________________ PROBLEM: Security vulnerability in sendmail in all releases of HP-UX PLATFORM: HP 9000 series 300/400s and 700/800s DAMAGE: A mail message can trigger arbitrary commands to be executed as any user except root. SOLUTION: Apply patch PHNE_3369 (series 300/400, HP-UX 8.x), or PHNE_3370 (series 300/400, HP-UX 9.x), or PHNE_3371 (series 700/800, HP-UX 8.x), or PHNE_3372 (series 700/800, HP-UX 9.x), or modify the sendmail configuration file (releases of HP-UX prior to 8.0) AVAILABILITY: Wednesday 17 November _______________________________________________________________________ I. Sendmail Update A. Recent CERT advisory on Sendmail A recent CERT advisory (CERT CA-93:16) described a vulnerability in most versions of sendmail that allowed "unauthorized remote or local users to execute programs as any system user other than root." "This vulnerability affects the final destination sendmail host and can be exploited through an intermediate mail machine. Therefore, all sendmail recipient machines within a domain are potentially vulnerable." It has been found that all HP-UX systems have this sendmail vulnerability. This serious security vulnerability allows a malicious user to cause arbitrary commands to be executed on a vulnerable system. These commands can be run as any user except root. The commands are sent to the user in a specially-formatted electronic mail message which exploits the vulnerability. B. Fixing the problem The vulnerability can be eliminated from releases 8.x and 9.x of HP-UX by applying a patch. Releases of HP-UX prior to 8.0 must modify the sendmail configuration file (/usr/lib/sendmail.cf) to disable the ``prog'' mailer function; no patch will be available for releases of HP-UX prior to 8.0. THIS VULNERABILITY IS EXPLOITED WITH ELECTRONIC MAIL MESSAGES, MEANING THAT EVERY HP-UX SYSTEM RUNNING SENDMAIL IS VULNERABLE. Hewlett-Packard recommends that all customers concerned with the security of their HP-UX systems either apply the appropriate patch or edit the sendmail configuration file as soon as possible. C. How to Install the Patch (for HP-UX 8.x and 9.x) (NOTE: Since patches will not be available until Wednesday, November 17, HP-UX 8.x and 9.x systems can be protected until that time by disabling the sendmail ``prog'' mailer as mentioned below in section D. for HP-UX 6.x and 7.x systems.) 1. Determine which patch is appropriate for your hardware platform and operating system: PHNE_3369 -- Series 300/400, HP-UX 8.x PHNE_3370 -- Series 300/400, HP-UX 9.x PHNE_3371 -- Series 700/800, HP-UX 8.x PHNE_3372 -- Series 700/800, HP-UX 9.x 2. Get a copy of the patch from one of the following locations: a. Auto-Patch Email If you know the name of the patch needed, Email to hprc_patch@hprc.atl.hp.com with the subject of the message stated as "patch phkl_9999 rchandle" where phkl_9999 is the patch name, rchandle is your Response Center system identifier or company name if you are not currently under Response Center support. It will automatically be emailed back to you. b. HP SupportLine Effective early 1993, all new patches are loaded on HPSL. If you don't have HPSL access or need to know how to sign on, in the U.S. you can call the following numbers: Response Center Customers: 1-800-633-3600 BasicLine Customers: 1-415-691-3888 Outside the U.S., contact your local Response Center. Note that a list of patches can be obtained at any time by emailing to hprc_patch@hprc.atl.hp.com with the subject of the message stated as "p-list rchandle", where rchandle is your Response Center system identifier or your company name if you are not currently under Response Center support. The list will automatically be emailed back to you. The list includes a short description of the patch. A more detailed patch description is included in the patch itself. 3. Apply the patch to your HP-UX system. a. Become superuser (or root). b. At the shell prompt, type "cd /tmp" c. At the shell prompt, type "sh /tmp/PHNE_33nn" d. At the shell prompt, for 9.x systems type "/etc/update -s /tmp/PHNE_33nn.updt \*" and for 8.x systems (s700) type "/etc/update -S700 -s /tmp/PHNE_33nn.updt \*" or for 8.x systems (s800) type "/etc/update -S800 -s /tmp/PHNE_33nn.updt \*" or for 8.x systems (s300 or s400) type "/etc/update -S300 -s /tmp/PHNE_33nn.updt \*" Note: "nn" refers to the last two digits of the appropriate patch from the list in step 1. The update process kills the running sendmail, replaces the /usr/lib/sendmail binary, and starts the new sendmail. If you do not have a frozen configuration file (/usr/lib/sendmail.fc), skip to step 4. If you do use a frozen configuration file, continue with step 3e. e. Kill the running sendmail. At the shell prompt, type: "/usr/lib/sendmail -bk" f. Freeze the configuration file. At the shell prompt, type: "/etc/freeze" g. Restart the sendmail daemon. At the shell prompt, type: "/usr/lib/sendmail -bd -q30m" 4. Examine /tmp/update.log for any relevant WARNINGs or ERRORs. This can be done as follows: a. At the shell prompt, type "tail -60 /tmp/update.log | more" b. Page through the next three screens via the space bar, looking for WARNING or ERROR messages. D. How to modify the sendmail.cf file (releases of HP-UX prior to 8.0) (NOTE: This workaround only applies to versions of HP-UX prior to 8.0. Later versions of HP-UX should follow the patch installation instructions above; UNTIL THE ABOVE PATCH IS INSTALLED, however, THIS APPROACH CAN BE USED to protect the system.) The workaround for HP-UX 6.x and 7.x sendmail involves modifying the sendmail configuration file (/usr/lib/sendmail.cf). However, this approach disables the sendmail program mailer facility. THIS MEANS THAT PROGRAMS THAT ARE DESIGNED TO RECEIVE MAIL FROM SENDMAIL WILL NOT WORK! For example, ``vacation'' is a program that is frequently sent to in users' .forward files. With this workaround, ``vacation'' will no longer work! So, all programs that are designed to receive mail from sendmail should be moved to computers that have the patched version of sendmail for HP-UX 8.x and 9.x. 1. Save a copy of the existing sendmail.cf file. 2. Use an editor to modify the sendmail.cf file: change line: Mprog, P=/bin/sh, F=DFMPlshu, S=10, R=20, A=sh -c $u to: Mprog, P=/bin/false, F=DFMPlshu, S=10, R=20, A=sh -c $u 3. Once this change has been made, you must kill the sendmail daemon, freeze the sendmail configuration, and restart sendmail. The commands are: a. Kill sendmail daemon /usr/lib/sendmail -bk b. Freeze the sendmail configuration file /etc/freeze c. Restart the sendmail daemon: /usr/lib/sendmail -bd -q30m E. Impact of the patch and workaround The patch for HP-UX releases 8.x and 9.x provides a new version of /usr/lib/sendmail which fixes the vulnerability. No patches will be available for versions of HP-UX prior to 8.0. Instead, the workaround to disable the ``prog'' mailer by modifying the sendmail configuration file is required.