The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Sendmail

vulnerability CVE-2015-4000

TLS: weakening Diffie-Hellman via Logjam

Synthesis of the vulnerability

An attacker, located as a Man-in-the-Middle, can force the TLS client/server to accept a weak export algorithm, in order to more easily capture or alter exchanged data.
Impacted products: Apache httpd, Blue Coat CAS, ProxyAV, ProxySG by Blue Coat, SGOS by Blue Coat, DCFM Enterprise, Brocade Network Advisor, Brocade vTM, Clearswift Email Gateway, Debian, Summit, Fedora, FileZilla Server, FreeBSD, HPE BSM, HPE NNMi, HP Operations, HP-UX, AIX, DB2 UDB, IRAD, Security Directory Server, SPSS Modeler, Tivoli Storage Manager, Tivoli System Automation, Tivoli Workload Scheduler, WebSphere AS Traditional, WebSphere MQ, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper SBR, lighttpd, ePO, Firefox, NSS, MySQL Community, MySQL Enterprise, Data ONTAP 7-Mode, Snap Creator Framework, SnapManager, NetBSD, nginx, Nodejs Core, OpenSSL, openSUSE, openSUSE Leap, Solaris, Palo Alto Firewall PA***, PAN-OS, Percona Server, RealPresence Collaboration Server, RealPresence Distributed Media Application, RealPresence Resource Manager, Polycom VBP, Postfix, SSL protocol, Pulse Connect Secure, Puppet, RHEL, JBoss EAP by Red Hat, Sendmail, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Ubuntu, WinSCP.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: internet server.
Creation date: 20/05/2015.
Revision date: 20/05/2015.
Identifiers: 1610582, 1647054, 1957980, 1958984, 1959033, 1959539, 1959745, 1960194, 1960418, 1960862, 1962398, 1962694, 1963151, 9010038, 9010039, 9010041, 9010044, BSA-2015-005, bulletinjan2016, bulletinjul2015, c04725401, c04760669, c04767175, c04770140, c04773119, c04773241, c04774058, c04778650, c04832246, c04918839, c04926789, CERTFR-2016-AVI-303, CTX216642, CVE-2015-4000, DLA-507-1, DSA-3287-1, DSA-3300-1, DSA-3688-1, FEDORA-2015-10047, FEDORA-2015-10108, FEDORA-2015-9048, FEDORA-2015-9130, FEDORA-2015-9161, FreeBSD-EN-15:08.sendmail, FreeBSD-SA-15:10.openssl, HPSBGN03399, HPSBGN03407, HPSBGN03411, HPSBGN03417, HPSBHF03433, HPSBMU03345, HPSBMU03401, HPSBUX03363, HPSBUX03388, HPSBUX03435, HPSBUX03512, JSA10681, Logjam, NetBSD-SA2015-008, NTAP-20150616-0001, NTAP-20150715-0001, NTAP-20151028-0001, openSUSE-SU-2015:1139-1, openSUSE-SU-2015:1209-1, openSUSE-SU-2015:1216-1, openSUSE-SU-2015:1277-1, openSUSE-SU-2016:0226-1, openSUSE-SU-2016:0255-1, openSUSE-SU-2016:0261-1, openSUSE-SU-2016:2267-1, PAN-SA-2016-0020, PAN-SA-2016-0028, RHSA-2015:1072-01, RHSA-2015:1185-01, RHSA-2015:1197-01, RHSA-2016:2054-01, RHSA-2016:2055-01, RHSA-2016:2056-01, SA111, SA40002, SA98, SB10122, SSA:2015-219-02, SSRT102180, SSRT102254, SSRT102964, SSRT102977, SUSE-SU-2015:1143-1, SUSE-SU-2015:1150-1, SUSE-SU-2015:1177-1, SUSE-SU-2015:1177-2, SUSE-SU-2015:1181-1, SUSE-SU-2015:1181-2, SUSE-SU-2015:1182-2, SUSE-SU-2015:1183-1, SUSE-SU-2015:1183-2, SUSE-SU-2015:1184-1, SUSE-SU-2015:1184-2, SUSE-SU-2015:1185-1, SUSE-SU-2015:1268-1, SUSE-SU-2015:1268-2, SUSE-SU-2015:1269-1, SUSE-SU-2015:1581-1, SUSE-SU-2016:0224-1, SUSE-SU-2018:1768-1, TSB16728, USN-2624-1, USN-2625-1, USN-2656-1, USN-2656-2, VIGILANCE-VUL-16950, VN-2015-007.

Description of the vulnerability

The Diffie-Hellman algorithm is used to exchange cryptographic keys. The DHE_EXPORT suite uses prime numbers smaller than 512 bits.

The Diffie-Hellman algorithm is used by TLS. However, during the negotiation, an attacker located as a Man-in-the-Middle can force TLS to use DHE_EXPORT (even if stronger suites are available).

This vulnerability can then be combined with VIGILANCE-VUL-16951.

An attacker, located as a Man-in-the-Middle, can therefore force the TLS client/server to accept a weak export algorithm, in order to more easily capture or alter exchanged data.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert 16951

TLS, SSH, VPN: weakening Diffie-Hellman via common primes

Synthesis of the vulnerability

An attacker, located as a Man-in-the-Middle, can obtain the DH keys used by the TLS/SSH/VPN client/server, in order to more easily capture or alter exchanged data.
Impacted products: Apache httpd, AnyConnect VPN Client, IVE OS, Juniper SA, lighttpd, nginx, OpenSSH, OpenSSL, Openswan, Postfix, SSL protocol, Sendmail.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: internet server.
Creation date: 20/05/2015.
Identifiers: VIGILANCE-VUL-16951.

Description of the vulnerability

The Diffie-Hellman algorithm is used to exchange cryptographic keys. It is used by TLS, SSH and VPNs (IPsec).

Most servers use the same prime numbers (standardized in RFC 3526). An attacker can thus pre-compute values (about 100000 core CPU hours, i.e. roughly a week on 100 computers for 512-bit primes) and then use the number field sieve discrete logarithm algorithm to quickly obtain the DH keys in use, and decrypt a session.

The 512-bit groups are considered broken, and the 1024-bit groups are considered breakable by a nation-state.

For TLS, this vulnerability can be exploited after Logjam (VIGILANCE-VUL-16950).

An attacker, located as a Man-in-the-Middle, can therefore obtain the DH keys used by the TLS/SSH/VPN client/server, in order to more easily capture or alter exchanged data.

computer vulnerability note 15749

Sendmail: privilege escalation via File Descriptors

Synthesis of the vulnerability

A local attacker can access file descriptors left open by Sendmail, in order to escalate their privileges.
Impacted products: Sendmail.
Severity: 1/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 08/12/2014.
Identifiers: VIGILANCE-VUL-15749.

Description of the vulnerability

The Sendmail product calls external programs using functions of the exec() family.

However, file descriptors are not always closed before these programs are called. These programs may thus access Sendmail data.

A local attacker can therefore access file descriptors left open by Sendmail, in order to escalate their privileges.

vulnerability CVE-2014-3956

Sendmail: privilege escalation via File Descriptors

Synthesis of the vulnerability

A local attacker can access file descriptors of Sendmail, in order to escalate their privileges.
Impacted products: Fedora, FreeBSD, HP-UX, AIX, OpenBSD, openSUSE, Solaris, Sendmail, Slackware.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 21/05/2014.
Identifiers: c05216368, CVE-2014-3956, FEDORA-2014-7093, FEDORA-2014-7095, FreeBSD-SA-14:11.sendmail, HPSBUX03632, MDVSA-2014:147, MDVSA-2015:128, openSUSE-SU-2014:0804-1, openSUSE-SU-2014:0805-1, SSA:2014-156-04, SSRT110194, VIGILANCE-VUL-14780.

Description of the vulnerability

The Sendmail product allows a local user to define a program to be executed when they receive an email (for example with procmail).

However, before executing this external program, Sendmail does not close its file descriptors. This program can thus, for example, access the file descriptor of the SMTP session.

A local attacker can therefore access file descriptors of Sendmail, in order to escalate their privileges.

vulnerability alert CVE-2009-4565

Sendmail: truncation of X.509 with null

Synthesis of the vulnerability

When Sendmail uses certificates, an attacker can send an X.509 certificate with a Subject/Issuer field containing a null character, in order to bypass access restrictions.
Impacted products: Debian, Fedora, HP-UX, AIX, Mandriva Linux, Mandriva NF, NLD, OES, OpenSolaris, openSUSE, Solaris, RHEL, Sendmail, SLES, TurboLinux.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 31/12/2009.
Identifiers: 275870, 6913961, BID-37543, c02009860, CERTA-2010-AVI-123, CVE-2009-4565, DSA-1985-1, FEDORA-2010-5399, FEDORA-2010-5470, HPSBUX02508, IZ72510, IZ72515, IZ72526, IZ72528, IZ72539, IZ72602, MDVSA-2010:003, RHSA-2010:0237-05, RHSA-2011:0262-01, SSRT100007, SUSE-SR:2010:006, TLSA-2010-3, VIGILANCE-VUL-9321.

Description of the vulnerability

Sendmail can be configured to use X.509 certificates.

However, when an X.509 certificate contains a null character in the Subject/Issuer field, Sendmail truncates this field at the null. This vulnerability is similar to VIGILANCE-VUL-8908, even though the vulnerable source code is different.

When Sendmail uses certificates, an attacker can therefore send an X.509 certificate with a Subject/Issuer field containing a null character, in order to bypass access restrictions.

computer vulnerability bulletin CVE-2009-1490 CVE-2009-1491

Sendmail: buffer overflow via X-Testing

Synthesis of the vulnerability

On old Sendmail versions, an attacker can use a long X-Testing header in order to generate a denial of service and possibly to execute code.
Impacted products: Sendmail.
Severity: 2/4.
Consequences: user access/rights, data deletion, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 07/05/2009.
Identifiers: BID-34944, BID-34949, CVE-2009-1490, CVE-2009-1491, VIGILANCE-VUL-8698.

Description of the vulnerability

This vulnerability was announced in 2009, but concerns Sendmail versions that were available in 2004.

An email is composed of headers and a body. Headers can contain extension headers starting with "X-".

When the first header is a long extension header, Sendmail tries to split it across several lines. However, two cases can occur:
 - a computation error generates a buffer overflow
 - the end of the header can be inserted into the message body

This vulnerability can therefore lead:
 - to a denial of service or to code execution
 - to a malformed email which can bypass an antivirus.

vulnerability alert 7301

Sendmail: denial of service via MIME

Synthesis of the vulnerability

An attacker can use long MIME lines in order to generate an error in Sendmail.
Impacted products: Sendmail.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: internet client.
Creation date: 02/11/2007.
Identifiers: VIGILANCE-VUL-7301.

Description of the vulnerability

The MaxMimeHeaderLength directive, introduced in Sendmail version 8.10.0, defines the maximum size of MIME headers:
  MaxMimeHeaderLength=max_total/max_each_parameter

When this directive is enabled (which is the default), the mime8to7() function of the sendmail/mime.c file does not correctly handle lines whose size reaches MAXLINE-1 characters. An error thus occurs, and this error can stop the daemon.

An attacker can therefore send a malicious email in order to create a denial of service on Sendmail.

computer vulnerability alert CVE-2006-4434

Sendmail: denial of service when finishing

Synthesis of the vulnerability

An attacker can create a malicious message stopping Sendmail.
Impacted products: Debian, AIX, Mandriva Linux, Mandriva NF, OpenBSD, openSUSE, Solaris, Sendmail, TurboLinux.
Severity: 1/4.
Consequences: denial of service on service.
Provenance: internet client.
Creation date: 28/08/2006.
Revision date: 30/08/2006.
Identifiers: 102664, 6458595, BID-19714, CERTA-2006-AVI-378, CVE-2006-4434, DSA-1164-1, IZ25577, MDKSA-2006:156, SUSE-SR:2006:021, TLSA-2006-28, VIGILANCE-VUL-6126.

Description of the vulnerability

The finis() function ends a session.

When a message contains long headers, this function continues to use the CurEnv->e_to pointer after it has been freed. This use-after-free error stops the process.

An attacker can therefore create a malicious message in order to stop Sendmail. As this error occurs at the end of the session, its impact is small.

vulnerability note CVE-2006-1173

Sendmail: denial of service via a MIME message

Synthesis of the vulnerability

An attacker can create an email containing deeply nested MIME parts in order to exhaust the memory of the process.
Impacted products: Debian, Fedora, FreeBSD, Tru64 UNIX, HP-UX, AIX, Mandriva Linux, Mandriva NF, NetBSD, OpenBSD, openSUSE, Solaris, Trusted Solaris, RHEL, RedHat Linux, Sendmail, Slackware, SLES, TurboLinux.
Severity: 3/4.
Consequences: denial of service on service.
Provenance: document.
Creation date: 15/06/2006.
Identifiers: 102460, 20060601-01-P, 20060602-01-U, 373801, 380258, 6424201, BID-18433, c00680632, c00692635, CERTA-2006-AVI-246, CERTA-2006-AVI-336, CVE-2006-1173, DSA-1155-1, DSA-1155-2, DUXKIT1000636-V40FB22-ES-20060519, FEDORA-2006-836, FEDORA-2006-837, FLSA-2006:195418, FreeBSD-SA-06:17.sendmail, HPSBTU02116, HPSBUX02124, MDKSA-2006:104, NetBSD-SA2006-017, RHSA-2006:051, RHSA-2006:0515-01, SA-200605-01, SSA:2006-166-01, SSRT061135, SSRT061159, SUSE-SA:2006:032, T64V51AB-IX-631-SENDMAIL-SSRT-061135, TLSA-2006-9, VIGILANCE-VUL-5924, VU#146718.

Description of the vulnerability

An email can contain several parts separated by MIME headers. Each part can in turn contain data encapsulated with MIME headers.

When Sendmail has to transfer an email to an MTA which does not support 8-bit binary data, the message is converted to 7-bit by the mime8to7() function. Each call to this function consumes a large area of stack memory.

When the mail to transfer contains deeply nested MIME parts, the mime8to7() function can exhaust the available stack. The process then stops and a core dump may be generated.

The main Sendmail process is not stopped, but while the bad email remains in the queue, the following emails are not transmitted. Moreover, core dumps can fill the disk.

An attacker can therefore create a malicious email to disturb Sendmail and saturate the machine, but without fully stopping the service.

vulnerability CVE-2006-0058

Sendmail: code execution via signals

Synthesis of the vulnerability

An attacker can connect to a server to trigger a race condition in asynchronous signal handling, which can lead to code execution.
Impacted products: Debian, Fedora, FreeBSD, Tru64 UNIX, HP-UX, AIX, Mandriva Linux, Mandriva NF, NetBSD, OpenBSD, openSUSE, Solaris, Trusted Solaris, RHEL, RedHat Linux, Sendmail, Slackware, SLES, TurboLinux.
Severity: 4/4.
Consequences: administrator access/rights.
Provenance: internet client.
Creation date: 22/03/2006.
Revision dates: 22/03/2006, 23/03/2006.
Identifiers: 102262, 200494, 20060302-01-P, 20060401-01-U, 6397275, 6403051, BID-17192, BID-17207, c00692635, CERTA-2002-AVI-006, CERTA-2006-AVI-124, CVE-2006-0058, DSA-1015-1, DUXKIT1000636-V40FB22-ES-20060519, emr_na-c00629555-7, FEDORA-2006-193, FEDORA-2006-194, FLSA-2006:186277, FreeBSD-SA-06:13.sendmail, HPSBTU02116, HPSBUX02108, IY82992, IY82993, IY82994, MDKSA-2006:058, NetBSD-SA2006-010, RHSA-2006:026, RHSA-2006:0264-01, RHSA-2006:0265-01, SSA:2006-081-01, SSRT061133, SSRT061135, SUSE-SA:2006:017, T64V51AB-IX-631-SENDMAIL-SSRT-061135, TLSA-2006-5, VIGILANCE-VUL-5710, VU#834865.

Description of the vulnerability

The setjmp() and longjmp() functions save and restore the stack context.

A race condition occurs in the libsm library between the use of these functions and the handling of an asynchronous signal. This error can be exploited through a buffer in the sm_syslog() function.

This error cannot occur during normal email sending or reception. An attacker has to connect to port 25 of the server and run a series of SMTP commands with precise timing.

This vulnerability leads to code execution.