The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Sendmail: buffer overflow via X-Testing

Synthesis of the vulnerability 

On old Sendmail versions, an attacker can use a long X-Testing header in order to generate a denial of service and possibly to execute code.
Impacted software: Sendmail.
Severity of this computer vulnerability: 2/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 07/05/2009.
Références of this announce: BID-34944, BID-34949, CVE-2009-1490, CVE-2009-1491, VIGILANCE-VUL-8698.

Description of the vulnerability 

A vulnerability was announced in 2009, about Sendmail versions available in 2004.

An email is composed of headers and a body. Headers can contain extensions starting by "X-".

When the first header is a long extension, Sendmail tries to split it on several lines. However, two cases can occur:
 - a computation error generates a buffer overflow
 - the end of the header can be inserted in the message body

This vulnerability can therefore lead:
 - to a denial of service or to code execution
 - to a malformed email which can bypass an antivirus.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This security threat impacts software or systems such as Sendmail.

Our Vigil@nce team determined that the severity of this computer weakness note is medium.

The trust level is of type confirmed by the editor, with an origin of internet client.

This bulletin is about 2 vulnerabilities.

An attacker with a expert ability can exploit this computer threat alert.

Solutions for this threat 

Sendmail: version 8.13.2.
Version 8.13.2 is corrected:
Note: this version was published in 2004, but details about a vulnerability it corrected were only published in 2009.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

Computer vulnerabilities tracking service 

Vigil@nce provides computer vulnerability analysis. The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.