• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Sendmail Inadequate Privilege Lowering Vulnerability

Severity: MODERATE

Description:

Sendmail is a widely used MTA often shipped with Unix systems.

Prior to version 8.12.0, the 'sendmail' executable was installed setuid root. To minimize the consequences of locally exploitable vulnerabilities in 'sendmail' (ie, users gaining root access), Sendmail was re-worked in version 8.12.0 to run with the privileges of a special non-root mail group.

One area of Sendmail that was not properly adjusted for the new privilege level was the configuration file processing component.

With Sendmail, users can specify custom configuration files at the command line. During the processing of this user-supplied data, Sendmail drops privileges completely as a security precaution. Processing glitches such as signed integer errors and other bugs in this component of sendmail are not normally security vulnerabilities (as privileges are supposed to have been completely lowered when it runs).

In version 8.12.0, the 'sendmail' utility is setgid instead of setuid. To lower privileges, the 'setgid()' system call is used. This system call does not set the saved groupid. It is therefore possible to reclaim the effective groupid if an attacker can force the process to call 'setregid()'.

This may be possible by exploiting some of the parsing bugs present in the configuration file processor.

If an attacker elevates privileges, the mail subsystem may be compromised. The attacker can then modify user mail files and the queue.

There exist possibilities for further privilege elevation once an attacker has gained control over sendmail and the queue files.

Affected Products:

• Sendmail Consortium Sendmail 8.12.0 .0

References:

• Sendmail Consortium: Support Web page for Free Sendmail
• Sendmail Consortium: Web Page for the Commercially Supported Sendmail

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.