Sendmail Race Condition Vulnerability
Original release date: March 22, 2006
Last revised: --
Source: US-CERT
Systems Affected
Sendmail versions prior to 8.13.6.
Overview
A race condition in Sendmail may allow a remote attacker to execute
arbitrary code.
I. Description
Sendmail contains a race condition caused by the improper handling of
asynchronous signals. In particular, by forcing the SMTP server to
have an I/O timeout at exactly the correct instant, an attacker
may be able to execute arbitrary code with the privileges of the
Sendmail process.
Details, including statements from affected vendors are available in the
following Vulnerability Note:
VU#834865 - Sendmail contains a race condition
A race condition in Sendmail may allow a remote attacker to execute arbitrary code.
(CVE-2006-0058)
Please refer to the Sendmail MTA Security Vulnerability Advisory and the Sendmail version 8.13.6 release page for more information.
II. Impact
A remote, unauthenticated attacker could execute arbitrary code with
the privileges of the Sendmail process. If Sendmail is running as
root, the attacker could take complete control of an affected system.
III. Solution
Upgrade Sendmail
Sendmail version 8.13.6 has been
released to correct this issue. In addition to VU#834865, Sendmail 8.13.6 addresses other security issues and potential weaknesses in the Sendmail code.
Patches to correct this issue in Sendmail versions 8.12.11 and 8.13.5 are also available.
Appendix A. References
Feedback can be directed to the US-CERT Technical Staff
Produced 2006 by US-CERT, a government organization. Terms of use
Revision History
March 22, 2006: Initial release
Mailing Lists & Feeds
Get Adobe Reader
US-CERT is part of the Department of Homeland Security