Unix, Linux Admins Urged To Upgrade Sendmail Security
L33tdawg: Right, well this news is a little old (about 2 1/2 maybe 3 days old), but all the same, perhaps some of you might not have heard of it yet.
Security experts and vendors of Linux and other Unix-like operating systems are urging network administrators to replace some versions of popular e-mail server software known as Sendmail, because the most recent open-source versions can provide a doorway for local hackers.
Since malicious individuals would need to gain command-line access to a server in order to exploit the vulnerability, the problem is greatest for organizations such as Internet service providers or universities that regularly provide shell access to users....
Unix, Linux Admins Urged To Upgrade Sendmail Security
By Steven Bonisteel, Newsbytes
Cade Cairns, a member of the Security Focus Threat Analysis Team, reported late last week that hackers with access to run Sendmail from the command line of vulnerable systems could possibly gain administrator access to the server by supplying specially crafted commands.
Since then, others have written software to demonstrate how hackers could automate the process of exploiting the vulnerability, which exists when Sendmail is commanded to run in "debug" mode.
"To exploit this vulnerability, an attacker must have the ability to pass command-line arguments to the Sendmail program," Cairns told Newsbytes. "Therefore, the attack must be performed using some sort of interface allowing system commands to be issued - typically a shell, or perhaps even through a web interface of some sort."
Click here to continue reading this article at NewsBytes
More information on the issue is available here:
Security Focus
The Sendmail Consortium Web site is here:
www.sendmail.org
