Internet Security Systems said it has uncovered a flaw in the most recent version of the Sendmail open-source code used primarily in Unix-based and some Windows-based e-mail gateways.
The flaw in the Sendmail SMTP server daemon version 8.13.5 is called a "signal race vulnerability," and it allows remote attacker to craft malicious code to wholly subvert the Sendmail-based server. The Sendmail Consortium has worked with ISS to come up with a patch for the affected Sendmail version. The Sendmail Consortium is strongly advising IT administrators to upgrade to a new version, Sendmail 8.13.6, but the patch is available separately as well.
Alain Sergile, ISS technical product manager for X-Force, the division at ISS which researches security threats, said the problem discovered in Sendmail is a variant on the buffer-overflow vulnerabilities seen many times in the past that allow attackers to subvert software.
In this case, the attack manipulates signaling code to the server in order to gain complete control over the affected host.
Sergile said an attack based on the signal-race vulnerability is not necessarily a simple attack to carry out, and no attack code for this purpose is known to exist. But now that the vulnerability is publicly known, hackers are certainly likely to be looking at finding ways to exploit it.
"The signal-race vulnerability is not a trivial exploit to do," he noted, "so managers have some time here to make the necessary changes."
ISS has also made available code to work as a "virtual patch" in its Proventia line of intrusion-prevention systems and other products to prevent attacks based on the signal-race vulnerability.
