Debian Linux Sendmail sasl-bin mail relay
X-Force ID: sendmail-mail-relay (17531)
Description:
Sendmail running on certain versions of Debian Linux could allow a remote attacker to use the system as an open mail relay. When the sasl-bin package is installed, the sendmail configuration script initializes the SASL user database with a fixed username or password, so anyone who knows that credential can authenticate and relay mail through the system.
Consequences:
Obtain Information
Remedy:
For Debian GNU/Linux 3.0 (woody):
Upgrade to the latest sendmail package, as listed below. Refer to DSA-554-1 for more information. See References.
Debian GNU/Linux 3.0 (woody): 8.12.3-7.1 or later
References:
- Sendmail Web site: Welcome to sendmail.org.
- BID-11262: Debian GNU/Linux Sendmail Package Default SASL Password Vulnerability
- CVE-2004-0833: Sendmail before 8.12.3 on Debian GNU/Linux, when using sasl and sasl-bin, uses a Sendmail configuration script with a fixed username and password, which could allow remote attackers to use Sendmail as an open mail relay and send spam messages.
- DSA-554: sendmail -- pre-set password
- SA12667: Debian sendmail sasl-bin Mail Relaying Security Issue
Platforms Affected:
- Debian Debian Linux 3.0
- Sendmail Sendmail 8.12.0
- Sendmail Sendmail 8.12.1
- Sendmail Sendmail 8.12.2
Reported:
Sep 27, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
