SecurityTracker.com
Category:   Application (E-mail Server)  >   Sendmail
Vendors:   Sendmail Consortium
Sendmail 'close-on-exec' File Descriptor Error Lets Local Users Interfere With SMTP Connections in Certain Cases
SecurityTracker Alert ID:  1030331
SecurityTracker URL:  http://securitytracker.com/id/1030331
CVE Reference:   CVE-2014-3956
Updated:  Jun 11 2014
Original Entry Date:  Jun 4 2014
Impact:   Denial of service via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 8.14.9
Description:   A vulnerability was reported in Sendmail. A local user can cause denial of service conditions.

The application does not properly set the close-on-exec flag for file descriptors. As a result, a local user who can execute an arbitrary mail delivery agent can access file descriptors that the parent sendmail process has open. This can be exploited to interfere with open SMTP connections.
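
The descriptor inheritance described above, as an added example (not Sendmail's code and not taken from the vendor's advisory): a helper started with `exec` can use a descriptor the parent left open unless `FD_CLOEXEC` is set on it. Assumptions: a pipe stands in for the SMTP connection, descriptor 9 and `/bin/sh` stand in for the inherited socket and the delivery agent, and the function names are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set FD_CLOEXEC on fd, keeping its other descriptor flags. 0 = ok, -1 = error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1 ? -1 : 0;
}

/*
 * Constructed stand-in for a daemon handing off to a helper program: the write
 * end of a pipe is placed on descriptor 9, then /bin/sh is exec'd and tries to
 * open a redirection onto descriptor 9.
 * Returns 1 if the exec'd helper could use it, 0 if not, -1 on setup error.
 */
int helper_sees_fd(int protect)
{
    int p[2], status;
    pid_t pid;

    if (pipe(p) == -1)
        return -1;
    pid = fork();
    if (pid == 0) {
        if (dup2(p[1], 9) == -1 || (protect && set_cloexec(9) == -1))
            _exit(126);
        execl("/bin/sh", "sh", "-c", ": 2>/dev/null >&9", (char *)NULL);
        _exit(126);                 /* exec itself failed */
    }
    close(p[0]);
    close(p[1]);
    if (pid == -1 || waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 126)
        return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("without FD_CLOEXEC: helper sees fd = %d\n", helper_sees_fd(0));
    printf("with FD_CLOEXEC:    helper sees fd = %d\n", helper_sees_fd(1));
    return 0;
}
```

On systems that support them, creating descriptors with `O_CLOEXEC` or `SOCK_CLOEXEC` avoids the window between creation and the `fcntl` call.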

Impact:   A local user can interfere with open SMTP connections in certain cases.
Solution:   The vendor has issued a fix (8.14.9) [in May 2014].

The vendor's advisory is available at:

ftp://ftp.sendmail.org/pub/sendmail/RELEASE_NOTES

Vendor URL:  sendmail.org/
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 4 2014 (FreeBSD Issues Fix) Sendmail 'close-on-exec' File Descriptor Error Lets Local Users Interfere With SMTP Connections in Certain Cases
FreeBSD has issued a fix for FreeBSD 8.4, 9.1, 9.2, and 10.0.
Aug 1 2016 (HP Issues Fix) Sendmail 'close-on-exec' File Descriptor Error Lets Local Users Interfere With SMTP Connections in Certain Cases
HP has issued a fix for HP-UX 11.31.
Apr 7 2018 (IBM Issues Fix for IBM AIX) Sendmail 'close-on-exec' File Descriptor Error Lets Local Users Interfere With SMTP Connections in Certain Cases
IBM has issued a fix for IBM AIX 5.3, 6.1, 7.1, and 7.2.




Copyright 2019, SecurityGlobal.net LLC