| Front Page | News Headlines | Technical Headlines | Planning Features | Advanced Search |
Click for Quantum Software Page News Icon

April 2003

Sendmail security bugs prompt patches

CERT warnings on security breaches surrounding the mail transport engine Sendmail, which is now included in HP 3000 operating environments, have prompted a pair of patches to repair the holes. Sendmail’s security problems have appeared across many operating systems; the holes in HP-UX can give unauthorized users access to the root directory, as well as permitting hackers to execute code on HP 9000 systems.

HP’s Mark Bixby, who ported the software to MPE/iX, reported that “The most that will happen on MPE is a process abort. You will not experience the execution of arbitrary hacker code.” Bixby has created a version 8.12.1 A.01.02 of Sendmail for the 3000 and reports that the patches SMLHD15A for MPE/iX 7.0 and SMLHD16A for MPE/iX 7.5 have been issued by HP to fix the problem. The security problem described at www.cert.org/advisories/CA-2003-07.html “manifests itself on MPE as more of an annoying denial of service issue, rather than a nasty execution of arbitrary hacker code issue,” Bixby said.

HP 3000 managers running unsupported versions of Sendmail on earlier versions of MPE should “just start from a clean slate with the full SMLGDT8A patch,” Bixby reports, “which despite being officially for 7.0, will install just fine on 6.0 and 6.5.”

HP support engineer James Hofmeister noted that MPE’s design makes the HP 3000 more secure against this kind of hacker attack. “A number of MPE features protect [it] from exploitation of hackers,” he said in an Internet posting. “MPE has a barrier between code objects and data objects. MPE does not support modifiable code objects. MPE has a barrier between process stack and system objects. MPE does not support execution of objects within the buffer manager.”

Hofmeister also pointed out that because MPE does not implement a root logon, and that MPE trap handlers are unique to MPE, the operating system has additional protection. Hackers would need “significant MPE internals knowledge to set a trap handler to run alternate code. The concern for this CERT for Sendmail on MPE systems is the premature termination of Sendmail processes. This can be avoided by installing the recommended patches.”


Copyright The 3000 NewsWire. All rights reserved.