sendmail before 8.14.4 does not properly handle a '\0' character in a Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based SMTP servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended access restrictions via a crafted client certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2010-0237 advisory.

    - fix verification of SSL certificate with NUL in name (#553618, CVE-2009-4565)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

From Red Hat Security Advisory 2011:0262 :

Updated sendmail packages that fix one security issue and three bugs are now available for Red Hat Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Sendmail is a Mail Transport Agent (MTA) used to send mail between machines.

A flaw was found in the way sendmail handled NUL characters in the CommonName field of X.509 certificates. An attacker able to get a carefully-crafted certificate signed by a trusted Certificate Authority could trick sendmail into accepting it by mistake, allowing the attacker to perform a man-in-the-middle attack or bypass intended client certificate authentication. (CVE-2009-4565)

The CVE-2009-4565 issue only affected configurations using TLS with certificate verification and CommonName checking enabled, which is not a typical configuration.

This update also fixes the following bugs :

* Previously, sendmail did not correctly handle mail messages that had a long first header line. A line with more than 2048 characters was split, causing the part of the line exceeding the limit, as well as all of the following mail headers, to be incorrectly handled as the message body. (BZ#499450)

* When an SMTP-sender is sending mail data to sendmail, it may spool that data to a file in the mail queue. It was found that, if the SMTP-sender stopped sending data and a timeout occurred, the file may have been left stalled in the mail queue, instead of being deleted.
This update may not correct this issue for every situation and configuration. Refer to the Solution section for further information.
(BZ#434645)

* Previously, the sendmail macro MAXHOSTNAMELEN used 64 characters as the limit for the hostname length. However, in some cases, it was used against an FQDN length, which has a maximum length of 255 characters.
With this update, the MAXHOSTNAMELEN limit has been changed to 255.
(BZ#485380)

All sendmail users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, sendmail will be restarted automatically.

'sendmail before 8.14.4 does not properly handle a '\0' character in a Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based SMTP servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended access restrictions via a crafted client certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.'.

A flaw was found in the way sendmail handled NUL characters in the CommonName field of X.509 certificates. An attacker able to get a carefully-crafted certificate signed by a trusted Certificate Authority could trick sendmail into accepting it by mistake, allowing the attacker to perform a man-in-the-middle attack or bypass intended client certificate authentication. (CVE-2009-4565)

The CVE-2009-4565 issue only affected configurations using TLS with certificate verification and CommonName checking enabled, which is not a typical configuration.

This update also fixes the following bugs :

  - Previously, sendmail did not correctly handle mail     messages that had a long first header line. A line with     more than 2048 characters was split, causing the part of     the line exceeding the limit, as well as all of the     following mail headers, to be incorrectly handled as the     message body. (BZ#499450)

  - When an SMTP-sender is sending mail data to sendmail, it     may spool that data to a file in the mail queue. It was     found that, if the SMTP-sender stopped sending data and     a timeout occurred, the file may have been left stalled     in the mail queue, instead of being deleted. This update     may not correct this issue for every situation and     configuration. Refer to the Notes section for further     information. (BZ#434645)

  - Previously, the sendmail macro MAXHOSTNAMELEN used 64     characters as the limit for the hostname length.
    However, in some cases, it was used against an FQDN     length, which has a maximum length of 255 characters.
    With this update, the MAXHOSTNAMELEN limit has been     changed to 255. (BZ#485380)

After installing this update, sendmail will be restarted automatically.

Notes: As part of the fix for BZ#434645, a script called purge-mqueue is shipped with this update. It is located in the /usr/share/sendmail/ directory. The primary purpose of this script is a one-time clean up of the mqueue from stalled files that were created before the installation of this update. By default, the script removes all files from /var/spool/mqueue/ that have an atime older than one month. It requires the tmpwatch package to be installed. If you have stalled files in your mqueue you can run this script or clean them manually.
It is also possible to use this script as a cron job (for example, by copying it to /etc/cron.daily/), but it should not be needed in most cases, because this update should prevent the creation of new stalled files.

The configuration of sendmail in Scientific Linux was found to not reject the 'localhost.localdomain' domain name for email messages that come from external hosts. This could allow remote attackers to disguise spoofed messages. (CVE-2006-7176)

A flaw was found in the way sendmail handled NUL characters in the CommonName field of X.509 certificates. An attacker able to get a carefully-crafted certificate signed by a trusted Certificate Authority could trick sendmail into accepting it by mistake, allowing the attacker to perform a man-in-the-middle attack or bypass intended client certificate authentication. (CVE-2009-4565)

Note: The CVE-2009-4565 issue only affected configurations using TLS with certificate verification and CommonName checking enabled, which is not a typical configuration.

This update also fixes the following bugs :

  - sendmail was unable to parse files specified by the     ServiceSwitchFile option which used a colon as a     separator. (BZ#512871)

  - sendmail incorrectly returned a zero exit code when free     space was low. (BZ#299951)

  - the sendmail manual page had a blank space between the
    -qG option and parameter. (BZ#250552)

  - the comments in the sendmail.mc file specified the wrong     path to SSL certificates. (BZ#244012)

  - the sendmail packages did not provide the MTA     capability. (BZ#494408)

The remote host is affected by the vulnerability described in GLSA-201206-30 (sendmail: X.509 NULL spoofing vulnerability)

    A vulnerability has been discovered in sendmail. Please review the CVE       identifier referenced below for details.
  Impact :

    A remote attacker might employ a specially crafted certificate to       conduct man-in-the-middle attacks on SSL connections made using sendmail.
  Workaround :

    There is no known workaround at this time.

Updated sendmail packages that fix one security issue and three bugs are now available for Red Hat Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Sendmail is a Mail Transport Agent (MTA) used to send mail between machines.

A flaw was found in the way sendmail handled NUL characters in the CommonName field of X.509 certificates. An attacker able to get a carefully-crafted certificate signed by a trusted Certificate Authority could trick sendmail into accepting it by mistake, allowing the attacker to perform a man-in-the-middle attack or bypass intended client certificate authentication. (CVE-2009-4565)

The CVE-2009-4565 issue only affected configurations using TLS with certificate verification and CommonName checking enabled, which is not a typical configuration.

This update also fixes the following bugs :

* Previously, sendmail did not correctly handle mail messages that had a long first header line. A line with more than 2048 characters was split, causing the part of the line exceeding the limit, as well as all of the following mail headers, to be incorrectly handled as the message body. (BZ#499450)

* When an SMTP-sender is sending mail data to sendmail, it may spool that data to a file in the mail queue. It was found that, if the SMTP-sender stopped sending data and a timeout occurred, the file may have been left stalled in the mail queue, instead of being deleted.
This update may not correct this issue for every situation and configuration. Refer to the Solution section for further information.
(BZ#434645)

* Previously, the sendmail macro MAXHOSTNAMELEN used 64 characters as the limit for the hostname length. However, in some cases, it was used against an FQDN length, which has a maximum length of 255 characters.
With this update, the MAXHOSTNAMELEN limit has been changed to 255.
(BZ#485380)

All sendmail users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, sendmail will be restarted automatically.

This update of sendmail improves the handling of special-characters in the SSL certificate. (CVE-2009-4565: CVSS v2 Base Score: 7.5)

This new version of sendmail fixes security bug - handling of bogus certificates with NULLs in CNs. Also many other bugs have been fixed, for complete list please see: http://www.sendmail.org/releases/8.14.4

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated sendmail packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Sendmail is a very widely used Mail Transport Agent (MTA). MTAs deliver mail from one machine to another. Sendmail is not a client program, but rather a behind-the-scenes daemon that moves email over networks or the Internet to its final destination.

The configuration of sendmail in Red Hat Enterprise Linux was found to not reject the 'localhost.localdomain' domain name for email messages that come from external hosts. This could allow remote attackers to disguise spoofed messages. (CVE-2006-7176)

A flaw was found in the way sendmail handled NUL characters in the CommonName field of X.509 certificates. An attacker able to get a carefully-crafted certificate signed by a trusted Certificate Authority could trick sendmail into accepting it by mistake, allowing the attacker to perform a man-in-the-middle attack or bypass intended client certificate authentication. (CVE-2009-4565)

Note: The CVE-2009-4565 issue only affected configurations using TLS with certificate verification and CommonName checking enabled, which is not a typical configuration.

This update also fixes the following bugs :

* sendmail was unable to parse files specified by the ServiceSwitchFile option which used a colon as a separator.
(BZ#512871)

* sendmail incorrectly returned a zero exit code when free space was low. (BZ#299951)

* the sendmail manual page had a blank space between the -qG option and parameter. (BZ#250552)

* the comments in the sendmail.mc file specified the wrong path to SSL certificates. (BZ#244012)

* the sendmail packages did not provide the MTA capability.
(BZ#494408)

All users of sendmail are advised to upgrade to these updated packages, which resolve these issues.

It was discovered that sendmail, a Mail Transport Agent, does not properly handle a '\0' character in a Common Name (CN) field of an X.509 certificate.

This allows an attacker to spoof arbitrary SSL-based SMTP servers via a crafted server certificate issued by a legitimate Certification Authority, and to bypass intended access restrictions via a crafted client certificate issued by a legitimate Certification Authority.

A security vulnerability has been identified and fixed in sendmail :

sendmail before 8.14.4 does not properly handle a '\0' (NUL) character in a Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based SMTP servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended access restrictions via a crafted client certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408 (CVE-2009-4565).

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.

This update provides a fix for this vulnerability.

The remote mail server is running a version of Sendmail earlier than 8.14.4.  Such versions are potentially affected by a flaw that my allow an attacker to spoof SSL certificates by using a NULL character in certain certificate fields.

The remote mail server is running a version of Sendmail earlier than 8.14.4. Such versions are reportedly affected by a flaw that may allow an attacker to spoof SSL certificates by using a NULL character in certain certificate fields.

A remote attacker may exploit this to perform a man-in-the-middle attack.

ID	Name	Product	Family	Severity
181057	Oracle Linux 5 : sendmail (ELSA-2010-0237)	Nessus	Oracle Linux Local Security Checks	medium
68203	Oracle Linux 4 : sendmail (ELSA-2011-0262)	Nessus	Oracle Linux Local Security Checks	high
63813	AIX 5.3 TL 11 : sendmail (IZ72837)	Nessus	AIX Local Security Checks	high
63812	AIX 5.3 TL 10 : sendmail (IZ72836)	Nessus	AIX Local Security Checks	high
63811	AIX 5.3 TL 9 : sendmail (IZ72835)	Nessus	AIX Local Security Checks	high
63810	AIX 5.3 TL 8 : sendmail (IZ72834)	Nessus	AIX Local Security Checks	high
63809	AIX 6.1 TL 1 : sendmail (IZ72528)	Nessus	AIX Local Security Checks	high
63808	AIX 6.1 TL 2 : sendmail (IZ72515)	Nessus	AIX Local Security Checks	high
63807	AIX 6.1 TL 3 : sendmail (IZ72510)	Nessus	AIX Local Security Checks	high
63799	AIX 6.1 TL 4 : sendmail (IZ70637)	Nessus	AIX Local Security Checks	high
60962	Scientific Linux Security Update : sendmail on SL4.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
60774	Scientific Linux Security Update : sendmail on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
59703	GLSA-201206-30 : sendmail: X.509 NULL spoofing vulnerability	Nessus	Gentoo Local Security Checks	high
53535	RHEL 4 : sendmail (RHSA-2011:0262)	Nessus	Red Hat Local Security Checks	high
49924	SuSE 10 Security Update : sendmail (ZYPP Patch Number 6860)	Nessus	SuSE Local Security Checks	high
47389	Fedora 12 : sendmail-8.14.4-3.fc12 (2010-5470)	Nessus	Fedora Local Security Checks	high
47387	Fedora 11 : sendmail-8.14.4-3.fc11 (2010-5399)	Nessus	Fedora Local Security Checks	high
46286	RHEL 5 : sendmail (RHSA-2010:0237)	Nessus	Red Hat Local Security Checks	high
44958	SuSE9 Security Update : sendmail (YOU Patch Number 12590)	Nessus	SuSE Local Security Checks	high
44935	SuSE 10 Security Update : sendmail (ZYPP Patch Number 6859)	Nessus	SuSE Local Security Checks	high
44933	SuSE 11 Security Update : sendmail (SAT Patch Number 2021)	Nessus	SuSE Local Security Checks	high
44932	openSUSE Security Update : rmail (rmail-2012)	Nessus	SuSE Local Security Checks	high
44931	openSUSE Security Update : rmail (rmail-2012)	Nessus	SuSE Local Security Checks	high
44930	openSUSE Security Update : rmail (rmail-2012)	Nessus	SuSE Local Security Checks	high
44849	Debian DSA-1985-1 : sendmail - insufficient input validation	Nessus	Debian Local Security Checks	high
43867	Mandriva Linux Security Advisory : sendmail (MDVSA-2010:003)	Nessus	Mandriva Local Security Checks	high
5293	Sendmail < 8.14.4 SSL Certificate NULL Character Spoofing	Nessus Network Monitor	SMTP Servers	medium
43637	Sendmail < 8.14.4 SSL Certificate NULL Character Spoofing	Nessus	SMTP problems	high

Detections

Analytics

CVE-2009-4565

medium

Tenable Plugins

medium

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

medium

high