In what marks the second critical Sendmail flaw this month, systems running the commonly used email server software are at risk of hacker attacks because of a flaw in the way the program handles long email addresses.
Sendmail does not adequately check the length of email addresses, meaning an email message with a specially crafted address can trigger a stack overflow, potentially allowing an attacker to gain control of a vulnerable Sendmail server, the Cert (the Coordination Centre) warned in an advisory notice.
Sendmail servers that aren't directly connected to the internet are also at risk, since the vulnerability is triggered by the contents of a malicious email message that can be handed on from server to server.
Sendmail is the most commonly used MTA (mail transfer agent) and handles the majority of all internet email traffic, but many vendors are distributing vulnerable versions of the program.
Sendmail and the Sendmail Consortium urge users to upgrade to Sendmail 8.12.9 or apply a patch from their chosen vendor. The problem affects all versions of Sendmail Pro, all editions of open source Sendmail prior to 8.12.9, and several incarnations of Sendmail Switch and Sendmail for NT, according to Cert.
The email address parser flaw is the second "critical" bug in Sendmail announced and patched this month. The earlier vulnerability occurred because of an error in a function that checks whether addresses in the email message header are valid. This could also allow an attacker to take over a Sendmail server, experts said.