
Critical Error

Sendmail flaw puts systems at risk, again

In what marks the second critical Sendmail flaw this month, systems running the commonly used email server software are at risk of hacker attacks because of a flaw in the way the program handles long email addresses.

Sendmail does not adequately check the length of email addresses, so an email message carrying a specially crafted address can trigger a stack overflow and potentially allow an attacker to gain control of a vulnerable Sendmail server, the CERT Coordination Centre warned in an advisory.
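The class of bug described above is a fixed-size stack buffer that receives an address without a length check. The following is an added illustration, not Sendmail's code or the code from the advisory: a constructed address parser in its unsafe form next to a bounded form that rejects over-long input instead of overflowing. The buffer size, function names and sample addresses are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed buffer size for the example; the real software used its own. */
#define MAX_ADDR 64

enum addr_status { ADDR_OK = 0, ADDR_TOO_LONG = 1, ADDR_MALFORMED = 2 };

/* Unsafe pattern (constructed illustration of the bug class, not Sendmail's
   code): the address is copied into a caller-supplied fixed-size buffer with
   no bound on n, so an address longer than the buffer writes past its end.
   It is never called here and is present only for contrast. */
void parse_address_unsafe(const char *in, char *out /* MAX_ADDR bytes */)
{
    size_t n = 0;
    if (*in == '<') in++;
    while (*in && *in != '>')
        out[n++] = *in++;            /* no check against MAX_ADDR */
    out[n] = '\0';
}

/* Hardened version: the destination size is passed in and every byte copied
   is checked against it, leaving room for the terminating NUL. */
enum addr_status parse_address_safe(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    int at_signs = 0;

    if (*in == '<') in++;            /* optional angle-bracket form */
    for (; *in && *in != '>'; in++) {
        if (n + 1 >= outlen)         /* reject before writing, not after */
            return ADDR_TOO_LONG;
        if (*in == '@') at_signs++;
        out[n++] = *in;
    }
    out[n] = '\0';

    /* Minimal shape check: exactly one '@' with non-empty parts either side. */
    if (at_signs != 1 || n == 0 || out[0] == '@' || out[n - 1] == '@')
        return ADDR_MALFORMED;
    return ADDR_OK;
}

/* Parse into a fixed-size stack buffer, the situation the flaw concerns. */
enum addr_status check_address(const char *in)
{
    char parsed[MAX_ADDR];
    return parse_address_safe(in, parsed, sizeof parsed);
}

/* Build a constructed address whose local part is `len` bytes of 'a' and
   check it, showing that an over-long address is rejected, not copied. */
enum addr_status check_crafted_address(size_t len)
{
    char big[1024];
    if (len > 1000)
        len = 1000;
    memset(big, 'a', len);
    memcpy(big + len, "@example.com", 13);   /* 12 chars plus NUL */
    return check_address(big);
}

int main(void)
{
    static const char *names[] = { "ok", "too long", "malformed" };
    printf("<user@example.com>  -> %s\n", names[check_address("<user@example.com>")]);
    printf("<@example.com>      -> %s\n", names[check_address("<@example.com>")]);
    printf("200-byte local part -> %s\n", names[check_crafted_address(200)]);
    return 0;
}
```

Because a message is relayed hop by hop, the bounded check has to run in every server that parses the address, not only at the internet-facing gateway; a relay that trusts an upstream server's output inherits the same exposure.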

Sendmail servers that aren't directly connected to the internet are also at risk, since the vulnerability is triggered by the contents of a malicious email message that can be handed on from server to server.

Sendmail is the most commonly used MTA (mail transfer agent) and handles the majority of internet email traffic, yet many vendors are distributing vulnerable versions of the program.

Sendmail and the Sendmail Consortium urge users to upgrade to Sendmail 8.12.9 or apply a patch from their chosen vendor. The problem affects all versions of Sendmail Pro, all editions of open source Sendmail prior to 8.12.9, and several incarnations of Sendmail Switch and Sendmail for NT, according to CERT.

The email address parser flaw is the second "critical" bug in Sendmail announced and patched this month. The earlier vulnerability occurred because of an error in a function that checks whether addresses in the email message header are valid. This could also allow an attacker to take over a Sendmail server, experts said.
