
IZ72835: SENDMAIL TLS SERVER VULNERABILITY CVE-2009-4565 APPLIES TO AIX 5300-09

A fix is available


APAR status

  • Closed as program error.

Error description

  • Ostensibly secure connections with a sendmail server
    enabled for TLS (i.e. the binary originally shipped
    and installed on AIX systems as /usr/sbin/sendmail_ssl)
    are vulnerable as described in Common Vulnerabilities
    and Exposures report CVE-2009-4565, quoted below.
    
    This applies to sendmail versions below 8.14.4. The
    version, and whether TLS support was compiled in, can
    be checked by running
      /usr/sbin/sendmail -d0.10 < /dev/null
    and examining the "Compiled with:" list it prints for
    "STARTTLS". Whether the binary actually running is the
    TLS-enabled one can also be checked by looking for a
    "250 STARTTLS" line (or "250-STARTTLS", when it is not
    the last extension listed) in the EHLO response of a
    connection to the sendmail server, established in
    either of the following two ways:
    
     1) send "ehlo <your-domain-name>" followed by "quit"
     over a connection to the sendmail server host with:
       telnet <server-address>  smtp
     2) echo test | mail -v <username>@<server-address>
    
    Note that sendmail advertises STARTTLS only when its
    server certificate and key are configured, so absence
    of the extension from the EHLO reply does not by itself
    show that the binary was built without TLS; the -d0.10
    output is authoritative for compile-time support.
    
    CVE-2009-4565 notice:
    "sendmail before 8.14.4 does not properly handle a '\0'
    character in a Common Name (CN) field of an X.509
    certificate, which (1) allows man-in-the-middle
    attackers to spoof arbitrary SSL-based SMTP servers via
    a crafted server certificate issued by a legitimate
    Certification Authority, and (2) allows remote
    attackers to bypass intended access restrictions via a
    crafted client certificate issued by a legitimate
    Certification Authority," ...
    
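The version and STARTTLS checks described above, as an added example that is not part of the original APAR: the script parses the "Version" line and the "Compiled with:" flag list from `sendmail -d0.10` output (the sample output embedded below is constructed, not captured from a real AIX host), decides whether the 8.14.4 threshold and STARTTLS both apply, and offers a live EHLO check equivalent to the telnet step using Python's standard smtplib.

```python
"""Decide whether a sendmail build falls under CVE-2009-4565 (version < 8.14.4 with STARTTLS compiled in)."""
import re
import smtplib

FIXED_VERSION = (8, 14, 4)

# Constructed sample of `/usr/sbin/sendmail -d0.10 < /dev/null` output.
# Not captured from a real system; the flag list is shortened for illustration.
SAMPLE_D0_OUTPUT = """Version 8.13.4
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MIME7TO8 MIME8TO7
                NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS
                PIPELINING SCANF STARTTLS TCPWRAPPERS XDEBUG

============ SYSTEM IDENTITY (after readcf) ============
      (short domain name) $w = mailhost
  (canonical domain name) $j = mailhost.example.com
"""


def parse_sendmail_version(text):
    """Return the dotted version from the 'Version' line as a 3-tuple of ints, e.g. (8, 13, 4)."""
    m = re.search(r"^Version\s+(\d+(?:\.\d+)*)", text, re.MULTILINE)
    if not m:
        raise ValueError("no 'Version' line found in -d0 output")
    parts = tuple(int(x) for x in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))   # pad "8.14" to (8, 14, 0)


def compiled_with_flags(text):
    """Collect the tokens of the 'Compiled with:' list, which may span several indented lines."""
    flags = []
    collecting = False
    for line in text.splitlines():
        if "Compiled with:" in line:
            collecting = True
            line = line.split("Compiled with:", 1)[1]
        elif collecting and (not line.strip() or not line.startswith(" ")):
            break                            # blank or unindented line ends the list
        if collecting:
            flags.extend(line.split())
    return flags


def is_affected(version, flags):
    """CVE-2009-4565 applies only to TLS-enabled builds older than 8.14.4."""
    return version < FIXED_VERSION and "STARTTLS" in flags


def server_offers_starttls(host, helo_name, port=25, timeout=10):
    """Live check, same as the telnet step: EHLO the server and look for the STARTTLS extension.
    Not exercised offline; requires network access to the sendmail host."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo(helo_name)
        if code != 250:
            raise RuntimeError("EHLO rejected with code %d" % code)
        return smtp.has_extn("starttls")


if __name__ == "__main__":
    v = parse_sendmail_version(SAMPLE_D0_OUTPUT)
    f = compiled_with_flags(SAMPLE_D0_OUTPUT)
    print("version", ".".join(map(str, v)), "STARTTLS" in f and "with STARTTLS" or "without STARTTLS")
    print("affected by CVE-2009-4565:", is_affected(v, f))
```

On a real host, feed the script the actual `-d0.10` output (for example via `subprocess.run(["/usr/sbin/sendmail", "-d0.10"], stdin=subprocess.DEVNULL, capture_output=True, text=True)`) and call `server_offers_starttls("<server-address>", "<your-domain-name>")` for the EHLO side of the check.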

Local fix

  • The vulnerability does not apply if TLS is not
    supported. Switching to /usr/sbin/sendmail_nonssl
    removes the false assumption of a secure connection,
    at the cost of carrying mail in cleartext until the
    fix is installed.
    
    

Problem summary

  • Secure connections with a sendmail server
    enabled for TLS (i.e. the binary originally shipped
    and installed on AIX systems as /usr/sbin/sendmail_ssl)
    are vulnerable as described in Common Vulnerabilities
    and Exposures report CVE-2009-4565
    

Problem conclusion

  • Code is modified to handle correctly the '\0' (NUL)
    character in the Common Name (CN) field of an X.509
    certificate
    
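The defect behind CVE-2009-4565 and the shape of its fix, as an added example that is not sendmail's source code: the CN comes out of the certificate as a length-prefixed ASN.1 string, but the vulnerable comparison treated it as a NUL-terminated C string, so a CN of "mailhost.example.com\0.attacker.example" (a constructed value, issued for a name the attacker controls) compared equal to the expected host. The fixed comparison uses the ASN.1 length and rejects any embedded NUL. The minimal DER string parser, host names and access map below are all constructed for illustration.

```python
"""Host-name matching against an X.509 CN, before and after the '\\0' fix (CVE-2009-4565)."""

# Constructed names; the NUL variant is what a "crafted certificate" carries.
EXPECTED_HOST = b"mailhost.example.com"
HONEST_CN = b"mailhost.example.com"
NUL_CN = b"mailhost.example.com\x00.attacker.example"

# Constructed access map keyed by client-certificate CN (the "access restrictions" of case 2).
ACCESS_MAP = {b"relay-client.example.com": "RELAY"}

UTF8STRING = 0x0C      # DER tag; UTF8String permits any byte sequence, including NUL


def der_string(tag, value):
    """Encode a DER string TLV (helper used only to build the sample)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    length_octets = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_octets)]) + length_octets + value


def der_string_value(tlv):
    """Return the value octets of a DER string TLV. The length is explicit, so a NUL is just data."""
    if not tlv or tlv[0] not in (0x0C, 0x13, 0x16):   # UTF8String, PrintableString, IA5String
        raise ValueError("not a DER string")
    length, offset = tlv[1], 2
    if length & 0x80:                                  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(tlv[2:2 + n], "big")
        offset = 2 + n
    value = tlv[offset:offset + length]
    if len(value) != length:
        raise ValueError("truncated TLV")
    return value


def as_c_string(cn):
    """Model copying the ASN.1 value into a char buffer: everything after the first NUL is lost."""
    return cn.split(b"\x00", 1)[0]


def cn_matches_vulnerable(cn, host):
    """Pre-8.14.4 behaviour: strcmp()-style comparison on the truncated C string."""
    return as_c_string(cn).lower() == host.lower()


def cn_matches_fixed(cn, host):
    """Fixed behaviour: compare over the full ASN.1 length and refuse any embedded NUL."""
    if b"\x00" in cn:
        return False
    return len(cn) == len(host) and cn.lower() == host.lower()


def access_lookup_vulnerable(cn):
    """Case 2: a client CN 'relay-client.example.com\\0...' hits the RELAY entry when truncated."""
    return ACCESS_MAP.get(as_c_string(cn).lower())


def access_lookup_fixed(cn):
    if b"\x00" in cn:
        return None
    return ACCESS_MAP.get(cn.lower())


if __name__ == "__main__":
    cn = der_string_value(der_string(UTF8STRING, NUL_CN))
    print("parsed CN length:", len(cn), "C-string length:", len(as_c_string(cn)))
    print("vulnerable match:", cn_matches_vulnerable(cn, EXPECTED_HOST))
    print("fixed match:     ", cn_matches_fixed(cn, EXPECTED_HOST))
```

The same truncation drives both halves of the CVE: for a server certificate it lets a man-in-the-middle pass the host-name check (case 1), and for a client certificate it lets an attacker's CN collide with a trusted access-map entry (case 2). Either way the certificate chain itself is valid, since the CA really issued it; only the name comparison is wrong.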

Temporary fix

Comments

APAR Information

  • APAR number

    IZ72835

  • Reported component name

    AIX 5.3

  • Reported component ID

    5765G0300

  • Reported release

    530

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Submitted date

    2010-03-12

  • Closed date

    2010-03-12

  • Last modified date

    2013-03-29

  • APAR is sysrouted FROM one or more of the following:

    IZ70637

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    AIX 5.3

  • Fixed component ID

    5765G0300

Applicable component levels

  • R530 PSY U830255

       UP10/05/18 I 1000

PTF to Fileset Mapping


Document Information

Modified date:
29 March 2013