IZ72539: SENDMAIL TLS SERVER VULNERABILITY CVE-2009-4565 APPLIES TO AIX 6100-05

A fix is available

APAR status

  • Closed as program error.

Error description

  • Ostensibly secure connections with a sendmail server
    enabled for TLS (i.e. the binary originally shipped
    and installed on AIX systems as /usr/sbin/sendmail_ssl)
    are vulnerable as described in Common Vulnerabilities
    and Exposures report CVE-2009-4565, quoted below.
    
    This applies to sendmail versions below 8.14.4. The version
    and the presence of TLS support can be checked by running
      /usr/sbin/sendmail -d0.10 < /dev/null
    
    and looking for "STARTTLS" in the list of "Compiled with"
    modules it prints. Whether the running binary is the one
    enabled for TLS can also be checked by looking for a
    "250 STARTTLS" line in the output of a connection to the
    sendmail server established in either of the following
    two ways:
    
     1) send "ehlo <your-domain-name>" followed by "quit"
     over a connection to the sendmail server host with:
       telnet <server-address>  smtp
     2) echo test | mail -v <username>@<server-address>
    
    CVE-2009-4565 notice:
    "sendmail before 8.14.4 does not properly handle a '\0'
    character in a Common Name (CN) field of an X.509
    certificate, which
    
    " (1) allows man-in-the-middle attackers to spoof
    arbitrary SSL-based SMTP servers via a crafted server
    certificate issued by a legitimate Certification
    Authority, and
    
    " (2) allows remote attackers to bypass intended access
    restrictions via a crafted client certificate issued by
    a legitimate Certification Authority," ...
    
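The version and STARTTLS checks described above, as an added example that is not part of the APAR and not IBM's or sendmail's code: a Python script that evaluates saved output of `/usr/sbin/sendmail -d0.10 < /dev/null` and of the EHLO/QUIT dialogue against the 8.14.4 threshold. The sample outputs embedded in it are constructed, not captured from a real AIX host, and the exact layout of the "Compiled with:" block (a module list that may wrap onto indented continuation lines) is an assumption about the format.

```python
import re

# Sendmail 8.14.4 is the first version with the CN handling fix (CVE-2009-4565).
FIXED_VERSION = (8, 14, 4)

# Constructed sample of `/usr/sbin/sendmail -d0.10 < /dev/null` output; it is
# not captured from a real AIX host, and the exact layout of the "Compiled
# with:" block is an assumption (the module list may wrap onto indented lines).
SAMPLE_D0_OUTPUT = """\
Version 8.14.3
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
\t\tNAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASLv2
\t\tSCANF STARTTLS TCPWRAPPERS USERDB XDEBUG

============ SYSTEM IDENTITY (after readcf) ============
      (short domain name) $w = mailhost
"""

# Constructed transcript of the EHLO/QUIT dialogue from step 1 (telnet to the
# smtp port); hostnames and addresses are documentation placeholders.
SAMPLE_EHLO_TRANSCRIPT = """\
220 mailhost.example.com ESMTP Sendmail 8.14.3/8.14.3; Tue, 9 Mar 2010 10:00:00 -0500
250-mailhost.example.com Hello client.example.com [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-STARTTLS
250 HELP
221 2.0.0 mailhost.example.com closing connection
"""


def parse_version(d0_output):
    """Return the (major, minor, patch) tuple from the 'Version x.y.z' line, or None."""
    m = re.search(r"^Version (\d+)\.(\d+)\.(\d+)", d0_output, re.MULTILINE)
    return tuple(int(p) for p in m.groups()) if m else None


def compiled_with(d0_output):
    """Collect the module names listed after 'Compiled with:', including the
    indented continuation lines, which run until a blank or non-indented line."""
    modules = []
    in_block = False
    for line in d0_output.splitlines():
        stripped = line.strip()
        if stripped.startswith("Compiled with:"):
            in_block = True
            modules.extend(stripped.split(":", 1)[1].split())
            continue
        if in_block:
            if not stripped or not line[:1].isspace():
                break
            modules.extend(stripped.split())
    return set(modules)


def ehlo_advertises_starttls(transcript):
    """True if any EHLO response line advertises STARTTLS ('250-STARTTLS' or
    '250 STARTTLS', depending on whether it is the last extension listed)."""
    return any(re.match(r"250[- ]STARTTLS\b", line) for line in transcript.splitlines())


def assess(d0_output, ehlo_transcript=None):
    """Combine the checks: a host is affected when the version is below 8.14.4
    and TLS is either compiled in or advertised on the wire."""
    version = parse_version(d0_output)
    starttls_compiled = "STARTTLS" in compiled_with(d0_output)
    starttls_advertised = (
        ehlo_advertises_starttls(ehlo_transcript) if ehlo_transcript is not None else None
    )
    tls_enabled = starttls_compiled or bool(starttls_advertised)
    affected = version is not None and version < FIXED_VERSION and tls_enabled
    return {
        "version": version,
        "starttls_compiled": starttls_compiled,
        "starttls_advertised": starttls_advertised,
        "affected": affected,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_D0_OUTPUT, SAMPLE_EHLO_TRANSCRIPT).items():
        print(f"{key}: {value}")
```

On a real host, feed the script the captured output of the two commands rather than the embedded samples; a binary that reports 8.14.4 or later, or that neither lists STARTTLS under "Compiled with" nor advertises it in the EHLO response, is reported as not affected, which matches the APAR's own scoping of the issue.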

Local fix

  • The vulnerability does not apply if TLS is not being
    supported. Switching to sendmail_nonssl would prevent
    a false assumption of a secure connection.
    

Problem summary

  • Secure connections with a sendmail server
    enabled for TLS (i.e. the binary originally shipped
    and installed on AIX systems as /usr/sbin/sendmail_ssl)
    are vulnerable as described in Common Vulnerabilities
    and Exposures report CVE-2009-4565
    

Problem conclusion

  • Code is modified to correctly handle the '\0' character in
    the Common Name (CN) field of an X.509 certificate
    
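The defect described in the CVE text and in the problem conclusion, as an added illustration that is neither sendmail's nor IBM's code: a DER string is length-delimited, so a Common Name can legally carry a NUL byte, and any comparison that views the value as a C string stops at that NUL. The example decodes a single constructed CN TLV, shows the truncating comparison beside a hardened one that rejects any disagreement between the DER length and the C-string length, and its CN values are constructed test data. The hardened check models the behaviour the APAR describes for the fixed code; it does not reproduce sendmail's actual implementation.

```python
# Tags for the two DER string types commonly used for a CN (UTF8String,
# PrintableString). Only short-form lengths are handled, which suffices for a CN.
DER_STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString"}


def der_string_value(tlv):
    """Decode one DER string TLV and return its value bytes exactly as encoded.
    DER strings are length-delimited, so a NUL inside the value survives here;
    only a later C-string view of the buffer truncates it."""
    if len(tlv) < 2 or tlv[0] not in DER_STRING_TAGS:
        raise ValueError("not a DER string TLV")
    length = tlv[1]
    if length >= 0x80:
        raise ValueError("long-form length not handled in this example")
    if len(tlv) != 2 + length:
        raise ValueError("TLV length does not match its declared length")
    return tlv[2:]


def encode_cn(value):
    """Build a UTF8String TLV for a constructed CN value (test data only)."""
    if len(value) >= 0x80:
        raise ValueError("example only handles short-form lengths")
    return bytes([0x0C, len(value)]) + value


def c_string_view(value):
    """Model the pre-8.14.4 defect class: the CN is copied into a buffer and
    handled with str* functions, so everything after the first NUL is lost."""
    return value.split(b"\x00", 1)[0]


def cn_matches_vulnerable(cn_tlv, expected_name):
    """Comparison on the truncated C-string view: a CN whose bytes are
    <expected> followed by NUL and anything else compares equal to <expected>."""
    seen = c_string_view(der_string_value(cn_tlv)).decode("ascii", "replace")
    return seen.lower() == expected_name.lower()


def cn_matches_fixed(cn_tlv, expected_name):
    """Hardened comparison: reject the CN outright when its DER length and its
    C-string length disagree (an embedded NUL), otherwise compare it in full.
    This models the behaviour the APAR describes for 8.14.4; it is not the
    actual sendmail code."""
    value = der_string_value(cn_tlv)
    if len(c_string_view(value)) != len(value):
        return False
    return value.decode("ascii", "replace").lower() == expected_name.lower()


# Constructed CN values: a well-formed name and one carrying an embedded NUL.
EXPECTED_NAME = "mailhost.example.com"
GOOD_CN_TLV = encode_cn(b"mailhost.example.com")
NUL_CN_TLV = encode_cn(b"mailhost.example.com\x00.other.example")


if __name__ == "__main__":
    for label, tlv in (("well-formed CN", GOOD_CN_TLV), ("CN with NUL", NUL_CN_TLV)):
        print(f"{label}: vulnerable={cn_matches_vulnerable(tlv, EXPECTED_NAME)}"
              f" fixed={cn_matches_fixed(tlv, EXPECTED_NAME)}")
```

The same length check applies to both cases the CVE text lists: the server-certificate CN a client compares against the host it meant to reach, and the client-certificate CN a server compares against an access restriction. In both, the defender's invariant is that the decoded DER value and the C-string view must have the same length before any name comparison is trusted.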

Temporary fix

Comments

  • 5300-08 - use AIX APAR IZ72834
    5300-09 - use AIX APAR IZ72835
    5300-10 - use AIX APAR IZ72836
    5300-11 - use AIX APAR IZ72837
    5300-12 - use AIX APAR IZ72526
    6100-01 - use AIX APAR IZ72528
    6100-02 - use AIX APAR IZ72515
    6100-03 - use AIX APAR IZ72510
    6100-04 - use AIX APAR IZ70637
    6100-05 - use AIX APAR IZ72539
    6100-06 - use AIX APAR IZ72602
    7100-00 - use AIX APAR IZ89860
    

APAR Information

  • APAR number

    IZ72539

  • Reported component name

    AIX 610 STD EDI

  • Reported component ID

    5765G6200

  • Reported release

    610

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Submitted date

    2010-03-09

  • Closed date

    2010-03-09

  • Last modified date

    2013-03-29

  • APAR is sysrouted FROM one or more of the following:

    IZ70637

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    AIX 610 STD EDI

  • Fixed component ID

    5765G6200

Applicable component levels

  • R610 PSY U825316

       UP10/04/19 I 1000

PTF to Fileset Mapping

Document information


More support for:

AIX Enterprise Edition

Software version:

610

Operating system(s):

AIX

Reference #:

IZ72539

Modified date:

2013-03-29
