IBM Support

IZ89860: SENDMAIL TLS SERVER VULNERABILITY CVE-2009-4565 APPLIES TO AIX 7100-00

A fix is available


APAR status

  • Closed as program error.

Error description

  • Ostensibly secure connections with a sendmail server
    enabled for TLS (i.e. the binary originally shipped
    and installed on AIX systems as /usr/sbin/sendmail_ssl)
    are vulnerable as described in Common Vulnerabilities
    and Exposures report CVE-2009-4565, quoted below.
    
    This applies to sendmail versions below 8.14.4. The
    version, and whether TLS support is compiled in, can be
    checked with the command
      /usr/sbin/sendmail -d0.10 < /dev/null
    
    by examining the list of "Compiled with" modules in its
    output for "STARTTLS". Whether the running binary is the
    one enabled for TLS can also be checked by looking for a
    "250 STARTTLS" line in the output of a connection to the
    sendmail server established in either of the following
    two ways:
    
     1) send "ehlo <your-domain-name>" followed by "quit"
        over a connection to the sendmail server host
        opened with:
        telnet <server-address>  smtp
     2) echo test | mail -v <username>@<server-address>
    
    CVE-2009-4565 notice:
    "sendmail before 8.14.4 does not properly handle a '\0'
    character in a Common Name (CN) field of an X.509
    certificate, which
    
    " (1) allows man-in-the-middle attackers to spoof
    arbitrary SSL-based SMTP servers via a crafted server
    certificate issued by a legitimate Certification
    Authority, and
    
    " (2) allows remote attackers to bypass intended access
    restrictions via a crafted client certificate issued by
    a legitimate Certification Authority," ...
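The two checks above (the "Compiled with" list from sendmail -d0.10 and the "250 STARTTLS" line in an EHLO exchange) can be scripted so an administrator gets a single verdict per host. The following is an added example, not part of the IBM APAR and not AIX-supplied code; the sendmail -d0.10 output and the EHLO transcript it parses are constructed samples, and the function names (sendmail_version, has_starttls_compiled, ehlo_advertises_starttls, banner_version, version_lt, affected) are this example's own. It also derives the version from the 220 greeting, which the APAR text does not describe, as a fallback when the local debug output is unavailable.

```shell
#!/bin/sh
# Added example (not from the IBM APAR): decide whether the CVE-2009-4565
# condition applies, i.e. sendmail below 8.14.4 with STARTTLS compiled in or
# advertised. Input is the text of `sendmail -d0.10` and an EHLO transcript.

# Constructed sample of `/usr/sbin/sendmail -d0.10 < /dev/null` output.
SAMPLE_D0='Version 8.13.4
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
		NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SCANF
		STARTTLS TCPWRAPPERS USERDB XDEBUG

============ SYSTEM IDENTITY (after readcf) ============
      (short domain name) $w = mailhost
  (canonical domain name) $j = mailhost.example.com
========================================================'

# Constructed sample of an "ehlo ... / quit" exchange captured with telnet.
SAMPLE_EHLO='220 mailhost.example.com ESMTP Sendmail 8.13.4/8.13.4; Tue, 30 Nov 2010 10:00:00 +0000
250-mailhost.example.com Hello client.example.com [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250 STARTTLS
221 2.0.0 mailhost.example.com closing connection'

# sendmail_version D0_OUTPUT -> prints the value of the "Version x.y.z" line
sendmail_version() {
    printf '%s\n' "$1" | awk '$1 == "Version" { print $2; exit }'
}

# banner_version TRANSCRIPT -> version from the "220 ... Sendmail x.y.z/..." greeting
banner_version() {
    printf '%s\n' "$1" | awk '$1 == "220" {
        for (i = 1; i < NF; i++)
            if ($i == "Sendmail") { v = $(i + 1); sub("/.*", "", v); print v; exit }
    }'
}

# has_starttls_compiled D0_OUTPUT -> exit 0 when STARTTLS is in the
# "Compiled with:" module list, which may continue on indented lines
# until the first blank line
has_starttls_compiled() {
    printf '%s\n' "$1" | awk '
        /^ *Compiled with:/ { inlist = 1 }
        inlist && NF == 0   { inlist = 0 }
        inlist { for (i = 1; i <= NF; i++) if ($i == "STARTTLS") found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# ehlo_advertises_starttls TRANSCRIPT -> exit 0 when the server sent
# "250 STARTTLS" (the "250-STARTTLS" continuation form is accepted too)
ehlo_advertises_starttls() {
    printf '%s\n' "$1" | grep -q '^250[ -]STARTTLS$'
}

# version_lt A B -> exit 0 when dotted version A is numerically lower than B
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal is not lower
    }'
}

# affected D0_OUTPUT TRANSCRIPT -> prints a verdict; exit 0 when the
# CVE-2009-4565 condition is met, 1 when it is not, 2 when undecidable
affected() {
    ver=$(sendmail_version "$1")
    [ -n "$ver" ] || ver=$(banner_version "$2")
    [ -n "$ver" ] || { echo "could not determine sendmail version"; return 2; }
    if ! version_lt "$ver" 8.14.4; then
        echo "sendmail $ver is 8.14.4 or later: CVE-2009-4565 does not apply"
        return 1
    fi
    if has_starttls_compiled "$1" || ehlo_advertises_starttls "$2"; then
        echo "sendmail $ver with STARTTLS: CVE-2009-4565 applies; apply the fix or switch to sendmail_nonssl"
        return 0
    fi
    echo "sendmail $ver without STARTTLS: CVE-2009-4565 does not apply"
    return 1
}

# Runs against the constructed samples. On a real host, replace them with
#   D0=$(/usr/sbin/sendmail -d0.10 < /dev/null 2>&1)
# and a saved transcript of the telnet/EHLO session.
affected "$SAMPLE_D0" "$SAMPLE_EHLO"
```

The version comparison is numeric per dotted field, so 8.9 sorts below 8.14.4; a plain string comparison would get that wrong. STARTTLS is treated as enabled if either source says so, because a host may run sendmail_ssl even when only the remote transcript is at hand.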
    

Local fix

  • The vulnerability does not apply if TLS is not being
    supported. Switching to sendmail_nonssl would prevent
    a false assumption of a secure connection.
    

Problem summary

  • Secure connections with a sendmail server
    enabled for TLS (i.e. the binary originally shipped
    and installed on AIX systems as /usr/sbin/sendmail_ssl)
    are vulnerable as described in Common Vulnerabilities
    and Exposures report CVE-2009-4565
    

Problem conclusion

  • Code is modified to correctly handle the '\0' character in
    the Common Name (CN) field of an X.509 certificate.
    

Temporary fix

  • 710
    

Comments

APAR Information

  • APAR number

    IZ89860

  • Reported component name

    AIX V7.1

  • Reported component ID

    5765H4000

  • Reported release

    710

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Submitted date

    2010-11-30

  • Closed date

    2010-11-30

  • Last modified date

    2013-03-29

  • APAR is sysrouted FROM one or more of the following:

    IZ70637

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    AIX V7.1

  • Fixed component ID

    5765H4000

Applicable component levels

  • R710 PSY U833143

       UP11/05/11 I 1000

PTF to Fileset Mapping


Document Information

Modified date:
29 March 2013