Solved

Fixing a commercial sendmail vulnerabilities

Posted on 2015-02-12
9
347 Views
Last Modified: 2015-02-28
Our VA scan reported the following vulnerabilities on our 'commercial-version'
of sendmail.  I guess it's commercial as a developer put in a GUI interface for
whitelisting/blacklisting but the underlying sendmail should still be there.

Attached Excel is the detailed sanitized scan results.

Which file do I edit or what changes do I need to make to address the
vulnerabilities below?   (pls include every command step by step including
restarting the sendmail service to make it effective) :

If a patch is needed, kindly provide the url to download the patch.  I'm
running on RHES 5.x

SSL/TLS Cipher Suite Detect Anonymous/NULL Ciphers
SSL/TLS SSLv2 Detection
SSL/TLS MD5 Algorithm Certificate Signature Weakness
SSL/TLS SSLv3 CBC-mode Ciphers Fallback MitM Remote Cleartext Information
      Disclosure aka "POODLE"
SSL/TLS Cipher Suite Detect MD5
SSL/TLS Weak and Export Ciphers Detected
SSL/TLS Renegotiation Handshakes Man-in-the-Middle Plaintext Data Injection
OpenSSL: Crafted Handshake Weak Keying Material Rollback MitM Weakness
M-smtp-va.xlsx
0
Comment
Question by:sunhux
  • 4
  • 2
  • 2
  • +1
9 Comments
 

Author Comment

by:sunhux
Comment Utility
The version of the underlying sendmail:

# more VERSION
2.1.7
# pwd
/usr/local/sendmail/smflow

# Copyright(c) 2002, 2003, 2005, 2006 Sendmail, Inc. and its suppliers.
#       All rights reserved.
# $Id: sendmail,v 1.16 2007/06/07 01:25:23 epaull Exp $

# chkconfig: 2345 80 30
# description: Sendmail is a Mail Transport Agent, which is the program \
#              that moves mail from one machine to another.

===================some info fr the logs ======================

# grep -i version maillog
Feb  8 14:26:09 xxx sm-mta[14430]: STARTTLS=client, relay=mail.s50.au.,
   version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Feb  8 14:26:25 xxx sm-mta[14689]: STARTTLS=client, relay=smtp3.hp.com.,
   version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Feb  8 14:26:32 xxx sm-mta[14796]: STARTTLS=client, relay=gmail-smtp-in.l.google.com.,
   version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128

=========================================

# find . -name *conf -print
./smflow-2.1/etc/snortsam.conf
./pgsql-1.0/conf
./mm-3.0/.install4j/i4jparams.conf
./smconsole-1.0/licenses/os/autoconf
./smadmin-3.3/monitor/conf
./smadmin-3.3/monitor/perconf
./smadmin-3.3/monitor/perconf/snmp.conf
./smadmin-3.3/apache/conf
./smadmin-3.3/apache/conf/httpd.conf
./smadmin-3.3/etc/cluster-fc.conf
./smadmin-3.3/etc/cluster-query.conf
./smadmin-3.3/etc/cluster-deploy.conf
./smmta-8.14/contrib/movemail.conf
./smmta-8.14/lib/sasl2/Sendmail.conf
[root@mvlsmtp01 sendmail]# pwd
/usr/local/sendmail

# more Sendmail.conf
pwcheck_method: auxprop
sasldb_path: /etc/mail/sasldb2
# pwd
/usr/local/sendmail/smmta-8.14/lib/sasl2


# service sendmail status
sendmail: status not implemented
# service sendmail
Starting sendmail MTA
sendmail MSP queue runner is already running
# service sendmail stat
Usage: sendmail {start|stop|restart}
       sendmail {start-mta|stop-mta|restart-mta}
       sendmail {start-mspq|stop-mspq|restart-mspq}
0
 
LVL 78

Accepted Solution

by:
David Johnson, CD, MVP earned 175 total points
Comment Utility
Put the following lines in your sendmail.mc configuration file, in the LOCAL_CONFIG section:
LOCAL_CONFIG
O CipherList=HIGH
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

Then restart the sendmail server (sudo service sendmail restart).
http://bit.ly/1DLg2Cd
0
 

Author Comment

by:sunhux
Comment Utility
In which folder sendmail.mc located?
0
 
LVL 13

Assisted Solution

by:kenfcamp
kenfcamp earned 100 total points
Comment Utility
0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 

Author Comment

by:sunhux
Comment Utility
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-email-mta.html#s2-email-mta-sendmail

the above link mentions not to edit /etc/mail/sendmail.cf directly.
Is there any harm if I do so?
0
 
LVL 13

Expert Comment

by:kenfcamp
Comment Utility
You could, "if you're careful", but it's much easier (and standard practice) to modify the sendmail.mc file and rebuild the cf file.

Remember to make a backup of the file(s) prior to modifying them. This way you'll be able to return to your previous state should there be issues w/ your configuration.

After implementing the new sendmail.cf file (built or modified), you will also need to restart your sendmail service
0
 

Author Comment

by:sunhux
Comment Utility
Just one last query / clarification:

LOCAL_CONFIG
O CipherList=HIGH
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

Does the suggestion given by David Johnson above addresses all the reported vulnerabilities (reposted below) ?

SSL/TLS Cipher Suite Detect Anonymous/NULL Ciphers
SSL/TLS SSLv2 Detection
SSL/TLS MD5 Algorithm Certificate Signature Weakness
SSL/TLS SSLv3 CBC-mode Ciphers Fallback MitM Remote Cleartext Information
      Disclosure aka "POODLE"
SSL/TLS Cipher Suite Detect MD5
SSL/TLS Weak and Export Ciphers Detected
SSL/TLS Renegotiation Handshakes Man-in-the-Middle Plaintext Data Injection
OpenSSL: Crafted Handshake Weak Keying Material Rollback MitM Weakness
0
 
LVL 61

Assisted Solution

by:btan
btan earned 225 total points
Comment Utility
In fact RH has a post to disable SSLv3 for Sendmail, (too bad) I did  not register to see it
https://access.redhat.com/solutions/1277743
in fact since Poodle is a protocol issue, the only means is disable it as in the commands shared already into the config. IN this case, it disallow SSL v3 and SSLv2, including the weak hash
CipherList=HIGH tells sendmail to only negotiate with ciphers that are categorized as “high” according to OpenSSL (which currently means cipher suites with key lengths larger than 128 bits and some cipher suites with 128-bit keys). Since these are always changing, it’s best to check directly with openssl documentation/resources on that.

ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE disables SSLv2, SSLv3, and tells openssl/sendmail to use the server’s preferences instead of the client preferences when choosing a cipher.

ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 is pretty much the same as above — don’t use SSLv2 or SSLv3 — but this time, it’s referring to client connections (outbound).
http://mikeberggren.com/post/101178147946/sendmail-sslv3

Just a note, you may even want to be specific on certain cipher and hash aglo for the "CipherList=" field using this Openssl ref for the appending the configuration string. I do suggest to explicitly exclude !RC4-SHA:!RC4-MD5 where possible as likely they are still include in HIGH cipher (128bits and above, you can check out in the SSLv3 support listing in openssl link)
https://www.openssl.org/docs/apps/ciphers.html
0
 
LVL 61

Assisted Solution

by:btan
btan earned 225 total points
Comment Utility
We can still stay with above discussed ...you can further test with s_client(1) this way should work:
e.g. openssl s_client -connect mailhost:25 -starttls smtp -ssl3

This should result in rejected connection if your mail server is configured correctly. But thought to further share as stated in this blog http://www.michaelm.info/blog/?p=1256, that one reader highlighted
“. Note that the current version of Sendmail does not have support for OpenSSL’s SSL_OP_NO_TLS_v1_1 nor for SSL_OP_NO_TLSv1_2. These two could be quite useful and I have submitted a patch to Sendmail for these to be included.”
Subsequently, the author (at hat pt of article is sendmail-8.14.7) submitted two patches configuration and they worked from reader feedback
http://www.michaelm.info/blog/?attachment_id=1288
http://www.michaelm.info/blog/?attachment_id=1289

And further there is one for sendmail with ECDHE (why - with OpenSSL 1.0.1e. Google selects ECDHE-RSA-RC4-SHA for inbound mail) http://diario.beerensalat.info/2013/09/15/harden_your_servers.html
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Article by: btan
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
Read about achieving the basic levels of HRIS security in the workplace.
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now