Solved

Fixing a commercial sendmail vulnerabilities

Posted on 2015-02-12
9
361 Views
Last Modified: 2015-02-28
Our VA scan reported the following vulnerabilities on our 'commercial-version'
of sendmail.  I guess it's commercial as a developer put in a GUI interface for
whitelisting/blacklisting but the underlying sendmail should still be there.

Attached Excel is the detailed sanitized scan results.

Which file do I edit or what changes do I need to make to address the
vulnerabilities below?   (pls include every command step by step including
restarting the sendmail service to make it effective) :

If a patch is needed, kindly provide the url to download the patch.  I'm
running on RHES 5.x

SSL/TLS Cipher Suite Detect Anonymous/NULL Ciphers
SSL/TLS SSLv2 Detection
SSL/TLS MD5 Algorithm Certificate Signature Weakness
SSL/TLS SSLv3 CBC-mode Ciphers Fallback MitM Remote Cleartext Information
      Disclosure aka "POODLE"
SSL/TLS Cipher Suite Detect MD5
SSL/TLS Weak and Export Ciphers Detected
SSL/TLS Renegotiation Handshakes Man-in-the-Middle Plaintext Data Injection
OpenSSL: Crafted Handshake Weak Keying Material Rollback MitM Weakness
M-smtp-va.xlsx
0
Comment
Question by:sunhux
  • 4
  • 2
  • 2
  • +1
9 Comments
 

Author Comment

by:sunhux
ID: 40605399
The version of the underlying sendmail:

# more VERSION
2.1.7
# pwd
/usr/local/sendmail/smflow

# Copyright(c) 2002, 2003, 2005, 2006 Sendmail, Inc. and its suppliers.
#       All rights reserved.
# $Id: sendmail,v 1.16 2007/06/07 01:25:23 epaull Exp $

# chkconfig: 2345 80 30
# description: Sendmail is a Mail Transport Agent, which is the program \
#              that moves mail from one machine to another.

===================some info fr the logs ======================

# grep -i version maillog
Feb  8 14:26:09 xxx sm-mta[14430]: STARTTLS=client, relay=mail.s50.au.,
   version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Feb  8 14:26:25 xxx sm-mta[14689]: STARTTLS=client, relay=smtp3.hp.com.,
   version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Feb  8 14:26:32 xxx sm-mta[14796]: STARTTLS=client, relay=gmail-smtp-in.l.google.com.,
   version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128

=========================================

# find . -name *conf -print
./smflow-2.1/etc/snortsam.conf
./pgsql-1.0/conf
./mm-3.0/.install4j/i4jparams.conf
./smconsole-1.0/licenses/os/autoconf
./smadmin-3.3/monitor/conf
./smadmin-3.3/monitor/perconf
./smadmin-3.3/monitor/perconf/snmp.conf
./smadmin-3.3/apache/conf
./smadmin-3.3/apache/conf/httpd.conf
./smadmin-3.3/etc/cluster-fc.conf
./smadmin-3.3/etc/cluster-query.conf
./smadmin-3.3/etc/cluster-deploy.conf
./smmta-8.14/contrib/movemail.conf
./smmta-8.14/lib/sasl2/Sendmail.conf
[root@mvlsmtp01 sendmail]# pwd
/usr/local/sendmail

# more Sendmail.conf
pwcheck_method: auxprop
sasldb_path: /etc/mail/sasldb2
# pwd
/usr/local/sendmail/smmta-8.14/lib/sasl2


# service sendmail status
sendmail: status not implemented
# service sendmail
Starting sendmail MTA
sendmail MSP queue runner is already running
# service sendmail stat
Usage: sendmail {start|stop|restart}
       sendmail {start-mta|stop-mta|restart-mta}
       sendmail {start-mspq|stop-mspq|restart-mspq}
0
 
LVL 79

Accepted Solution

by:
David Johnson, CD, MVP earned 175 total points
ID: 40607074
Put the following lines in your sendmail.mc configuration file, in the LOCAL_CONFIG section:
LOCAL_CONFIG
O CipherList=HIGH
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

Then restart the sendmail server (sudo service sendmail restart).
http://bit.ly/1DLg2Cd
0
 

Author Comment

by:sunhux
ID: 40607188
In which folder sendmail.mc located?
0
Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

 
LVL 14

Assisted Solution

by:kenfcamp
kenfcamp earned 100 total points
ID: 40607327
0
 

Author Comment

by:sunhux
ID: 40607361
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-email-mta.html#s2-email-mta-sendmail

the above link mentions not to edit /etc/mail/sendmail.cf directly.
Is there any harm if I do so?
0
 
LVL 14

Expert Comment

by:kenfcamp
ID: 40607706
You could, "if you're careful", but it's much easier (and standard practice) to modify the sendmail.mc file and rebuild the cf file.

Remember to make a backup of the file(s) prior to modifying them. This way you'll be able to return to your previous state should there be issues w/ your configuration.

After implementing the new sendmail.cf file (built or modified), you will also need to restart your sendmail service
0
 

Author Comment

by:sunhux
ID: 40609373
Just one last query / clarification:

LOCAL_CONFIG
O CipherList=HIGH
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

Does the suggestion given by David Johnson above addresses all the reported vulnerabilities (reposted below) ?

SSL/TLS Cipher Suite Detect Anonymous/NULL Ciphers
SSL/TLS SSLv2 Detection
SSL/TLS MD5 Algorithm Certificate Signature Weakness
SSL/TLS SSLv3 CBC-mode Ciphers Fallback MitM Remote Cleartext Information
      Disclosure aka "POODLE"
SSL/TLS Cipher Suite Detect MD5
SSL/TLS Weak and Export Ciphers Detected
SSL/TLS Renegotiation Handshakes Man-in-the-Middle Plaintext Data Injection
OpenSSL: Crafted Handshake Weak Keying Material Rollback MitM Weakness
0
 
LVL 62

Assisted Solution

by:btan
btan earned 225 total points
ID: 40609443
In fact RH has a post to disable SSLv3 for Sendmail, (too bad) I did  not register to see it
https://access.redhat.com/solutions/1277743
in fact since Poodle is a protocol issue, the only means is disable it as in the commands shared already into the config. IN this case, it disallow SSL v3 and SSLv2, including the weak hash
CipherList=HIGH tells sendmail to only negotiate with ciphers that are categorized as “high” according to OpenSSL (which currently means cipher suites with key lengths larger than 128 bits and some cipher suites with 128-bit keys). Since these are always changing, it’s best to check directly with openssl documentation/resources on that.

ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE disables SSLv2, SSLv3, and tells openssl/sendmail to use the server’s preferences instead of the client preferences when choosing a cipher.

ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 is pretty much the same as above — don’t use SSLv2 or SSLv3 — but this time, it’s referring to client connections (outbound).
http://mikeberggren.com/post/101178147946/sendmail-sslv3

Just a note, you may even want to be specific on certain cipher and hash aglo for the "CipherList=" field using this Openssl ref for the appending the configuration string. I do suggest to explicitly exclude !RC4-SHA:!RC4-MD5 where possible as likely they are still include in HIGH cipher (128bits and above, you can check out in the SSLv3 support listing in openssl link)
https://www.openssl.org/docs/apps/ciphers.html
0
 
LVL 62

Assisted Solution

by:btan
btan earned 225 total points
ID: 40609466
We can still stay with above discussed ...you can further test with s_client(1) this way should work:
e.g. openssl s_client -connect mailhost:25 -starttls smtp -ssl3

This should result in rejected connection if your mail server is configured correctly. But thought to further share as stated in this blog http://www.michaelm.info/blog/?p=1256, that one reader highlighted
“. Note that the current version of Sendmail does not have support for OpenSSL’s SSL_OP_NO_TLS_v1_1 nor for SSL_OP_NO_TLSv1_2. These two could be quite useful and I have submitted a patch to Sendmail for these to be included.”
Subsequently, the author (at hat pt of article is sendmail-8.14.7) submitted two patches configuration and they worked from reader feedback
http://www.michaelm.info/blog/?attachment_id=1288
http://www.michaelm.info/blog/?attachment_id=1289

And further there is one for sendmail with ECDHE (why - with OpenSSL 1.0.1e. Google selects ECDHE-RSA-RC4-SHA for inbound mail) http://diario.beerensalat.info/2013/09/15/harden_your_servers.html
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Local Continuous Replication is a cost effective and quick way of backing up Exchange server data. The following article describes the steps required to configure Local Continuous Replication. Also, the article tells you how to restore from a backup…
As tax season makes its return, so does the increase in cyber crime and tax refund phishing that comes with it
In this video we show how to create an Address List in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Organization >> Ad…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…

815 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now