csg@pyramid.pyramid.com (Carl S. Gutekunst) (11/20/88)
>>It's probably in the past enough to wonder what the h&%$ SUN and other vendors
>>like Mt. XINU were *thinking of* when they went into the Makefiles and enabled
>>the known security risk of sendmail debug mode.

>They *didn't* "[go] into the Makefiles and enable ... sendmail debug mode"....
>The 4.3BSD sendmail comes ... with DEBUG defined as "1" in "conf.h"....

But besides all that, sendmail DEBUG mode is extremely useful to the mail administrator. It is a *big* help when mail is going awry. The problem is not "DEBUG mode is a security hole," rather "DEBUG mode had security holes in it."

Since I maintain Pyramid's sendmail (honest, MX records will be in the *next* OSx release :-)), security holes in sendmail are a personal embarrassment to me. I looked at DEBUG mode years ago, decided it was more useful than hazardous, and left it in. I completely missed the fact that it allowed any user to mail to a pipe (*blush*). Even had I noticed it, I cannot honestly say I would have immediately recognized the security hole it created. (Hindsight is 20/20, and all that.)

Now that this hole has been so obviously exposed, all the UNIX vendors I have talked with are doing essentially the same thing: out on a rampage, looking for all kinds of other ways to blow up sendmail, then sharing the results and fixes on Spaf's worm mailing list. (Paul Vixie at DEC and Barry Shien at Encore have been terrific.) We found several more serious bugs, as well as at least three ways to propagate the worm over UUCP (not even counting Peter Honeyman's stuff). The sharing of information has been very positive, and I am highly confident that every one of the participating vendors (including Sun, OK?) will have all these fixes incorporated as soon as they possibly can.

To accuse the vendors of negligence for leaving such "blatant" security holes around is pretty weak. The Internet protocols, like any network, have a lot of security holes. Vendors feel obligated to close these as much as they can, but there are only so many that can be closed per unit time. The more obscure the bug, the more likely it is to wait while more hazardous holes are fixed. The sendmail DEBUG holes are no longer obscure, and so now are being fixed, ahead of other holes.

Incidentally, I'd like to reinforce Barry's observations about how UNIX did much more to cure the worm than to propagate it. Here we have engineers from AT&T, DEC, Encore, Pyramid, and Sun -- most of which are direct competitors -- sharing notes on how to solve the problem. What other environment besides UNIX fosters such cooperation?

<csg>
jr@amanue.UUCP (Jim Rosenberg) (11/24/88)
In article <47851@pyramid.pyramid.com> csg@pyramid.pyramid.com (Carl S. Gutekunst) writes:
>We found several more serious bugs, as well as at
>least three ways to propagate the worm over UUCP (not even counting Peter
>Honeyman's stuff).

Oh good!! Just a flipping *LOVELY* Thanksgiving present *THIS* is! Now would you mind telling us how us binary-only licensees not on spaf's magic list will find out how to protect ourselves against *THIS* one? Please don't forget that not everyone runs HDB & not everyone has a box where the vendor even provides an upgrade to HDB. Please don't forget that there are *THOUSANDS* of sites running some form of UNIX on very small or personal computers where the system administrator is a decent citizen deserving of entry to the information about plugging holes but who might well not qualify for security mailing lists. (A few crackers have their own private Xenix box too, no doubt, alas.)

-- 
Jim Rosenberg                              CIS: 71515,124
     decvax!idis! \                        WELL: jer
      allegra!     ---- pitt!amanue!jr     BIX: jrosenberg
     uunet!cmcl2!cadre! /
whh@pbhya.PacBell.COM (Wilson Heydt) (11/25/88)
In article <432@amanue.UUCP>, jr@amanue.UUCP (Jim Rosenberg) writes:
>
> Oh good!! Just a flipping *LOVELY* Thanksgiving present *THIS* is! Now would
> you mind telling us how us binary-only licensees not on spaf's magic list will
> find out how to protect ourselves against *THIS* one? Please don't forget that
> not everyone runs HDB & not everyone has a box where the vendor even provides
> an upgrade to HDB. Please don't forget that there are *THOUSANDS* of sites
> running some form of UNIX on very small or personal computers where the system
> administrator is a decent citizen deserving of entry to the information about
> plugging holes but who might well not qualify for security mailing lists. (A
> few crackers have their own private Xenix box too, no doubt, alas.)

*This* person who runs a small, home, site also has access to the net thru his job--so at least I know what's going on. That's the good news. The bad news is that the machine is orphaned. Runs *very* well (for what it is), but there have been no new releases for the last 3 years--nor, so far as I know--will there ever be.

What do *I* do?

--Hal

=========================================================================
Hal Heydt                        |  "Hafnium plus Holmium is
Analyst, Pacific*Bell            |   one-point-five, I think."
415-645-7708                     |            --Dr. Jane Robinson
{att,bellcore,sun,ames,pyramid}!pacbell!pbhya!whh