From: Chuck Swiger
Date: Fri, 24 Mar 2006 08:56:55 -0500
To: Ruslan Ermilov
Cc: Dmitry Pryanishnikov, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-06:13.sendmail

Ruslan Ermilov wrote:
> On Thu, Mar 23, 2006 at 10:44:05AM +0200, Dmitry Pryanishnikov wrote:
[ ... ]
>> This doesn't change sendmail's identification string - it's still "8.13.1"
>> on RELENG_4_11, which makes detection of unpatched systems more difficult
>> to sysadmin. Wouldn't be wise to add, say, "-p1" to this string in
>> version.c?
>>
> It depends on what you think about whether it's good or not
> that it's undetectable. I prefer it to be not-detectable.

Previous sendmail-based exploits involved hosts being compromised by
automated worms which try their attacks against every IP they can talk to
on the SMTP port, regardless of version number information displayed, or by
malicious email which exploited MIME header string buffer problems, a
mechanism which also paid no attention to the SMTP banner version info.

If someone wants to conceal the sendmail version info, there are mechanisms
in place to do so which solve that problem more effectively. If you don't
want the sendmail version numbers to appear in the banner on port 25, the
better solution is to add this to your sendmail.mc file:

define(`confSMTP_LOGIN_MSG', `$j Sendmail; $b; no UCE; C=US, L=NY.')dnl

[ Adjust region, country code, and SMTP policy to suit your local needs. ]

If you also want to conceal version information in the mail headers, either
override the values of the $v and $Z macros, which are typically set like so:

# Configuration version number
DZ8.13.6

...or override the Received: header line being generated by changing this:

HReceived: $?sfrom $s $.$?_($?s$|from $.$_)
        $.$?{auth_type}(authenticated$?{auth_ssf} bits=${auth_ssf}$.)
        $.by $j ($v/$Z)$?r with $r$. id $i$?{tls_version}
                ^^^^^^^

I would like the output of "sendmail -d0.1" to correctly indicate what the
version actually is so I can track it, even if I felt it appropriate or
necessary to conceal that information from non-local users.
--
-Chuck

PS: I very much wish that software would not attempt to conceal which
version it actually is, because that fosters absurd situations like web
browser User-agent strings ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1; SV1; .NET CLR 1.1.4322)"). That version string is obscure all right,
but hardly secure.
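
Added example, not part of the original message or of sendmail itself: a small audit that reports whether a generated sendmail.cf still exposes the $v/$Z version macros in the SMTP banner or the Received: header, while leaving the DZ value readable for local tracking. It assumes the banner appears as an `O SmtpGreetingMessage=` line (what confSMTP_LOGIN_MSG expands to); the sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample sendmail.cf fragment (not taken from a real host).
SAMPLE_CF = """\
# Configuration version number
DZ8.13.6
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
HReceived: $?sfrom $s $.$?_($?s$|from $.$_)
\t$.$?{auth_type}(authenticated$?{auth_ssf} bits=${auth_ssf}$.)
\t$.by $j ($v/$Z)$?r with $r$. id $i
"""

# The same fragment after the two changes described in the message:
# the custom login message, and ($v/$Z) removed from the Received: template.
HARDENED_CF = (SAMPLE_CF
               .replace(" Sendmail $v/$Z; $b",
                        " Sendmail; $b; no UCE; C=US, L=NY.")
               .replace(" ($v/$Z)", ""))

# $v (sendmail version) and $Z (configuration version) are one-letter macros.
VERSION_MACRO = re.compile(r"\$[vZ]")

def logical_lines(cf_text):
    """Drop comments and fold continuation lines (leading space or tab)."""
    out = []
    for raw in cf_text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.rstrip())
    return out

def version_disclosure(cf_text):
    """Report where version macros are exposed to remote parties."""
    report = {"banner": False, "received": False, "Z": None}
    for line in logical_lines(cf_text):
        if line.startswith("DZ"):
            report["Z"] = line[2:]  # still visible to the local admin
        elif line.startswith("O SmtpGreetingMessage="):
            report["banner"] = bool(VERSION_MACRO.search(line))
        elif line.startswith("HReceived:"):
            report["received"] = bool(VERSION_MACRO.search(line))
    return report

if __name__ == "__main__":
    print("default :", version_disclosure(SAMPLE_CF))
    print("hardened:", version_disclosure(HARDENED_CF))
```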