Red Hat Bugzilla – Bug 171838
CVE-2006-7176 sendmail allows external mail with from address xxx@localhost.localdomain
Last modified: 2007-11-30 17:07:21 EST
Description of problem: When an external SMTP session is established, and an address of "xxx@localhost.localdomain" is specified on the MAIL FROM: line, sendmail blindly accepts this as valid. Note that "xxx@localhost" is rejected by sendmail. Version-Release number of selected component (if applicable): sendmail-8.13.1-2 How reproducible: Always Steps to Reproduce: 1. from a remote host, telnet host 25 2. EHLO foobar.redhat.com 3. MAIL FROM: <xxx@localhost.localdomain> Actual results: 220 vaccine1.NoDak.edu ESMTP Sendmail 8.13.1/8.13.1; Wed, 26 Oct 2005 16:17:42 - 0500 EHLO nate.cc.ndsu.nodak.edu 250-vaccine1.NoDak.edu Hello nate.cc.ndsu.NoDak.edu [134.129.106.131], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 26214400 250-DSN 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 250-DELIVERBY 250 HELP MAIL FROM: root@localhost 553 5.5.4 root@localhost... Real domain name required for sender address MAIL FROM: root@localhost.localdomain 250 2.1.0 root@localhost.localdomain... Sender ok Expected results: 220 vaccine1.NoDak.edu ESMTP Sendmail 8.13.1/8.13.1; Wed, 26 Oct 2005 16:17:42 - 0500 EHLO nate.cc.ndsu.nodak.edu 250-vaccine1.NoDak.edu Hello nate.cc.ndsu.NoDak.edu [134.129.106.131], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 26214400 250-DSN 250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 250-DELIVERBY 250 HELP MAIL FROM: root@localhost 553 5.5.4 root@localhost... Real domain name required for sender address MAIL FROM: root@localhost.localdomain 553 5.5.4 root@localhost.localdomain... Real domain name required for sender address Additional info: In /etc/mail/sendmail.cf, checks are made for various "localhost" addresses. "localhost.localdomain" is missing: # handle case of @localhost on address R<@> < $* @ localhost > $: < ? $&{client_name} > < $1 @ localhost > The following line wants adding to this: R<@> < $* @ localhost.localdomain > $: < ? $&{client_name} > < $1 @ localhost.localdomain > Note that localhost.localdomain still remains valid for local use, but not for remote SMTP use.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
I'm having a hard time understanding how this is a security vulnerability. What can be gained by sending mail as root@localhost.localdomain?
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0252.html