#VU67946 Security features bypass in Sendmail
Published: October 5, 2022
Sendmail
Proofpoint
Description
The vulnerability allows a remote attacker to disable TLS encryption.
The vulnerability exists due to an error related to SMTP session reuse. If sendmail tries to reuse an SMTP session that the server has already closed, the connection cache can hold invalid information about the session. As a result, STARTTLS is never used for the new session, even if offered by the peer.
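The failure mode described above can be shown with a simplified model of a connection cache. This is an added example, not sendmail source code; every name in it is hypothetical, and it assumes the invalid cached information is a "TLS already active" flag that survives the reconnect. The hardened path resets the whole cache entry when a closed session is found.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, NOT sendmail source. All names are hypothetical. */
struct peer  { bool open, offers_starttls, tls; };  /* server side of one TCP session */
struct entry { bool connected, tls_active; };       /* client's cached view of the peer */

/* Open a fresh session and negotiate STARTTLS unless the cache entry
 * claims TLS is already active (the assumed stale flag). */
static void smtp_open(struct entry *e, struct peer *p) {
    p->open = true;
    p->tls = false;               /* a new TCP session always starts in plaintext */
    e->connected = true;
    if (p->offers_starttls && !e->tls_active) {
        p->tls = true;            /* STARTTLS handshake done */
        e->tls_active = true;
    }
}

/* Deliver one message; returns true if it travelled over TLS. */
static bool deliver(struct entry *e, struct peer *p, bool reset_on_dead) {
    if (e->connected && !p->open) {       /* cached session was closed by the server */
        if (reset_on_dead)
            memset(e, 0, sizeof *e);      /* hardened: discard all stale state */
        else
            e->connected = false;         /* flawed: tls_active survives */
    }
    if (!e->connected)
        smtp_open(e, p);
    return p->tls;
}

/* Scenario: deliver, server closes the idle session, deliver again. */
static bool second_delivery_uses_tls(bool reset_on_dead) {
    struct peer p = { false, true, false };
    struct entry e = { false, false };
    deliver(&e, &p, reset_on_dead);
    p.open = false;                       /* server drops the session */
    return deliver(&e, &p, reset_on_dead);
}

int main(void) {
    printf("stale cache entry:  TLS on 2nd delivery = %d\n", second_delivery_uses_tls(false));
    printf("entry reset on EOF: TLS on 2nd delivery = %d\n", second_delivery_uses_tls(true));
    return 0;
}
```

In the model the peer offers STARTTLS both times, so the only difference between the two runs is whether the cached state is cleared before reconnecting.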