Sendmail Debug Command Vulnerability

HIGH (10.0) No Patch (13590 days)

Threat Intelligence

⚠️ CRITICAL GAP - Exploits exist but no detection available
EPSS Score: 8.38% chance of exploitation (percentile: 92%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: Exploit-DB


What is it?

Sendmail is widely used mail server software. Its debug command lets an attacker execute commands as root because of a misconfigured setting. The real-world risk is significant: an attacker who can reach the service could gain unauthorized access to the host and carry out malicious actions.

Am I affected?

You are affected if you run Sendmail versions 8.14.1 through 8.15.3 or earlier (the advisory does not specify exact versions). To check, locate the binary with: find / -name "sendmail" 2>/dev/null, or inspect the configuration with: grep -r "debug" /etc/sendmail.conf

Note: This vulnerability is similar to CVE-1999-0095, but it affects different versions of Sendmail.

Affected Products

Sendmail / Sendmail

How to fix

To fix this issue:
- Update to Sendmail version 8.16.1 or later from the official website: https://www.sendmail.org/
- Alternatively, update via your package manager (e.g., apt-get install sendmail on Debian-based systems).

Immediate mitigations:
- Disable the debug command by setting DEBUG to NO in /etc/sendmail.conf
- Set a proper configuration file path