| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 8.0 | $0-$5k | 0.00 |
A vulnerability has been found in Eric Allman Sendmail (Mail Server Software) (affected version not known) and classified as critical. This vulnerability affects some unknown functionality of the component WIZ Command. The manipulation with an unknown input leads to a privileges management vulnerability. The CWE definition for the vulnerability is CWE-269. The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:
sendmail wiz command enabled allowing root access.
The weakness was released 09/30/1993 as CA-1990-11 as confirmed advisory (CERT.org). The advisory is available at cert.org. This vulnerability was named CVE-1999-0145. Local access is required to approach this attack. No form of authentication is required for a successful exploitation. The technical details are unknown and an exploit is not available. The structure of the vulnerability defines a possible price range of USD $0-$5k at the moment (estimation calculated on 06/23/2021). This vulnerability is assigned to T1068 by the MITRE ATT&CK project. This vulnerability has a historic impact due to its background and reception.
As 0-day the estimated underground price was around $25k-$100k. The vulnerability scanner Nessus provides a plugin with the ID 10247 (Sendmail DEBUG/WIZ Remote Command Execution), which helps to determine the existence of the flaw in a target environment. It is assigned to the family SMTP problems.
Upgrading eliminates this vulnerability.
The vulnerability is also documented in the databases at X-Force (131) and Tenable (10247). Additional details are provided at cert.org. Entry connected to this vulnerability is available at 13611.
Product
Type
Vendor
Name
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 8.4VulDB Meta Temp Score: 8.0
VulDB Base Score: 8.4
VulDB Temp Score: 8.0
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Privileges managementCWE: CWE-269 / CWE-266
ATT&CK: T1068
Local: Yes
Remote: No
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | unlock | unlock | unlock | unlock |
|---|---|---|---|---|
| Today | unlock | unlock | unlock | unlock |
Nessus ID: 10247
Nessus Name: Sendmail DEBUG/WIZ Remote Command Execution
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
OpenVAS ID: 16024
OpenVAS Name: Sendmail WIZ
OpenVAS File: 🔍
OpenVAS Family: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
McAfee IPS: 🔍
McAfee IPS Version: 🔍
ISS Proventia IPS: 🔍
Timeline
09/30/1993 🔍09/30/1993 🔍
09/30/1993 🔍
01/19/2003 🔍
06/17/2014 🔍
06/23/2021 🔍
Sources
Advisory: CA-1990-11Status: Confirmed
CVE: CVE-1999-0145 (🔍)
X-Force: 131
Vulnerability Center: 660 - Sendmail WIZ Default Configuration Allows Root Access, High
SecurityFocus: 2897
Misc.: 🔍
See also: 🔍
Entry
Created: 06/17/2014 12:51Updated: 06/23/2021 01:13
Changes: 06/17/2014 12:51 (63), 07/03/2017 09:11 (9), 06/23/2021 01:13 (3)
Complete: 🔍
The information about the advisory is confusing. Release date is 09/30/1993 but the advisory is from 1990 (CA-1999-11). The 1990 advisory for sendmail was CA-1990-01, although it is not available in the document (WTF what does CERT do?!) see here: https://resources.sei.cmu.edu/asset_files/whitepaper/1999_019_001_496240.pdf
Also, any "historical" CERT advisories are now available at https://resources.sei.cmu.edu/library/results.cfm, meaning links to advisories like CA-1990-11 or CA-1990-01 in VULDB do not work anymore.
A detailed technical documentation of the vulnerability can be found here: http://securitydigest.org/unix/archive/010 (however confusing because that means WIZ was known since 1985)
*** CVSS2 Score ***
I don't understand why some sources gave this vulnerability the AV:L that VULDB has also scored. The attack seemed to be possible via network. My understanding is that WIZ and DEBUG both have the same impact and sendmail DEBUG was used by MORRIS WORM in 1988. Very confusing is it when reviewing multiple sources. For example OPENVAS (OPENVAS:136141256231016024 => https://vulners.com/openvas/OPENVAS:136141256231016024) does attribute AV:L but then writes in the description that it allows a remote attacker to spawn a shell (I'm not sure about the attributed root access, I believe it will spawn a shell on the user that runs sendmail only). Also the script itself looks like it would perform a network-based check. Hence, I would follow Tenable and score this a 10 with AV:N.
*** VULNERABLE VERSION ***
According to https://vulners.com/cve/CVE-1999-0095
Version 5.58 or below. However, I tried to find the source code for 5.58 but couldn't and according to Wikipedia there was never a version below sendmail 8 (?!)