IT departments suffered two serious vulnerabilities in enterprise-grade open source software systems last week. Top of the list was a newly reported vulnerability in Sendmail, which is a widely used mail transport agent (MTA). The second vulnerability was found in Snort, a popular open-source intrusion detection system (IDS).

Last week showed how quickly news of vulnerabilities can be exploited to produce software that wreaks havoc on the Net. Within 24 hours of the problems being made public, an easy-to-use exploit program for the Sendmail vulnerability was posted on the Bugtraq mailing list. According to Bugtraq, default installations of Sendmail and Red Hat Linux are not vulnerable to this particular exploit, but firms that have compiled Sendmail for use with Red Hat 7.1, 72 or 7.3 are vulnerable.

Bugtraq also warned that hackers may be working on alternative exploit software that could attack other versions of Sendmail. According to Sendmail, all versions predating the 8.12.8 version issued last week may be affected.

Given that just about every firm runs an email system, the Sendmail vulnerability is potentially the most serious problem for some time. Dan Ingevaldson of Internet Security Systems said, "The Sendmail vulnerability is the most severe that our team has ever discovered. It affects a critical service that must be exposed to the Internet, and it cannot be blocked by firewalls."

The Sendmail flaw is exploited simply by sending a suitably crafted email to a Sendmail server. MTAs that are not vulnerable will simply forward such emails onto their final destination unless they have been specifically patched to drop them. While an organisation's public-facing email servers may be closely monitored and well maintained, there is a risk that internal ones may not be so well managed and could still be attacked by exploiting this flaw.

Experts warned that even if an organisation does not use Sendmail as its primary mail system, the open-source MTA may still be used to route mail internally.

Firms can guard against problems by upgrading to the latest version, or they could use an alternative MTA that is not affected by this flaw.

Although Snort is not as widely used as Sendmail, its vulnerability may also be very far-reaching. Ingevaldson said that because Snort is free to use, it is likely to be used by many firms that also run a commercial IDS. Companies typically locate devices running Snort sensors at many points on a LAN, and so firms using Snort will need time to clear the vulnerable versions from all their systems. In the interim, systems can be reconfigured to avoid this vulnerability, but doing so compromises the effectiveness of Snort's monitoring.

Have your say: reply to IT Week