Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-4690 | GEN004620 | SV-62813r1_rule | ECSC-1 | High |
Description |
---|
Debug mode is a feature present in older versions of sendmail which, if not disabled, may allow an attacker to gain access to a system through the sendmail service. |
STIG | Date |
---|---|
Oracle Linux 5 Security Technical Implementation Guide | 2015-03-26 |
Check Text ( C-51683r1_chk ) |
---|
Check for an enabled "debug" command provided by the SMTP service. Procedure: # telnet localhost 25 debug If the command does not return a 500 error code of "command unrecognized" or a 550 error code of "access denied", this is a finding. The operating system distribution ships with sendmail Version 8.13.8 which is not vulnerable. This should never be a finding. |
Fix Text (F-53399r1_fix) |
---|
Obtain and install a newer version of the SMTP service software (sendmail or Postfix) from the operating system vendor. |