Title

The Sendmail server must have the debug feature disabled. (Cat I impact)

Discussion

Debug mode is a feature present in older versions of Sendmail which, if not disabled, may allow an attacker to gain access to a system through the Sendmail service.

Check Content

Check for an enabled debug command provided by the SMTP service. Procedure: # telnet localhost 25 debug If the command does not return a 500 error code of command unrecognized, this is a finding. If telnet is unavailable for testing, check the version of sendmail. Run the following as a non-privileged user. $ echo \$Z | /usr/sbin/sendmail -bt -d0 If the version reported is less than 8.6, this is a finding.

Fix Text

Obtain and install a more recent version of Sendmail, which does not implement the DEBUG feature.

Additional Identifiers

Rule ID: SV-220103r603266_rule

Vulnerability ID: V-220103

Group Title: SRG-OS-000480

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.