Executive Summary
Summary | |
---|---|
Title | Postfix: Local privilege escalation vulnerability |
Information | |||
---|---|---|---|
Name | GLSA-200808-12 | First vendor Publication | 2008-08-14 |
Vendor | Gentoo | Last vendor Modification | 2008-08-14 |
Severity (Vendor) | High | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:L/AC:H/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 6.2 | Attack Range | Local |
Cvss Impact Score | 10 | Attack Complexity | High |
Cvss Exploit Score | 1.9 | Authentication | None Required |
Detail
Synopsis
Postfix incorrectly checks the ownership of a mailbox, which in certain circumstances allows data to be appended to arbitrary files on a local system with root privileges.
Background
Description
Impact
The default configuration of Gentoo Linux does not permit any kind of user privilege escalation. The second vulnerability (CVE-2008-2937) allows a local attacker who already has write permissions to the mail spool directory (which is not the case on Gentoo by default) to create a previously nonexistent mailbox before Postfix creates it, allowing the attacker to read the mail of another user on the system.
Workaround
* The mail delivery style is mailbox, with the Postfix built-in local(8) or virtual(8) delivery agents.
* The mail spool directory (/var/spool/mail) is user-writeable.
* The user can create hardlinks pointing to root-owned symlinks located in other directories.
Consequently, each one of the following workarounds is effective.
* Verify that your /var/spool/mail directory is not writeable by a user. Normally on Gentoo, only the mail group has write access, and no end-user should be granted the mail group ownership.
* Prevent the local users from being able to create hardlinks pointing outside of the /var/spool/mail directory, e.g. with a dedicated partition.
* Use a non-builtin Postfix delivery agent, like procmail or maildrop.
* Use the maildir delivery style of Postfix ("home_mailbox=Maildir/"
Concerning the second vulnerability, check the write permissions of
Resolution
References
Availability
http://security.gentoo.org/glsa/glsa-200808-12.xml
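A host-side check for the preconditions and workarounds listed in the Detail section above, as an added example that is not part of the Gentoo advisory: it tests whether a spool directory is writable by any user, lists hard-linked symlinks found in it, and classifies a home_mailbox value as mailbox or maildir style. The function names are hypothetical; /var/spool/mail is the path the advisory names.

```shell
#!/bin/sh
# Added audit sketch, not code from the advisory or from Postfix.
# All function names below are hypothetical.

# Return 0 if DIR has the "other" write bit set, i.e. the
# "mail spool directory is user-writeable" condition.
spool_world_writable() {
    [ -d "$1" ] && [ -n "$(find "$1" -maxdepth 0 -perm -0002 2>/dev/null)" ]
}

# Print symlinks directly inside DIR whose link count is above 1.
# A symlink with more than one name is what the hardlink-to-symlink
# condition leaves behind in the spool.
hardlinked_symlinks() {
    find "$1" -maxdepth 1 -type l -links +1 2>/dev/null
}

# Classify a home_mailbox value: a trailing "/" selects maildir
# delivery; anything else (including empty) is mailbox style.
delivery_style() {
    case "$1" in
        */) echo maildir ;;
        *)  echo mailbox ;;
    esac
}

# Run both spool checks on DIR (default: the advisory's path).
# Returns 0 when neither condition is found, 1 otherwise.
audit_spool() {
    dir=${1:-/var/spool/mail}
    status=0
    if spool_world_writable "$dir"; then
        echo "FAIL: $dir is writable by any user"
        status=1
    fi
    links=$(hardlinked_symlinks "$dir")
    if [ -n "$links" ]; then
        echo "FAIL: hard-linked symlinks in $dir:"
        echo "$links"
        status=1
    fi
    return "$status"
}
```

On a host with Postfix installed, `delivery_style "$(postconf -h home_mailbox)"` reports which delivery style is configured, and `audit_spool` with no argument checks /var/spool/mail.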
Original Source
Url : http://security.gentoo.org/glsa/glsa-200808-12.xml |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-264 | Permissions, Privileges, and Access Controls |
50 % | CWE-200 | Information Exposure |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10033 | |||
Oval ID: | oval:org.mitre.oval:def:10033 | ||
Title: | Postfix before 2.3.15, 2.4 before 2.4.8, 2.5 before 2.5.4, and 2.6 before 2.6-20080814, when the operating system supports hard links to symlinks, allows local users to append e-mail messages to a file to which a root-owned symlink points, by creating a hard link to this symlink and then sending a message. NOTE: this can be leveraged to gain privileges if there is a symlink to an init script. | ||
Description: | Postfix before 2.3.15, 2.4 before 2.4.8, 2.5 before 2.5.4, and 2.6 before 2.6-20080814, when the operating system supports hard links to symlinks, allows local users to append e-mail messages to a file to which a root-owned symlink points, by creating a hard link to this symlink and then sending a message. NOTE: this can be leveraged to gain privileges if there is a symlink to an init script. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2008-2936 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Id: oval:org.mitre.oval:def:17428 | |||
Oval ID: | oval:org.mitre.oval:def:17428 | ||
Title: | USN-636-1 -- postfix vulnerability | ||
Description: | Sebastian Krahmer discovered that Postfix was not correctly handling mailbox ownership when dealing with Linux's implementation of hardlinking to symlinks. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-636-1 CVE-2008-2936 | Version: | 7 |
Platform(s): | Ubuntu 6.06 Ubuntu 7.04 Ubuntu 7.10 Ubuntu 8.04 | Product(s): | postfix |
Definition Id: oval:org.mitre.oval:def:18596 | |||
Oval ID: | oval:org.mitre.oval:def:18596 | ||
Title: | DSA-1629-1 postfix - privilege escalation | ||
Description: | Sebastian Krahmer discovered that Postfix, a mail transfer agent, incorrectly checks the ownership of a mailbox. In some configurations, this allows for appending data to arbitrary files as root. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1629-1 CVE-2008-2936 | Version: | 7 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | postfix |
Definition Id: oval:org.mitre.oval:def:20269 | |||
Oval ID: | oval:org.mitre.oval:def:20269 | ||
Title: | DSA-1629-2 postfix - privilege escalation | ||
Description: | Sebastian Krahmer discovered that Postfix, a mail transfer agent, incorrectly checks the ownership of a mailbox. In some configurations, this allows for appending data to arbitrary files as root. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1629-2 CVE-2008-2936 | Version: | 5 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | postfix |
Definition Id: oval:org.mitre.oval:def:22549 | |||
Oval ID: | oval:org.mitre.oval:def:22549 | ||
Title: | ELSA-2008:0839: postfix security update (Moderate) | ||
Description: | Postfix before 2.3.15, 2.4 before 2.4.8, 2.5 before 2.5.4, and 2.6 before 2.6-20080814, when the operating system supports hard links to symlinks, allows local users to append e-mail messages to a file to which a root-owned symlink points, by creating a hard link to this symlink and then sending a message. NOTE: this can be leveraged to gain privileges if there is a symlink to an init script. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2008:0839-01 CVE-2008-2936 | Version: | 6 |
Platform(s): | Oracle Linux 5 | Product(s): | postfix |
Definition Id: oval:org.mitre.oval:def:28256 | |||
Oval ID: | oval:org.mitre.oval:def:28256 | ||
Title: | RHSA-2008:0839 -- postfix security update (Moderate) | ||
Description: | Updated postfix packages that fix a security issue are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL), and TLS. A flaw was found in the way Postfix dereferences symbolic links. If a local user has write access to a mail spool directory with no root mailbox, it may be possible for them to append arbitrary data to files that root has write permission to. (CVE-2008-2936) Red Hat would like to thank Sebastian Krahmer for responsibly disclosing this issue. All users of postfix should upgrade to these updated packages, which contain a backported patch that resolves this issue. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2008:0839 CESA-2008:0839-CentOS 3 CESA-2008:0839-CentOS 5 CVE-2008-2936 | Version: | 3 |
Platform(s): | Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 3 CentOS Linux 5 | Product(s): | postfix |
Definition Id: oval:org.mitre.oval:def:7819 | |||
Oval ID: | oval:org.mitre.oval:def:7819 | ||
Title: | DSA-1629 postfix -- programming error | ||
Description: | Sebastian Krahmer discovered that Postfix, a mail transfer agent, incorrectly checks the ownership of a mailbox. In some configurations, this allows for appending data to arbitrary files as root. Note that only specific configurations are vulnerable; the default Debian installation is not affected. Only a configuration meeting the following requirements is vulnerable: For a detailed treating of the issue, please refer to the upstream author's announcement. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1629 CVE-2008-2936 | Version: | 3 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | postfix |
CPE : Common Platform Enumeration
ExploitDB Exploits
id | Description |
---|---|
2008-08-31 | Postfix <= 2.6-20080814 - (symlink) Local Privilege Escalation Exploit |
OpenVAS Exploits
Date | Description |
---|---|
2012-07-30 | Name : CentOS Update for postfix CESA-2011:0422 centos4 x86_64 File : nvt/gb_CESA-2011_0422_postfix_centos4_x86_64.nasl |
2012-07-30 | Name : CentOS Update for postfix CESA-2011:0422 centos5 x86_64 File : nvt/gb_CESA-2011_0422_postfix_centos5_x86_64.nasl |
2011-08-09 | Name : CentOS Update for postfix CESA-2011:0422 centos5 i386 File : nvt/gb_CESA-2011_0422_postfix_centos5_i386.nasl |
2011-04-11 | Name : CentOS Update for postfix CESA-2011:0422 centos4 i386 File : nvt/gb_CESA-2011_0422_postfix_centos4_i386.nasl |
2011-04-11 | Name : RedHat Update for postfix RHSA-2011:0422-01 File : nvt/gb_RHSA-2011_0422-01_postfix.nasl |
2009-12-10 | Name : Mandriva Security Advisory MDVSA-2009:224-1 (postfix) File : nvt/mdksa_2009_224_1.nasl |
2009-10-13 | Name : SLES10: Security update for Postfix File : nvt/sles10_postfix.nasl |
2009-10-10 | Name : SLES9: Security update for Postfix File : nvt/sles9p5032740.nasl |
2009-09-02 | Name : Mandrake Security Advisory MDVSA-2009:224 (postfix) File : nvt/mdksa_2009_224.nasl |
2009-04-09 | Name : Mandriva Update for postfix MDVSA-2008:171 (postfix) File : nvt/gb_mandriva_MDVSA_2008_171.nasl |
2009-03-23 | Name : Ubuntu Update for postfix vulnerability USN-636-1 File : nvt/gb_ubuntu_USN_636_1.nasl |
2009-03-06 | Name : RedHat Update for postfix RHSA-2008:0839-01 File : nvt/gb_RHSA-2008_0839-01_postfix.nasl |
2009-02-27 | Name : CentOS Update for postfix CESA-2008:0839 centos3 i386 File : nvt/gb_CESA-2008_0839_postfix_centos3_i386.nasl |
2009-02-27 | Name : CentOS Update for postfix CESA-2008:0839 centos3 x86_64 File : nvt/gb_CESA-2008_0839_postfix_centos3_x86_64.nasl |
2009-02-17 | Name : Fedora Update for postfix FEDORA-2008-8593 File : nvt/gb_fedora_2008_8593_postfix_fc9.nasl |
2009-02-17 | Name : Fedora Update for postfix FEDORA-2008-8595 File : nvt/gb_fedora_2008_8595_postfix_fc8.nasl |
2009-01-23 | Name : SuSE Update for postfix SUSE-SA:2008:040 File : nvt/gb_suse_2008_040.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200808-12 (postfix) File : nvt/glsa_200808_12.nasl |
2008-09-04 | Name : Debian Security Advisory DSA 1629-1 (postfix) File : nvt/deb_1629_1.nasl |
2008-09-04 | Name : Debian Security Advisory DSA 1629-2 (postfix) File : nvt/deb_1629_2.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
47659 | Postfix Cross-user Filename Local Mail Interception |
47658 | Postfix Hardlink to Symlink Mailspool Arbitrary Content Append |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2011-0422.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2008-0839.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20110406_postfix_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20080814_postfix_on_SL3_x.nasl - Type : ACT_GATHER_INFO |
2011-04-11 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2011-0422.nasl - Type : ACT_GATHER_INFO |
2011-04-07 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-0422.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12219.nasl - Type : ACT_GATHER_INFO |
2009-08-31 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-224.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_postfix-080804.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2008-171.nasl - Type : ACT_GATHER_INFO |
2008-10-10 | Name : The remote Fedora host is missing a security update. File : fedora_2008-8595.nasl - Type : ACT_GATHER_INFO |
2008-10-10 | Name : The remote Fedora host is missing a security update. File : fedora_2008-8593.nasl - Type : ACT_GATHER_INFO |
2008-08-20 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-636-1.nasl - Type : ACT_GATHER_INFO |
2008-08-19 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1629.nasl - Type : ACT_GATHER_INFO |
2008-08-15 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200808-12.nasl - Type : ACT_GATHER_INFO |
2008-08-15 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0839.nasl - Type : ACT_GATHER_INFO |
2008-08-15 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2008-0839.nasl - Type : ACT_GATHER_INFO |
2008-08-15 | Name : The remote openSUSE host is missing a security update. File : suse_postfix-5501.nasl - Type : ACT_GATHER_INFO |
2008-08-14 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_postfix-5500.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 11:36:02 |