Executive Summary
Summary | |
---|---|
Title | Exim alternate configuration privilege escalation vulnerability |
Informations | |||
---|---|---|---|
Name | VU#758489 | First vendor Publication | 2010-12-13 |
Vendor | VU-CERT | Last vendor Modification | 2010-12-13 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:L/AC:M/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 6.9 | Attack Range | Local |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Expoit Score | 3.4 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Vulnerability Note VU#758489Exim alternate configuration privilege escalation vulnerabilityOverviewA vulnerability in the way that the Exim mail server handles configuration files may allow a local attacker to gain escalated privileges on an affected system.I. DescriptionExim is a message transfer agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. If Exim is built without specifying the ALT_CONFIG_ROOT_ONLY configuration option, then the Exim user can invoke Exim with an arbitrary configuration file. The Exim developers note that this option is unspecified by default. Consequently, any ${run...} directives specified in that configuration file will be executed as root.Note: this vulnerability has been reported being exploited in the wild. Ensure that Exim is built with the ALT_CONFIG_ROOT_ONLY option enabled
Referenceshttp://www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html This vulnerability was discovered as a result of its exploitation in the wild. Sergey Kononenko provided confirmation and public analysis. This document was written by Chad R Dougherty.
|
Original Source
Url : http://www.kb.cert.org/vuls/id/758489 |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:12720 | |||
Oval ID: | oval:org.mitre.oval:def:12720 | ||
Title: | DSA-2131-1 exim4 -- arbitrary code execution | ||
Description: | Several vulnerabilities have been found in exim4 that allow a remote attacker to execute arbitrary code as root user. Exploits for these issues have been seen in the wild. This update fixes a memory corruption issue that allows a remote attacker to execute arbitrary code as the Debian-exim user. A fix for an additional issue that allows the Debian-exim user to obtain root privileges is currently being checked for compatibility issues. It is not yet included in this upgrade but will released soon in an update to this advisory. For the stable distribution, this problem has been fixed in version 4.69-9+lenny1. This advisory only contains the packages for the alpha, amd64, hppa, i386, ia64, powerpc, and s390 architectures. The packages for the arm, armel, mips, mipsel, and sparc architectures will be released as soon as they are built. For the testing distribution and the unstable distribution, this problem has been fixed in version 4.70-1. We strongly recommend that you upgrade your exim4 packages. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2131-1 CVE-2010-4344 CVE-2010-4345 | Version: | 5 |
Platform(s): | Debian GNU/Linux 5.0 | Product(s): | exim4 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:21735 | |||
Oval ID: | oval:org.mitre.oval:def:21735 | ||
Title: | RHSA-2011:0153: exim security update (Moderate) | ||
Description: | Exim 4.72 and earlier allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with a directive that contains arbitrary commands, as demonstrated by the spool_directory directive. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2011:0153-01 CESA-2011:0153 CVE-2010-4345 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | exim |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:22839 | |||
Oval ID: | oval:org.mitre.oval:def:22839 | ||
Title: | ELSA-2011:0153: exim security update (Moderate) | ||
Description: | Exim 4.72 and earlier allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with a directive that contains arbitrary commands, as demonstrated by the spool_directory directive. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2011:0153-01 CVE-2010-4345 | Version: | 6 |
Platform(s): | Oracle Linux 5 | Product(s): | exim |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
ExploitDB Exploits
id | Description |
---|---|
2010-12-16 | Exim4 <= 4.69 string_format Function Heap Buffer Overflow |
OpenVAS Exploits
Date | Description |
---|---|
2012-07-30 | Name : CentOS Update for exim CESA-2011:0153 centos4 x86_64 File : nvt/gb_CESA-2011_0153_exim_centos4_x86_64.nasl |
2012-07-30 | Name : CentOS Update for exim CESA-2011:0153 centos5 x86_64 File : nvt/gb_CESA-2011_0153_exim_centos5_x86_64.nasl |
2011-08-09 | Name : CentOS Update for exim CESA-2011:0153 centos5 i386 File : nvt/gb_CESA-2011_0153_exim_centos5_i386.nasl |
2011-02-11 | Name : Ubuntu Update for exim4 vulnerabilities USN-1060-1 File : nvt/gb_ubuntu_USN_1060_1.nasl |
2011-01-31 | Name : CentOS Update for exim CESA-2011:0153 centos4 i386 File : nvt/gb_CESA-2011_0153_exim_centos4_i386.nasl |
2011-01-24 | Name : FreeBSD Ports: exim File : nvt/freebsd_exim1.nasl |
2011-01-21 | Name : RedHat Update for exim RHSA-2011:0153-01 File : nvt/gb_RHSA-2011_0153-01_exim.nasl |
2011-01-04 | Name : SuSE Update for exim SUSE-SA:2010:059 File : nvt/gb_suse_2010_059.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
69860 | Exim exim User Account Configuration File Directive Local Privilege Escalation Exim contains a flaw that may allow an attacker to gain access to unauthorized privileges. The issue is triggered when an attacker leverages the ability of an exim user account to specify an alternate configuration file with a directive that contains arbitrary commands, allowing a local attacker to gain root privileges. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_exim-101211.nasl - Type : ACT_GATHER_INFO |
2014-01-28 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201401-32.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2011-0153.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20110117_exim_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
2011-05-05 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_exim-101211.nasl - Type : ACT_GATHER_INFO |
2011-05-05 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_exim-101211.nasl - Type : ACT_GATHER_INFO |
2011-02-11 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1060-1.nasl - Type : ACT_GATHER_INFO |
2011-01-31 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2154.nasl - Type : ACT_GATHER_INFO |
2011-01-28 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2011-0153.nasl - Type : ACT_GATHER_INFO |
2011-01-18 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-0153.nasl - Type : ACT_GATHER_INFO |
2011-01-10 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_e4fcf020044711e0becc0022156e8794.nasl - Type : ACT_GATHER_INFO |
2010-12-15 | Name : The remote service has a buffer overflow. File : exim_string_vformat.nasl - Type : ACT_ATTACK |
2010-12-12 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2131.nasl - Type : ACT_GATHER_INFO |