
Multiple vulnerabilities in Exim

2010-06-08 00:00:00
vulners.com

==================================
Exim Mailer, multiple vulnerabilities
June 3, 2010
CVE-2010-2023, CVE-2010-2024

==Description==

Two vulnerabilities have been discovered in Exim 4, a popular mail transfer
agent used on Unix-like systems (www.exim.org).

  1. When Exim is used with a world-writable mail directory with the sticky bit
    set, local users may create hard links to other non-root users' files at the
    expected location of those users' mailboxes, causing their files to be written
    to upon mail delivery. This could be used to create denial-of-service
    conditions or potentially escalate privileges to those of targeted users. This
    issue has been assigned CVE-2010-2023.

  2. When MBX locking is enabled, local users may exploit a race condition to
    change permissions of other non-root users' files, leading to denial-of-service
    conditions or potentially privilege escalation, or to create new files owned by
    other users in unauthorized locations. This issue has been assigned
    CVE-2010-2024.

==Workarounds==

  1. Both of these vulnerabilities can be mitigated on Linux by making use of
    grsecurity (or similar) kernel extensions that enforce additional linking
    restrictions. grsecurity mitigates these types of race conditions by
    preventing users from following symbolic links owned by other users in
    world-writable directories with the sticky bit set, and also by preventing
    users from creating hard links to files they do not own. Other operating
    systems may enforce similar restrictions by default.

  2. The first issue can be mitigated by using a group-writable mail directory
    owned by a "mail" group rather than a world-writable mail directory.

  3. The second issue can be mitigated by disabling the MBX locking feature (this
    is already the default with many packaged releases of Exim) or by mounting the
    /tmp directory with options prohibiting the following of symbolic links created
    by other users.
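The following POSIX shell audit script is an added example, not part of the advisory and not Exim's own code. It checks a mail spool directory for the layout the first issue depends on (world-writable with the sticky bit) and distinguishes it from the group-writable layout recommended in workaround 2, and it reports the mainline-kernel equivalents of the grsecurity link restrictions mentioned in workaround 1 (the fs.protected_hardlinks and fs.protected_symlinks sysctls, present in Linux 3.6 and later). It assumes GNU coreutils stat; the spool path is whatever the caller passes, /var/mail being only an example.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a mail spool directory's
# permission layout and report kernel hard/symlink restrictions.

# Classify a directory's mode. Prints one of:
#   world-writable-sticky  world-writable dir with sticky bit (the layout in issue 1)
#   world-writable         world-writable without sticky bit (worse still)
#   group-writable         writable by group only (the advisory's recommended layout)
#   restricted             not writable by group or others
spool_mode_class() {
    dir=$1
    # GNU stat prints the octal mode, e.g. "1777" or "770" (assumption: GNU coreutils).
    mode=$(stat -c '%a' "$dir") || return 2
    case "$mode" in
        ????) special=${mode%???}; lower=${mode#?} ;;   # setuid/setgid/sticky digit present
        ???)  special=0;           lower=$mode ;;       # no special bits
        *)    return 2 ;;
    esac
    other=${lower#??}            # last digit: permissions for "others"
    g=${lower%?}; group=${g#?}   # middle digit: permissions for the group
    case "$other" in
        [2367])                  # write bit set for others
            case "$special" in
                [1357]) echo world-writable-sticky ;;   # sticky bit (1) set
                *)      echo world-writable ;;
            esac ;;
        *)
            case "$group" in
                [2367]) echo group-writable ;;
                *)      echo restricted ;;
            esac ;;
    esac
}

# Report the mainline kernel's link restrictions (Linux 3.6+). A value of 1
# means the kernel refuses hard links to files the user does not own
# (protected_hardlinks) and refuses to follow other users' symlinks in
# world-writable sticky directories (protected_symlinks).
link_protection_status() {
    for knob in protected_hardlinks protected_symlinks; do
        f=/proc/sys/fs/$knob
        if [ -r "$f" ]; then
            printf '%s=%s\n' "$knob" "$(cat "$f")"
        else
            printf '%s=unavailable\n' "$knob"
        fi
    done
}

# Returns 0 when the directory is not world-writable, 1 when it is.
audit_mail_spool() {
    class=$(spool_mode_class "$1") || { echo "cannot stat $1"; return 2; }
    printf '%s: %s\n' "$1" "$class"
    case "$class" in
        world-writable*) return 1 ;;
        *)               return 0 ;;
    esac
}

# Usage: sh audit_spool.sh /var/mail   (path is an example argument)
if [ $# -gt 0 ]; then
    link_protection_status
    rc=0
    for d in "$@"; do
        audit_mail_spool "$d" || rc=1
    done
    exit "$rc"
fi
```

A world-writable-sticky result on the spool directory together with protected_hardlinks=0 is the combination the advisory describes; switching the directory to group ownership by the mail group (mode 770 or 1770) moves it into the group-writable class.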

==Solution==

Exim has released a new version, 4.72, available for download at
ftp://ftp.exim.org/pub/exim/exim4/exim-4.72.tar.gz. Vulnerable users are
advised to download and recompile from source, or request updated packages from
downstream distributions.

==Credits==

These vulnerabilities were discovered by Dan Rosenberg
([email protected]).

==Timeline==

5/24/10 - Reported to Exim
5/25/10 - Response from Exim
6/03/10 - Exim 4.72 released
6/03/10 - Disclosure

==References==

CVE identifiers CVE-2010-2023 and CVE-2010-2024 have been assigned to these
issues.

Exim 4.72 is available for download at:
ftp://ftp.exim.org/pub/exim/exim4/exim-4.72.tar.gz
ftp://ftp.exim.org/pub/exim/exim4/exim-4.72.tar.bz2
