Multiple vulnerabilities in Exim

2010-06-08T00:00:00
ID SECURITYVULNS:DOC:23995
Type securityvulns
Reporter Securityvulns
Modified 2010-06-08T00:00:00

Description

================================== Exim Mailer, multiple vulnerabilites June 3, 2010 CVE-2010-2023, CVE-2010-2024 ==================================

==Description==

Two vulnerabilities have been discovered in Exim 4, a popular mail transfer agent used on Unix-like systems (www.exim.org).

  1. When Exim is used with a world-writable mail directory with the sticky-bit set, local users may create hard links to other non-root users' files at the expected location of those users' mailboxes, causing their files to be written to upon mail delivery. This could be used to create denial-of-service conditions or potentially escalate privileges to those of targeted users. This issue has been assigned CVE-2010-2023.

  2. When MBX locking is enabled, local users may exploit a race condition to change permissions of other non-root users' files, leading to denial-of-service conditions or potentially privilege escalation, or to create new files owned by other users in unauthorized locations. This issue has been assigned CVE-2010-2024.

==Workarounds==

  1. Both of these vulnerabilities can be mitigated on Linux by making use of grsecurity (or similar) kernel extensions that enforce additional linking restrictions. grsecurity mitigates these types of race conditions by preventing users from following symbolic links owned by other users in world-writable directories with the sticky bit set, and also by preventing users from creating hard links to files they do not own. Other operating systems may enforce similar restrictions by default.

  2. The first issue can be mitigated by using a group-writable mail directory owned by a "mail" group rather than a world-writable mail directory.

  3. The second issue can be mitigated by disabling the MBX locking feature (this is already the default with many packaged releases of Exim) or by mounting the /tmp directory with options prohibiting the following of symbolic links created by other users.

==Solution==

Exim has released a new version, 4.72, available for download at ftp://ftp.exim.org/pub/exim/exim4/exim-4.72.tar.gz. Vulnerable users are advised to download and recompile from source, or request updated packages from downstream distributions.

==Credits==

These vulnerabilities were discovered by Dan Rosenberg (dan.j.rosenberg@gmail.com).

==Timeline==

5/24/10 - Reported to Exim 5/25/10 - Response from Exim 6/03/10 - Exim 4.72 released 6/03/10 - Disclosure

==References==

CVE identifiers CVE-2010-2023 and CVE-2010-2024 have been assigned to these issues.

Exim 4.72 is available for download at: ftp://ftp.exim.org/pub/exim/exim4/exim-4.72.tar.gz ftp://ftp.exim.org/pub/exim/exim4/exim-4.72.tar.bz2