The expand function in fio.c in Heirloom mailx 12.5 and earlier and BSD mailx 8.1.2 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an email address.

The version of mailx installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2004-2771 advisory.

  - The expand function in fio.c in Heirloom mailx 12.5 and earlier and BSD mailx 8.1.2 and earlier allows     remote attackers to execute arbitrary commands via shell metacharacters in an email address.
    (CVE-2004-2771)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - mailx: command execution flaw (CVE-2004-2771, CVE-2014-7844)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote host is affected by the vulnerability described in GLSA-201804-06 (mailx: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in mailx. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could execute arbitrary commands.
  Workaround :

    There is no known workaround at this time.

CVE-2014-7844 The expand function in fio.c in Heirloom mailx 12.5 and earlier and BSD mailx 8.1.2 and earlier allows remote attackers to execute arbitrary commands via shell meta characters in an email address.

CVE-2004-2771 A flaw was found in the way mailx handled the parsing of email addresses. A syntactically valid email address could allow a local attacker to cause mailx to execute arbitrary shell commands through shell meta characters (CVE-2004-2771) and the direct command execution functionality (CVE-2014-7844).

Impact

A local attacker can cause mailx to execute arbitrary shell commands through shell meta-characters. These attacks require a trusted user with shell access to the system in question.

New mailx packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.

Two security vulnerabilities were discovered in Heirloom mailx, an implementation of the 'mail' command :

CVE-2004-2771

mailx interprets interprets shell meta-characters in certain email addresses.

CVE-2014-7844

An unexpected feature of mailx treats syntactically valid email addresses as shell commands to execute.

Shell command execution can be re-enabled using the 'expandaddr' option.

Note that this security update does not remove all mailx facilities for command execution, though. Scripts which send mail to addresses obtained from an untrusted source (such as a web form) should use the '--' separator before the email addresses (which was fixed to work properly in this update), or they should be changed to invoke 'mail
-t' or 'sendmail -i -t' instead, passing the recipient addresses as part of the mail header.

For the oldstable distribution (squeeze), these problems have been fixed in version 12.4-2+deb6u1.

We recommend that you upgrade your heirloom-mailx packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated nail package fixes security vulnerabilities :

A flaw was found in the way mailx handled the parsing of email addresses. A syntactically valid email address could allow a local attacker to cause mailx to execute arbitrary shell commands through shell meta-characters and the direct command execution functionality (CVE-2004-2771, CVE-2014-7844).

A flaw was found in the way mailx handled the parsing of email addresses. A syntactically valid email address could allow a local attacker to cause mailx to execute arbitrary shell commands through shell meta-characters and the direct command execution functionality.
(CVE-2004-2771 , CVE-2014-7844)

Note: Applications using mailx to send email to addresses obtained from untrusted sources will still remain vulnerable to other attacks if they accept email addresses which start with '-' (so that they can be confused with mailx options). To counteract this issue, this update also introduces the '--' option, which will treat the remaining command line arguments as email addresses.

Security fix for CVE-2004-2771, CVE-2014-7844

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - CVE-2004-2771 mailx: command execution flaw resolves:
    #1171175

  - resolves: #857120 fixed incorrect return code when     TMPDIR points to invalid path

  - resolves: #845098 added support for alternatives

This mailx update fixes the following security issue :

bsc#909208: shell command injection via crafted email addresses (CVE-2004-2771, CVE-2014-7844)

This mailx update fixes the following security issues :

  - Shell command injection via crafted email addresses.
    (CVE-2004-2771 / CVE-2014-7844). (bnc#909208)

A flaw was found in the way mailx handled the parsing of email addresses. A syntactically valid email address could allow a local attacker to cause mailx to execute arbitrary shell commands through shell meta-characters and the direct command execution functionality.
(CVE-2004-2771, CVE-2014-7844)

Note: Applications using mailx to send email to addresses obtained from untrusted sources will still remain vulnerable to other attacks if they accept email addresses which start with '-' (so that they can be confused with mailx options). To counteract this issue, this update also introduces the '--' option, which will treat the remaining command line arguments as email addresses.

The remote Redhat Enterprise Linux 6 / 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2014:1999 advisory.

    The mailx packages contain a mail user agent that is used to manage mail     using scripts.

    A flaw was found in the way mailx handled the parsing of email addresses.
    A syntactically valid email address could allow a local attacker to cause     mailx to execute arbitrary shell commands through shell meta-characters and     the direct command execution functionality. (CVE-2004-2771, CVE-2014-7844)

    Note: Applications using mailx to send email to addresses obtained from     untrusted sources will still remain vulnerable to other attacks if they     accept email addresses which start with - (so that they can be confused     with mailx options). To counteract this issue, this update also introduces     the -- option, which will treat the remaining command line arguments as     email addresses.

    All mailx users are advised to upgrade to these updated packages, which     contain backported patches to correct these issues.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 6 / 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2014-1999 advisory.

    [12.4-8]
    - CVE-2004-2771 mailx: command execution flaw       resolves: #1171175

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Two security vulnerabilities were discovered in Heirloom mailx, an implementation of the 'mail' command :

  - CVE-2004-2771     mailx interprets shell meta-characters in certain email     addresses.

  - CVE-2014-7844     An unexpected feature of mailx treats syntactically     valid email addresses as shell commands to execute.

Shell command execution can be re-enabled using the 'expandaddr'option.

Note that this security update does not remove all mailx facilities for command execution, though. Scripts which send mail to addresses obtained from an untrusted source (such as a web form) should use the-- separator before the email addresses (which was fixed to work properly in this update), or they should be changed to invokemail -t or sendmail -i -t instead, passing the recipient addresses as part of the mail header.

Updated mailx packages that fix two security issues are now available for Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The mailx packages contain a mail user agent that is used to manage mail using scripts.

A flaw was found in the way mailx handled the parsing of email addresses. A syntactically valid email address could allow a local attacker to cause mailx to execute arbitrary shell commands through shell meta-characters and the direct command execution functionality.
(CVE-2004-2771, CVE-2014-7844)

Note: Applications using mailx to send email to addresses obtained from untrusted sources will still remain vulnerable to other attacks if they accept email addresses which start with '-' (so that they can be confused with mailx options). To counteract this issue, this update also introduces the '--' option, which will treat the remaining command line arguments as email addresses.

All mailx users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

ID	Name	Product	Family	Severity
201795	CBL Mariner 2.0 Security Update: mailx (CVE-2004-2771)	Nessus	MarinerOS Local Security Checks	high
198342	RHEL 5 : mailx (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
108927	GLSA-201804-06 : mailx: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
99238	F5 Networks BIG-IP : Mailx vulnerabilities (K16945)	Nessus	F5 Networks Local Security Checks	high
89084	Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : mailx (SSA:2016-062-01)	Nessus	Slackware Local Security Checks	high
82098	Debian DLA-114-1 : heirloom-mailx security update	Nessus	Debian Local Security Checks	high
80430	Mandriva Linux Security Advisory : nail (MDVSA-2015:011)	Nessus	Mandriva Local Security Checks	high
80418	Amazon Linux AMI : mailx (ALAS-2015-467)	Nessus	Amazon Linux Local Security Checks	high
80345	Fedora 19 : mailx-12.5-9.fc19 (2014-17277)	Nessus	Fedora Local Security Checks	high
80344	Fedora 20 : mailx-12.5-11.fc20 (2014-17245)	Nessus	Fedora Local Security Checks	high
80343	Fedora 21 : mailx-12.5-14.fc21 (2014-17243)	Nessus	Fedora Local Security Checks	high
80279	OracleVM 3.3 : mailx (OVMSA-2014-0086)	Nessus	OracleVM Local Security Checks	high
80274	openSUSE Security Update : mailx (openSUSE-SU-2014:1713-1)	Nessus	SuSE Local Security Checks	high
80251	SuSE 11.3 Security Update : mailx (SAT Patch Number 10096)	Nessus	SuSE Local Security Checks	high
80075	Scientific Linux Security Update : mailx on SL6.x, SL7.x i386/x86_64 (20141216)	Nessus	Scientific Linux Local Security Checks	high
80074	RHEL 6 / 7 : mailx (RHSA-2014:1999)	Nessus	Red Hat Local Security Checks	high
80071	Oracle Linux 6 / 7 : mailx (ELSA-2014-1999)	Nessus	Oracle Linux Local Security Checks	high
80058	Debian DSA-3105-1 : heirloom-mailx - security update	Nessus	Debian Local Security Checks	high
80056	CentOS 6 / 7 : mailx (CESA-2014:1999)	Nessus	CentOS Local Security Checks	high

Detections

Analytics

CVE-2004-2771

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high