Buffer overflow in the spa_base64_to_bits function in Exim before 4.43, as originally obtained from Samba code, and as called by the auth_spa_client function, may allow attackers to execute arbitrary code during SPA authentication.

This erratum fixes two relatively minor security issues which were discovered in Exim in the last few weeks. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0021 and CVE-2005-0022 to these, respectively.

1. The function host_aton() can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components.

2. The second report described a buffer overflow in the function spa_base64_to_bits(), which is part of the code for SPA authentication. This code originated in the Samba project. The overflow can be exploited only if you are using SPA authentication.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A flaw has been found in the host_aton() function, which can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components. When supplying certain command line parameters, the input was not checked, so that a local attacker could possibly exploit the buffer overflow to run arbitrary code with the privileges of the Exim mail server. (CAN-2005-0021)

Additionally, the BASE64 decoder in the SPA authentication handler did not check the size of its output buffer. By sending an invalid BASE64 authentication string, a remote attacker could overflow the buffer, which could possibly be exploited to run arbitrary code with the privileges of the Exim mail server. (CAN-2005-0022).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

1. The function host_aton() can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components.

2. The second report described a buffer overflow in the function spa_base64_to_bits(), which is part of the code for SPA authentication.

The remote Redhat Enterprise Linux 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2005:025 advisory.

    Exim is a mail transport agent (MTA) developed at the University of     Cambridge for use on Unix systems connected to the Internet.

    A buffer overflow was discovered in the spa_base64_to_bits function in     Exim, as originally obtained from Samba code.  If SPA authentication is     enabled, a remote attacker may be able to exploit this vulnerability to     execute arbitrary code as the 'exim' user.  The Common Vulnerabilities and     Exposures project (cve.mitre.org) has assigned the name CAN-2005-0022 to     this issue.  Please note that SPA authentication is not enabled by default     in Red Hat Enterprise Linux 4.

    Buffer overflow flaws were discovered in the host_aton and     dns_build_reverse functions in Exim.  A local user can trigger these flaws     by executing exim with carefully crafted command line arguments and may be     able to gain the privileges of the 'exim' account.  The Common     Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name     CAN-2005-0021 to this issue.

    Users of Exim are advised to update to these erratum packages which contain     backported patches to correct these issues.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-200501-23 (Exim: Two buffer overflows)

    Buffer overflows have been found in the host_aton() function     (CAN-2005-0021) as well as in the spa_base64_to_bits() function     (CAN-2005-0022), which is part of the SPA authentication code.
  Impact :

    A local attacker could trigger the buffer overflow in host_aton()     by supplying an illegal IPv6 address with more than 8 components, using     a command line option. The second vulnerability could be remotely     exploited during SPA authentication, if it is enabled on the server.
    Both buffer overflows can potentially lead to the execution of     arbitrary code.
  Workaround :

    There is no known workaround at this time.

The remote host is running Exim, a message transfer agent (SMTP).

It is reported that Exim is prone to an IPv6 Address and an SPA authentication buffer overflow. An attacker, exploiting this issue, may be able to execute arbitrary code on the remote host.

Exim must be configured with SPA Authentication or with IPv6 support to exploit those flaws.

In addition, Exim is vulnerable to two local overflows in command line option handling. However, Nessus has not tested for these.

The remote host is running Exim, a message transfer agent (SMTP). It is reported that Exim is prone to an IPv6 address and a SPA authentication buffer overflow . An attacker exploiting those flaws may be able to execute arbitrary code on the remote host. Exim must be configured with SPA Authentication or with IPv6 support to exploit those flaws.

ID	Name	Product	Family	Severity
62248	Fedora Core 3 : exim-4.43-1.FC3.1 (2005-002)	Nessus	Fedora Local Security Checks	high
20674	Ubuntu 4.10 : exim4 vulnerabilities (USN-56-1)	Nessus	Ubuntu Local Security Checks	high
19118	FreeBSD : exim -- two buffer overflow vulnerabilities (ca9ce879-5ebb-11d9-a01c-0050569f0001)	Nessus	FreeBSD Local Security Checks	high
17165	RHEL 4 : exim (RHSA-2005:025)	Nessus	Red Hat Local Security Checks	critical
16414	GLSA-200501-23 : Exim: Two buffer overflows	Nessus	Gentoo Local Security Checks	high
16113	Fedora Core 2 : exim-4.43-1.FC2.1 (2005-001)	Nessus	Fedora Local Security Checks	high
16111	Exim < 4.44 Multiple Overflows	Nessus	SMTP problems	high
2505	Exim < 4.44 Illegal IPv6 Address / SPA Authentication Buffer Overflow	Nessus Network Monitor	SMTP Servers	high

Detections

Analytics

CVE-2005-0022

critical

Tenable Plugins

high

high

high

critical

high

high

high

high