Debian DSA-2154-1 : exim4 - privilege escalation

medium Nessus Plugin ID 51819

Synopsis

The remote Debian host is missing a security-related update.

Description

A design flaw (CVE-2010-4345 ) in exim4 allowed the local Debian-exim user to obtain root privileges by specifying an alternate configuration file using the -C option or by using the macro override facility (-D option). Unfortunately, fixing this vulnerability is not possible without some changes in exim4's behaviour. If you use the -C or -D options or use the system filter facility, you should evaluate the changes carefully and adjust your configuration accordingly. The Debian default configuration is not affected by the changes.

The detailed list of changes is described in the NEWS.Debian file in the packages. The relevant sections are also reproduced below.

In addition to that, missing error handling for the setuid/setgid system calls allowed the Debian-exim user to cause root to append log data to arbitrary files (CVE-2011-0017 ).

Solution

For the stable distribution (lenny), these problems have been fixed in version 4.69-9+lenny3.

Excerpt from the NEWS.Debian file from the packages exim4-daemon-light and exim4-daemon-heavy :

Exim versions up to and including 4.72 are vulnerable to CVE-2010-4345. This is a privilege escalation issue that allows the exim user to gain root privileges by specifying an alternate configuration file using the -C option. The macro override facility (-D) might also be misused for this purpose. In reaction to this security vulnerability upstream has made a number of user visible changes. This package includes these changes. If exim is invoked with the -C or -D option the daemon will not regain root privileges though re-execution. This is usually necessary for local delivery, though.
Therefore it is generally not possible anymore to run an exim daemon with -D or -C options. However this version of exim has been built with TRUSTED_CONFIG_LIST=/etc/exim4/trusted_configs.
TRUSTED_CONFIG_LIST defines a list of configuration files which are trusted; if a config file is owned by root and matches a pathname in the list, then it may be invoked by the Exim build-time user without Exim relinquishing root privileges. As a hotfix to not break existing installations of mailscanner we have also set WHITELIST_D_MACROS=OUTGOING. i.e. it is still possible to start exim with -DOUTGOING while being able to do local deliveries. If you previously were using -D switches you will need to change your setup to use a separate configuration file. The '.include' mechanism makes this easy. The system filter is run as exim_user instead of root by default. If your setup requies root privileges when running the system filter you will need to set the system_filter_user exim main configuration option.

See Also

https://security-tracker.debian.org/tracker/CVE-2010-4345

https://security-tracker.debian.org/tracker/CVE-2011-0017

https://www.debian.org/security/2011/dsa-2154

Plugin Details

Severity: Medium

ID: 51819

File Name: debian_DSA-2154.nasl

Version: 1.13

Type: local

Agent: unix

Published: 1/31/2011

Updated: 3/28/2022

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.0

CVSS v2

Risk Factor: Medium

Base Score: 6.9

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:exim4, cpe:/o:debian:debian_linux:5.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/30/2011

CISA Known Exploited Vulnerability Due Dates: 4/15/2022

Exploitable With

Metasploit (Exim4 string_format Function Heap Buffer Overflow)

Reference Information

CVE: CVE-2010-4345, CVE-2011-0017

DSA: 2154