Overview
A vulnerability in the way that the Exim mail server handles configuration files may allow a local attacker to gain escalated privileges on an affected system.
Description
Exim is a message transfer agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. If Exim is built without specifying the ALT_CONFIG_ROOT_ONLY configuration option, then the Exim user can invoke Exim with an arbitrary configuration file. The Exim developers note that this option is unspecified by default. Consequently, any ${run...} directives specified in that configuration file will be executed as root. Note: this vulnerability has been reported being exploited in the wild. |
Impact
A local attacker with the ability to execute commands as the Exim user may be able to execute code with root privileges. |
Solution
We are currently unaware of a practical solution to this problem. |
Ensure that Exim is built with the ALT_CONFIG_ROOT_ONLY option enabled |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- http://www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html
- http://bugs.exim.org/show_bug.cgi?id=1044
- https://bugzilla.redhat.com/show_bug.cgi?id=662012
- http://lists.exim.org/lurker/message/20101209.172233.abcba158.en.html
- http://lists.exim.org/lurker/message/20101213.140800.7c3bae4b.en.html
Acknowledgements
This vulnerability was discovered as a result of its exploitation in the wild. Sergey Kononenko provided confirmation and public analysis.
This document was written by Chad R Dougherty.
Other Information
| CVE IDs: | CVE-2010-4345 |
| Severity Metric: | 13.54 |
| Date Public: | 2010-12-07 |
| Date First Published: | 2010-12-13 |
| Date Last Updated: | 2010-12-13 15:48 UTC |
| Document Revision: | 6 |