Bug 662012 (CVE-2010-4345)

Summary: CVE-2010-4345 exim: privilege escalation
Product: [Other] Security Response Reporter: Mark J. Cox <mjc>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ade.rixon, bressers, dwmw2, jlieskov, jrusnack, levon, mlichvar, nixon, rcvalle
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 17:14:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 662020, 662024, 668077, 668078, 668079, 668080, 668081, 668082    
Bug Blocks:    
Attachments:
Description Flags
Patch for above commits
none
backport for exim-4.43
none
backport for exim-4.63 none

Description Mark J. Cox 2010-12-10 10:39:39 UTC 
See bug #661756
http://www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html

"
Secondly a privilege escalation where the trusted 'exim' user is able to tell
Exim to use arbitrary config files, in which further ${run ...} commands will
be invoked as root.

The latter should be addressed by the patch at
http://lists.exim.org/lurker/message/20101209.172233.abcba158.en.html
"
Comment 5 David Woodhouse 2010-12-10 17:11:18 UTC 
http://bugs.exim.org/show_bug.cgi?id=1044
Comment 6 David Woodhouse 2010-12-12 03:26:48 UTC 
http://lists.exim.org/lurker/message/20101212.031058.0a4ca7c2.en.html

I've just pushed a set of patches to
    http://git.exim.org/users/dwmw2/exim.git
    git://git.exim.org/users/dwmw2/exim.git

They do the following:

- Add Valgrind hooks to the store pools to aid debugging.

- Don't use config files as root if they're writeable by non-root
  users/groups. Including the Exim user/group.

- Kill ALT_CONFIG_ROOT_ONLY as discussed, so only root can specify
  arbitrary files on the command line with the -C option. If the Exim
  user uses -C, or uses the -D option to set macros, then root privs
  will be dropped.

- Add a TRUSTED_CONFIG_PREFIX_FILE option. If set, it gives a filename
  for a file that contains prefix strings, like the ALT_CONFIG_PREFIX.
  Each line in that file specifies a prefix for config files which are
  to be trusted, and executed with root privilege if seen in the -C
  option, regardless of which user Exim is invoked by. As long as the
  config file is not writeable by anyone but root, of course.

- Set FD_CLOEXEC on SMTP sockets after forking to handle the connection.


The TRUSTED_CONFIG_PREFIX_FILE one wants a little more attention; I
haven't properly tested it yet. But it's 3am so not right now...
Comment 7 Josh Bressers 2010-12-14 19:24:26 UTC 
Here are the upstream patches for this one:

Allow only absolute paths in TRUSTED_CONFIG_PREFIX_LIST...
http://git.exim.org/exim.git/commit/1e83d68b72d24d6255d2e78facbe01656515ab4f


Set FD_CLOEXEC on SMTP sockets after forking to handle... 
http://git.exim.org/exim.git/commit/fa32850be0d9e605da1b33305c122f7a59a24650


Add TRUSTED_CONFIG_PREFIX_FILE option
http://git.exim.org/exim.git/commit/261dc43e32f6039781ca92535e56f5caaa68b809


Remove ALT_CONFIG_ROOT_ONLY build option, effectively... 
http://git.exim.org/exim.git/commit/cd25e41d2d044556e024f0292a17c5ec3cc7987b


Check configure file permissions even for non-default... 
http://git.exim.org/exim.git/commit/e2f5dc151e2e79058e93924e6d35510557f0535d


Don't allow a configure file which is writeable by... 
http://git.exim.org/exim.git/commit/c1d94452b1b7f3620ee3cc9aa197ad98821de79f
Comment 8 Josh Bressers 2010-12-14 19:34:06 UTC 
Created attachment 468682 [details]
Patch for above commits
Comment 9 Josh Bressers 2010-12-14 22:48:21 UTC 
I've been informed that the above commits are still not complete for this issue. I'll update the patch when upstream is finished.
Comment 10 Miroslav Lichvar 2011-01-06 14:25:13 UTC 
Created attachment 472064 [details]
backport for exim-4.43
Comment 11 Miroslav Lichvar 2011-01-06 14:26:39 UTC 
Created attachment 472066 [details]
backport for exim-4.63
Comment 13 Josh Bressers 2011-01-07 20:29:18 UTC 
Created exim tracking bugs for this issue

Affects: fedora-all [bug 668078]
Affects: fedora-all [bug 668078]
Comment 15 Josh Bressers 2011-01-07 20:40:55 UTC 
I'm lowering the severity of this to moderate. Without another flaw that lets you gain access to the exim user, this flaw has no value.
Comment 16 errata-xmlrpc 2011-01-17 17:47:32 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2011:0153 https://rhn.redhat.com/errata/RHSA-2011-0153.html