Bug 662012 - (CVE-2010-4345) CVE-2010-4345 exim privilege escalation
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Severity: medium
Assigned To: Red Hat Product Security
public=20101207,reported=20101209,sou...
Keywords: Security
Depends On: 662020 662024 668077 668078 668079 668080 668081 668082
Reported: 2010-12-10 05:39 EST by Mark J. Cox (Product Security)
Modified: 2015-07-31 08:28 EDT

Last Closed: 2012-06-20 13:14:35 EDT
Attachments
Patch for above commits (29.93 KB, patch)
2010-12-14 14:34 EST, Josh Bressers
backport for exim-4.43 (42.81 KB, patch)
2011-01-06 09:25 EST, Miroslav Lichvar
backport for exim-4.63 (43.35 KB, patch)
2011-01-06 09:26 EST, Miroslav Lichvar

Description Mark J. Cox (Product Security) 2010-12-10 05:39:39 EST
See bug #661756
http://www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html

"
Secondly a privilege escalation where the trusted 'exim' user is able to tell
Exim to use arbitrary config files, in which further ${run ...} commands will
be invoked as root.

The latter should be addressed by the patch at
http://lists.exim.org/lurker/message/20101209.172233.abcba158.en.html
"
Comment 5 David Woodhouse 2010-12-10 12:11:18 EST
http://bugs.exim.org/show_bug.cgi?id=1044
Comment 6 David Woodhouse 2010-12-11 22:26:48 EST
http://lists.exim.org/lurker/message/20101212.031058.0a4ca7c2.en.html

I've just pushed a set of patches to
    http://git.exim.org/users/dwmw2/exim.git
    git://git.exim.org/users/dwmw2/exim.git

They do the following:

- Add Valgrind hooks to the store pools to aid debugging.

- Don't use config files as root if they're writeable by non-root
  users/groups. Including the Exim user/group.

- Kill ALT_CONFIG_ROOT_ONLY as discussed, so only root can specify
  arbitrary files on the command line with the -C option. If the Exim
  user uses -C, or uses the -D option to set macros, then root privs
  will be dropped.

- Add a TRUSTED_CONFIG_PREFIX_FILE option. If set, it gives a filename
  for a file that contains prefix strings, like the ALT_CONFIG_PREFIX.
  Each line in that file specifies a prefix for config files which are
  to be trusted, and executed with root privilege if seen in the -C
  option, regardless of which user Exim is invoked by. As long as the
  config file is not writeable by anyone but root, of course.

- Set FD_CLOEXEC on SMTP sockets after forking to handle the connection.


The TRUSTED_CONFIG_PREFIX_FILE one wants a little more attention; I
haven't properly tested it yet. But it's 3am so not right now...
Comment 7 Josh Bressers 2010-12-14 14:24:26 EST
Here are the upstream patches for this one:

Allow only absolute paths in TRUSTED_CONFIG_PREFIX_LIST...
http://git.exim.org/exim.git/commit/1e83d68b72d24d6255d2e78facbe01656515ab4f


Set FD_CLOEXEC on SMTP sockets after forking to handle... 
http://git.exim.org/exim.git/commit/fa32850be0d9e605da1b33305c122f7a59a24650


Add TRUSTED_CONFIG_PREFIX_FILE option
http://git.exim.org/exim.git/commit/261dc43e32f6039781ca92535e56f5caaa68b809


Remove ALT_CONFIG_ROOT_ONLY build option, effectively... 
http://git.exim.org/exim.git/commit/cd25e41d2d044556e024f0292a17c5ec3cc7987b


Check configure file permissions even for non-default... 
http://git.exim.org/exim.git/commit/e2f5dc151e2e79058e93924e6d35510557f0535d


Don't allow a configure file which is writeable by... 
http://git.exim.org/exim.git/commit/c1d94452b1b7f3620ee3cc9aa197ad98821de79f
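
The checks described in comments 6 and 7 (a config file used as root must not be writable by any non-root user or group, and `-C` paths are trusted only under absolute prefixes) can be sketched as follows. This is an added illustration, not Exim's code or the attached patch; all function names are hypothetical, and rejecting `..` path components is an extra assumption of this sketch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Illustrative sketch, not Exim source. All names are hypothetical. */

/* A config file may be used with root privilege only if no non-root
   user or group (the Exim user/group included) can modify it. */
bool config_perms_ok(uid_t owner, gid_t group, mode_t mode)
{
    if (owner != 0) return false;                     /* owner could rewrite it */
    if ((mode & S_IWGRP) && group != 0) return false; /* non-root group write */
    if (mode & S_IWOTH) return false;                 /* world writable */
    return true;
}

/* True if path is absolute, has no ".." component, and starts with one
   of the trusted prefixes. Prefixes that are not absolute are ignored. */
bool path_is_trusted(const char *path, const char *const *prefixes, size_t n)
{
    if (path[0] != '/') return false;
    for (const char *p = path; (p = strstr(p, "/..")) != NULL; p += 3)
        if (p[3] == '/' || p[3] == '\0') return false;
    for (size_t i = 0; i < n; i++) {
        if (prefixes[i][0] != '/') continue;
        if (strncmp(path, prefixes[i], strlen(prefixes[i])) == 0) return true;
    }
    return false;
}

/* Decision for a -C file: keep root only when the caller is root or the
   path is trusted, and in both cases the file itself is root-controlled. */
bool keep_root_for_config(const char *path, uid_t caller,
                          const char *const *prefixes, size_t n)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) return false;
    if (!config_perms_ok(st.st_uid, st.st_gid, st.st_mode)) return false;
    return caller == 0 || path_is_trusted(path, prefixes, n);
}
```

A production check would `fstat()` the descriptor it is about to read instead of calling `stat()` on the path, so the file cannot be swapped between the check and the read.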
Comment 8 Josh Bressers 2010-12-14 14:34:06 EST
Created attachment 468682
Patch for above commits
Comment 9 Josh Bressers 2010-12-14 17:48:21 EST
I've been informed that the above commits are still not complete for this issue. I'll update the patch when upstream is finished.
Comment 10 Miroslav Lichvar 2011-01-06 09:25:13 EST
Created attachment 472064
backport for exim-4.43
Comment 11 Miroslav Lichvar 2011-01-06 09:26:39 EST
Created attachment 472066
backport for exim-4.63
Comment 13 Josh Bressers 2011-01-07 15:29:18 EST
Created exim tracking bugs for this issue

Affects: fedora-all [bug 668078]
Comment 15 Josh Bressers 2011-01-07 15:40:55 EST
I'm lowering the severity of this to moderate. Without another flaw that lets you gain access to the exim user, this flaw has no value.
Comment 16 errata-xmlrpc 2011-01-17 12:47:32 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2011:0153 https://rhn.redhat.com/errata/RHSA-2011-0153.html
