Bug 662012 (CVE-2010-4345) - CVE-2010-4345 exim: privilege escalation
Summary: CVE-2010-4345 exim: privilege escalation
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-4345
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 662020 662024 668077 668078 668079 668080 668081 668082
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-12-10 10:39 UTC by Mark J. Cox
Modified: 2021-02-04 00:57 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-20 17:14:35 UTC
Embargoed:


Attachments (Terms of Use)
Patch for above commits (29.93 KB, patch)
2010-12-14 19:34 UTC, Josh Bressers
no flags Details | Diff
backport for exim-4.43 (42.81 KB, patch)
2011-01-06 14:25 UTC, Miroslav Lichvar
no flags Details | Diff
backport for exim-4.63 (43.35 KB, patch)
2011-01-06 14:26 UTC, Miroslav Lichvar
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0153 0 normal SHIPPED_LIVE Moderate: exim security update 2011-01-17 17:47:26 UTC

Description Mark J. Cox 2010-12-10 10:39:39 UTC
See bug #661756
http://www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html

"
Secondly a privilege escalation where the trusted 'exim' user is able to tell
Exim to use arbitrary config files, in which further ${run ...} commands will
be invoked as root.

The latter should be addressed by the patch at
http://lists.exim.org/lurker/message/20101209.172233.abcba158.en.html
"

Comment 5 David Woodhouse 2010-12-10 17:11:18 UTC
http://bugs.exim.org/show_bug.cgi?id=1044

Comment 6 David Woodhouse 2010-12-12 03:26:48 UTC
http://lists.exim.org/lurker/message/20101212.031058.0a4ca7c2.en.html

I've just pushed a set of patches to
    http://git.exim.org/users/dwmw2/exim.git
    git://git.exim.org/users/dwmw2/exim.git

They do the following:

- Add Valgrind hooks to the store pools to aid debugging.

- Don't use config files as root if they're writeable by non-root
  users/groups. Including the Exim user/group.

- Kill ALT_CONFIG_ROOT_ONLY as discussed, so only root can specify
  arbitrary files on the command line with the -C option. If the Exim
  user uses -C, or uses the -D option to set macros, then root privs
  will be dropped.

- Add a TRUSTED_CONFIG_PREFIX_FILE option. If set, it gives a filename
  for a file that contains prefix strings, like the ALT_CONFIG_PREFIX.
  Each line in that file specifies a prefix for config files which are
  to be trusted, and executed with root privilege if seen in the -C
  option, regardless of which user Exim is invoked by. As long as the
  config file is not writeable by anyone but root, of course.

- Set FD_CLOEXEC on SMTP sockets after forking to handle the connection.


The TRUSTED_CONFIG_PREFIX_FILE one wants a little more attention; I
haven't properly tested it yet. But it's 3am so not right now...

Comment 7 Josh Bressers 2010-12-14 19:24:26 UTC
Here are the upstream patches for this one:

Allow only absolute paths in TRUSTED_CONFIG_PREFIX_LIST...
http://git.exim.org/exim.git/commit/1e83d68b72d24d6255d2e78facbe01656515ab4f


Set FD_CLOEXEC on SMTP sockets after forking to handle... 
http://git.exim.org/exim.git/commit/fa32850be0d9e605da1b33305c122f7a59a24650


Add TRUSTED_CONFIG_PREFIX_FILE option
http://git.exim.org/exim.git/commit/261dc43e32f6039781ca92535e56f5caaa68b809


Remove ALT_CONFIG_ROOT_ONLY build option, effectively... 
http://git.exim.org/exim.git/commit/cd25e41d2d044556e024f0292a17c5ec3cc7987b


Check configure file permissions even for non-default... 
http://git.exim.org/exim.git/commit/e2f5dc151e2e79058e93924e6d35510557f0535d


Don't allow a configure file which is writeable by... 
http://git.exim.org/exim.git/commit/c1d94452b1b7f3620ee3cc9aa197ad98821de79f

Comment 8 Josh Bressers 2010-12-14 19:34:06 UTC
Created attachment 468682 [details]
Patch for above commits

Comment 9 Josh Bressers 2010-12-14 22:48:21 UTC
I've been informed that the above commits are still not complete for this issue. I'll update the patch when upstream is finished.

Comment 10 Miroslav Lichvar 2011-01-06 14:25:13 UTC
Created attachment 472064 [details]
backport for exim-4.43

Comment 11 Miroslav Lichvar 2011-01-06 14:26:39 UTC
Created attachment 472066 [details]
backport for exim-4.63

Comment 13 Josh Bressers 2011-01-07 20:29:18 UTC
Created exim tracking bugs for this issue

Affects: fedora-all [bug 668078]
Affects: fedora-all [bug 668078]

Comment 15 Josh Bressers 2011-01-07 20:40:55 UTC
I'm lowering the severity of this to moderate. Without another flaw that lets you gain access to the exim user, this flaw has no value.

Comment 16 errata-xmlrpc 2011-01-17 17:47:32 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2011:0153 https://rhn.redhat.com/errata/RHSA-2011-0153.html


Note You need to log in before you can comment on or make changes to this bug.