SB2011012801 - Two privilege escalation vulnerabilities in Exim
Published: January 28, 2011
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Privilege escalation (CVE-ID: CVE-2011-0017)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/U:Clear
The vulnerability allows a local user to escalate privileges on the vulnerable system.
The vulnerability exists due to Exim implementation on Linux system does not check return values from the setuid()/setgid() system calls. A local user can execute arbitrary commands on the system with root privileges.
Successful exploitation of this vulnerability will allow a local user to gain root privileges on the system.
2) Privilege escalation (CVE-ID: CVE-2010-4345)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:A/U:Clear
The vulnerability allows a local user to escalate privileges on vulnerable system.
The vulnerability exists due to design error in Exim, when allowing local users to load arbitrary configuration file via the "spool_directory" directive. A local user can specify an alternate configuration file with a directive that contains arbitrary commands and execute arbitrary commands on the system with root privileges.
Successful exploitation of this vulnerability will allow a local user to gain root privileges on the system.
Remediation
Install update from vendor's website.