Exim SPA Authentication Remote Buffer Overflow Vulnerability
BID:12188
Info
Exim SPA Authentication Remote Buffer Overflow Vulnerability
| Bugtraq ID: | 12188 |
| Class: | Boundary Condition Error |
| CVE: |
CVE-2005-0022 |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 06 2005 12:00AM |
| Updated: | Jul 12 2009 09:27AM |
| Credit: | Discovery is credited to an anonymous source. |
| Vulnerable: |
University of Cambridge Exim 4.43 University of Cambridge Exim 4.42 University of Cambridge Exim 4.41 University of Cambridge Exim 4.40 University of Cambridge Exim 4.34 University of Cambridge Exim 4.33 University of Cambridge Exim 4.32 University of Cambridge Exim 4.21 University of Cambridge Exim 4.20 University of Cambridge Exim 4.10 SuSE Linux 8.1 SuSE Linux 8.0 i386 SuSE Linux 8.0 S.u.S.E. Linux Personal 9.2 S.u.S.E. Linux Personal 9.1 S.u.S.E. Linux Personal 9.0 x86_64 S.u.S.E. Linux Personal 9.0 S.u.S.E. Linux Personal 8.2 Redhat Fedora Core3 Redhat Fedora Core2 ALT Linux ALT Linux Junior 2.3 ALT Linux ALT Linux Compact 2.3 |
| Not Vulnerable: | |
Discussion
Exim SPA Authentication Remote Buffer Overflow Vulnerability
Exim is reported susceptible to a buffer overflow vulnerability when attempting to authenticate remote users via SPA. This issue is due to a failure of the application to properly bounds check user-supplied input prior to copying it to a fixed-size memory buffer.
This vulnerability reportedly allows remote attackers to execute arbitrary code in the context of the affected server application. This issue is only exploitable if SPA authentication is configured to be used. SPA authentication is not enabled by default.
Exim is reported susceptible to a buffer overflow vulnerability when attempting to authenticate remote users via SPA. This issue is due to a failure of the application to properly bounds check user-supplied input prior to copying it to a fixed-size memory buffer.
This vulnerability reportedly allows remote attackers to execute arbitrary code in the context of the affected server application. This issue is only exploitable if SPA authentication is configured to be used. SPA authentication is not enabled by default.
Exploit / POC
Exim SPA Authentication Remote Buffer Overflow Vulnerability
Exploit code is available.
Exploit code is available.
Solution / Fix
Exim SPA Authentication Remote Buffer Overflow Vulnerability
Solution:
The vendor has released patches, and a snapshot version of Exim to address this issue. These patches are for version 4.43 of Exim, but the vendor has reported that they may also work for previous versions.
The patches can be extracted from the referenced email message from Philip Hazel.
SuSE Linux has released a security summary report (SUSE-SR:2005:002) that contains fixes to address this and other vulnerabilities. Customers are advised to peruse the referenced advisory for further information regarding obtaining and applying appropriate updates.
RedHat has released two advisories called FEDORA-2005-001 to address this, and other issues for Fedora Core 2 and 3. Please see the referenced advisories for further information.
Ubuntu has released advisory USN-56-1 to address this issue. Please see the attached advisory for further information on obtaining and applying fixes.
Gentoo has released an advisory GLSA 200501-23 to address issues in Exim. Please see the referenced advisory for more information. Gentoo users may carry out the following commands to update their computers:
emerge --sync
emerge --ask --oneshot --verbose ">=mail-mta/exim-4.43-r2"
ALT Linux has released updates dealing with this and other issues. Please see the reference section for more information.
University of Cambridge Exim 4.10
University of Cambridge Exim 4.20
University of Cambridge Exim 4.21
University of Cambridge Exim 4.32
University of Cambridge Exim 4.33
University of Cambridge Exim 4.34
University of Cambridge Exim 4.40
University of Cambridge Exim 4.41
University of Cambridge Exim 4.42
University of Cambridge Exim 4.43
Solution:
The vendor has released patches, and a snapshot version of Exim to address this issue. These patches are for version 4.43 of Exim, but the vendor has reported that they may also work for previous versions.
The patches can be extracted from the referenced email message from Philip Hazel.
SuSE Linux has released a security summary report (SUSE-SR:2005:002) that contains fixes to address this and other vulnerabilities. Customers are advised to peruse the referenced advisory for further information regarding obtaining and applying appropriate updates.
RedHat has released two advisories called FEDORA-2005-001 to address this, and other issues for Fedora Core 2 and 3. Please see the referenced advisories for further information.
Ubuntu has released advisory USN-56-1 to address this issue. Please see the attached advisory for further information on obtaining and applying fixes.
Gentoo has released an advisory GLSA 200501-23 to address issues in Exim. Please see the referenced advisory for more information. Gentoo users may carry out the following commands to update their computers:
emerge --sync
emerge --ask --oneshot --verbose ">=mail-mta/exim-4.43-r2"
ALT Linux has released updates dealing with this and other issues. Please see the reference section for more information.
University of Cambridge Exim 4.10
-
SuSE exim-4.12-130.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/exim-4.12-130.i58 6.rpm -
SuSE exim-4.12-130.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/exim-4.12-130.i58 6.rpm -
University of Cambridge exim-snapshot.tar.gz
ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/Testing/exim-snapshot. tar.gz
University of Cambridge Exim 4.20
-
University of Cambridge exim-snapshot.tar.gz
ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/Testing/exim-snapshot. tar.gz
University of Cambridge Exim 4.21
-
SuSE exim-4.22-143.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/exim-4.22-143.i58 6.rpm -
SuSE exim-4.22-143.x86_64.rpm
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/exim-4.22-143 .x86_64.rpm -
SuSE exim-4.30-25.4.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/exim-4.30-25.4.i5 86.rpm -
SuSE exim-4.30-25.4.x86_64.rpm
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/exim-4.30-25. 4.x86_64.rpm -
University of Cambridge exim-snapshot.tar.gz
ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/Testing/exim-snapshot. tar.gz
University of Cambridge Exim 4.32
-
University of Cambridge exim-snapshot.tar.gz
ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/Testing/exim-snapshot. tar.gz
University of Cambridge Exim 4.33
-
Fedora exim-4.43-1.FC2.1.i386.rpm
RedHat Fedora Core 2
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ -
Fedora exim-4.43-1.FC2.1.x86_64.rpm
RedHat Fedora Core 2
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ -
Fedora exim-debuginfo-4.43-1.FC2.1.i386.rpm
RedHat Fedora Core 2
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ -
Fedora exim-debuginfo-4.43-1.FC2.1.x86_64.rpm
RedHat Fedora Core 2
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ -
Fedora exim-doc-4.43-1.FC2.1.i386.rpm
RedHat Fedora Core 2
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ -
Fedora exim-doc-4.43-1.FC2.1.x86_64.rpm
RedHat Fedora Core 2
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ -
Fedora exim-mon-4.43-1.FC2.1.i386.rpm
RedHat Fedora Core 2
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ -
Fedora exim-mon-4.43-1.FC2.1.x86_64.rpm
RedHat Fedora Core 2
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ -
Fedora exim-sa-4.43-1.FC2.1.i386.rpm
RedHat Fedora Core 2
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ -
Fedora exim-sa-4.43-1.FC2.1.x86_64.rpm
RedHat Fedora Core 2
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ -
University of Cambridge exim-snapshot.tar.gz
ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/Testing/exim-snapshot. tar.gz
University of Cambridge Exim 4.34
-
Ubuntu exim4-base_4.34-5ubuntu1.1_amd64.deb
Ubuntu 4.10 (Warty Warthog)
http://security.ubuntu.com/ubuntu/pool/main/e/exim4/exim4-base_4.34-5u buntu1.1_amd64.deb -
Ubuntu exim4-base_4.34-5ubuntu1.1_powerpc.deb
Ubuntu 4.10 (Warty Warthog)
http://security.ubuntu.com/ubuntu/pool/main/e/exim4/exim4-base_4.34-5u buntu1.1_powerpc.deb -
Ubuntu exim4-config_4.34-5ubuntu1.1_all.deb
Ubuntu 4.10 (Warty Warthog)
http://security.ubuntu.com/ubuntu/pool/main/e/exim4/exim4-config_4.34- 5ubuntu1.1_all.deb -
Ubuntu exim4-daemon-heavy_4.34-5ubuntu1.1_amd64.deb
Ubuntu 4.10 (Warty Warthog)
http://security.ubuntu.com/ubuntu/pool/main/e/exim4/exim4-daemon-heavy _4.34-5ubuntu1.1_amd64.deb -
Ubuntu exim4-daemon-heavy_4.34-5ubuntu1.1_i386.deb
Ubuntu 4.10 (Warty Warthog)
http://security.ubuntu.com/ubuntu/pool/main/e/exim4/exim4-daemon-heavy _4.34-5ubuntu1.1_i386.deb -
Ubuntu exim4-daemon-heavy_4.34-5ubuntu1.1_powerpc.deb
Ubuntu 4.10 (Warty Warthog)
http://security.ubuntu.com/ubuntu/pool/main/e/exim4/exim4-daemon-heavy _4.34-5ubuntu1.1_powerpc.deb -
Ubuntu exim4-daemon-light_4.34-5ubuntu1.1_amd64.deb
Ubuntu 4.10 (Warty Warthog)
http://security.ubuntu.com/ubuntu/pool/main/e/exim4/exim4-daemon-light _4.34-5ubuntu1.1_amd64.deb -
Ubuntu exim4-daemon-light_4.34-5ubuntu1.1_i386.deb
Ubuntu 4.10 (Warty Warthog)
http://security.ubuntu.com/ubuntu/pool/main/e/exim4/exim4-daemon-light _4.34-5ubuntu1.1_i386.deb -
Ubuntu exim4-daemon-light_4.34-5ubuntu1.1_powerpc.deb
Ubuntu 4.10 (Warty Warthog)
http://security.ubuntu.com/ubuntu/pool/main/e/exim4/exim4-daemon-light _4.34-5ubuntu1.1_powerpc.deb -
Ubuntu eximon4_4.34-5ubuntu1.1_amd64.deb
Ubuntu 4.10 (Warty Warthog)
http://security.ubuntu.com/ubuntu/pool/universe/e/exim4/eximon4_4.34-5 ubuntu1.1_amd64.deb -
Ubuntu eximon4_4.34-5ubuntu1.1_i386.deb
Ubuntu 4.10 (Warty Warthog)
http://security.ubuntu.com/ubuntu/pool/universe/e/exim4/eximon4_4.34-5 ubuntu1.1_i386.deb -
Ubuntu eximon4_4.34-5ubuntu1.1_powerpc.deb
Ubuntu 4.10 (Warty Warthog)
http://security.ubuntu.com/ubuntu/pool/universe/e/exim4/eximon4_4.34-5 ubuntu1.1_powerpc.deb -
University of Cambridge exim-snapshot.tar.gz
ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/Testing/exim-snapshot. tar.gz
University of Cambridge Exim 4.40
-
University of Cambridge exim-snapshot.tar.gz
ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/Testing/exim-snapshot. tar.gz
University of Cambridge Exim 4.41
-
University of Cambridge exim-snapshot.tar.gz
ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/Testing/exim-snapshot. tar.gz
University of Cambridge Exim 4.42
-
SuSE exim-4.42-3.2.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/exim-4.42-3.2.i58 6.rpm -
SuSE exim-4.42-3.2.x86_64.rpm
ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/x86_64/exim-4.42-3.2 .x86_64.rpm -
University of Cambridge exim-snapshot.tar.gz
ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/Testing/exim-snapshot. tar.gz
University of Cambridge Exim 4.43
-
Fedora exim-4.43-1.FC3.1.i386.rpm
RedHat Fedora Core 3
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ -
Fedora exim-4.43-1.FC3.1.x86_64.rpm
RedHat Fedora Core 3
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ -
Fedora exim-debuginfo-4.43-1.FC3.1.i386.rpm
RedHat Fedora Core 3
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ -
Fedora exim-debuginfo-4.43-1.FC3.1.x86_64.rpm
RedHat Fedora Core 3
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ -
Fedora exim-doc-4.43-1.FC3.1.i386.rpm
RedHat Fedora Core 3
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ -
Fedora exim-doc-4.43-1.FC3.1.x86_64.rpm
RedHat Fedora Core 3
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ -
Fedora exim-mon-4.43-1.FC3.1.i386.rpm
RedHat Fedora Core 3
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ -
Fedora exim-mon-4.43-1.FC3.1.x86_64.rpm
RedHat Fedora Core 3
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ -
Fedora exim-sa-4.43-1.FC3.1.i386.rpm
RedHat Fedora Core 3
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ -
Fedora exim-sa-4.43-1.FC3.1.x86_64.rpm
RedHat Fedora Core 3
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ -
University of Cambridge exim-snapshot.tar.gz
ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/Testing/exim-snapshot. tar.gz
References
Exim SPA Authentication Remote Buffer Overflow Vulnerability
References:
References:
- [exim] 2 smallish security issues (Philip Hazel)
- [security-announce] I: updated packages available (ALT Linux)
- Exim auth_spa_server() Buffer Overflow Vulnerability (iDEFENSE)
- Exim Homepage (Exim)