-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                 AUSCERT Security Bulletin ASB-2010.0080.2
   Code execution vulnerability identified in the SpamAssassin Milter plugin
                               29 March 2010
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              SpamAssassin Milter plugin
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2010-1132
Member content until: Thursday, April 15 2010

Revision History:     March 29 2010: Added CVE Reference
                      March 16 2010: Initial Release

OVERVIEW

        A vulnerability has been identified in the SpamAssassin Milter Plugin.

IMPACT

        The following information was published regarding this vulnerability:

        "A vulnerability was reported in SpamAssassin Milter Plugin. A remote
        user can execute arbitrary code on the target system.

        When the software is invoked with the expand (-x) flag, the software
        makes an unsafe popen() call. A remote user can send a specially
        crafted RCPT TO value to execute arbitrary code on the target system.

        The code will run with the privileges of the target service." [1]

MITIGATION

        A preliminary patch has been made available on the vendor's website
        [1]. Administrators should test the patch before deploying to
        production systems.

        The vulnerability also depends on the plugin being run with the -x
        flag, so systems not utilising this configuration would not be
        affected.

        Also, as good practice, you should never run plugins as root, as this
        would enable more severe attacks.

REFERENCES

        [1] bug #29136: SpamAssassin Milter Plugin Input Validation Flaw
            Lets Remote Users Execute Arbitrary Code
            http://savannah.nongnu.org/bugs/index.php?29136

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National
IT Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFLr/Co/iFOrG6YcBERArdZAJ91nF6sZw54w//zn5pDKTC9RJkMFQCgqmUY
QjHpPs/Pga4jJ4pafY/9FQY=
=R2dV
-----END PGP SIGNATURE-----
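The IMPACT and MITIGATION sections above describe the defect only in outline: an untrusted RCPT TO value reaching a popen() call, which hands the string to /bin/sh. The following C program is an added illustration written for this page; it is not AusCERT's text, not the vendor patch from reference [1], and not the plugin's own source. It places the unsafe popen() pattern beside a hardened replacement that (a) checks the recipient against a strict character allow-list and (b) launches the helper through fork()/execvp() with an argv array, so no shell ever parses the address. The helper command line ("sendmail -bv <address>") and the sample addresses are assumptions made for the example.

```c
/* Added example (not the bulletin's or the plugin's code). Shows the
 * popen()-with-interpolated-input pattern the bulletin describes, and a
 * hardened replacement: allow-list validation plus execvp() with an argv
 * array, so the recipient is never parsed by a shell.
 * The helper command "sendmail -bv <rcpt>" is an assumption for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Defence in depth: accept only letters, digits and a small set of
 * address punctuation; reject whitespace, control bytes and everything
 * else. Length is capped at the SMTP path limit of 254 octets. */
int recipient_is_safe(const char *rcpt)
{
    size_t n, i;
    if (rcpt == NULL) return 0;
    n = strlen(rcpt);
    if (n == 0 || n > 254) return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)rcpt[i];
        if (isalnum(c)) continue;
        if (strchr("@._-+", c) != NULL) continue;
        return 0;                      /* anything outside the allow-list */
    }
    return 1;
}

/* VULNERABLE pattern, kept only for contrast and never called here:
 * the recipient is pasted into a command string and popen() runs that
 * string through "/bin/sh -c", so the recipient's bytes become shell syntax. */
FILE *expand_with_popen_unsafe(const char *rcpt)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "sendmail -bv %s", rcpt); /* untrusted data */
    return popen(cmd, "r");
}

/* Hardened helper runner: execvp() with an argv array (no shell), stdout
 * captured into buf (NUL-terminated, truncated if too long). Returns the
 * child's exit status, or -1 on failure. */
int run_helper_no_shell(char *const argv[], char *buf, size_t buflen)
{
    int fds[2], status;
    pid_t pid;
    size_t used = 0;
    ssize_t n;
    char scratch[256];

    if (buflen == 0 || pipe(fds) != 0) return -1;
    pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                    /* child */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        execvp(argv[0], argv);         /* argv[2] is one argument, never parsed */
        _exit(127);
    }
    close(fds[1]);                     /* parent */
    while (used + 1 < buflen && (n = read(fds[0], buf + used, buflen - 1 - used)) > 0)
        used += (size_t)n;
    buf[used] = '\0';
    while (read(fds[0], scratch, sizeof scratch) > 0) { } /* drain so child can exit */
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Fail closed: refuse the recipient outright instead of trying to sanitise it. */
int expand_recipient(const char *rcpt, char *buf, size_t buflen)
{
    if (!recipient_is_safe(rcpt)) {
        if (buflen > 0) buf[0] = '\0';
        return -1;
    }
    {
        char *const argv[] = { "sendmail", "-bv", (char *)rcpt, NULL };
        return run_helper_no_shell(argv, buf, buflen);
    }
}

int main(void)
{
    /* Constructed sample addresses, not taken from the bulletin. */
    const char *samples[] = { "user@example.com", "user name@example.com", "user@example.com\n" };
    char out[256];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s -> %s\n", samples[i], recipient_is_safe(samples[i]) ? "accepted" : "rejected");
    {
        char *const argv[] = { "echo", "helper ran without a shell", NULL };
        int rc = run_helper_no_shell(argv, out, sizeof out);
        printf("exit=%d output=%s", rc, out);
    }
    return 0;
}
```

The allow-list is deliberately narrow; a site that needs legacy address forms can widen it, but the structural fix is the exec path: once the address travels as a single argv element, shell metacharacters in it are inert, and the allow-list only limits what the helper itself has to cope with. The same pattern applies to any milter or filter that shells out with data taken from an SMTP envelope or header.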