COMMAND
InterNet News Server (innd) - ucbmail
SYSTEMS AFFECTED
Systems running INN versions 1.5.1 and earlier
PROBLEM
A new vulnerability was found in INN (InterNetNews server) after
the first vulnerability (see innd #1, #2, #3). This vulnerability
allows unauthorized users to execute arbitrary commands on the
machine running INN by sending a maliciously formed news control
message. Because the problem is with the content of news control
messages, attacks can be launched remotely and may reach news
servers located behind Internet firewalls.
This second vulnerability involving INN is similar to the first. INN
itself attempts to carefully remove certain shell "metacharacters"
from data in control messages before passing that data to a shell.
The patch for the vulnerabilities described as innd #1, #2 and #3
fixes some of the checks that were found to be inadequate. However
ucbmail, a program typically configured as the mailer INN should
use, lacks similar checks. INN passes some data unchecked to this
mailer, which in turn passes the data to a shell for processing.
Remote, unauthorized users can execute arbitrary commands on the
system with the same privileges as the innd (INN daemon) process.
Attacks may reach news servers located behind Internet firewalls.
Michal Jankowski pointed out that this bug is actually in the
"mail" program and doesn't need INN to be exploited, and added a
trivial example of sending somebody (root, preferably) a mail with
"Reply-To: |some-interesting-command-here" in the hope that they
will use ucb mail to reply to that letter. Still, this is not
confirmed to work (yet).
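As an added illustration (not INN's code and not the patch), the kind of check the advisory describes, written from the defender's side: parse a control message's headers, flag any mailer-bound field that still carries shell metacharacters, and validate address fields against an allowlist rather than stripping a denylist. The header list, the metacharacter set and the sample messages are assumptions for this example.

```python
import re

# Fields assumed (for this example) to reach the mailer; not INN's actual list.
MAILER_HEADERS = ("From", "Reply-To", "Sender", "Subject", "Newsgroups")

# Characters a Bourne shell interprets. The advisory's failure mode is any
# of these surviving into the command line ucbmail builds for /bin/sh.
SHELL_META = set("|&;<>()$`\\\"'*?[]{}!#~\n\r")

# Allowlist for an address value: safer than stripping a metacharacter denylist.
ADDRESS_OK = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+$")

def parse_headers(message):
    """Map header name -> value for the text before the first blank line,
    folding continuation lines onto the preceding header."""
    headers, last = {}, None
    for line in message.split("\n\n", 1)[0].split("\n"):
        if line[:1] in (" ", "\t") and last:
            headers[last] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            last = name.strip()
            headers[last] = value.strip()
    return headers

def find_unsafe_headers(message):
    """For a control message, return [(header, offending chars), ...] for
    each mailer-bound field containing shell metacharacters. Non-control
    messages never take the mailer path, so they return []."""
    headers = parse_headers(message)
    if "Control" not in headers:
        return []
    findings = []
    for name in MAILER_HEADERS:
        bad = "".join(sorted(set(headers.get(name, "")) & SHELL_META))
        if bad:
            findings.append((name, bad))
    return findings

def address_is_safe(value):
    """Strict allowlist check for a single address header such as Reply-To."""
    return ADDRESS_OK.match(value) is not None

# Constructed sample messages (not captured traffic).
SAFE_CONTROL = ("From: newsadmin@example.org\nNewsgroups: comp.example.admin\n"
                "Subject: cmsg newgroup comp.example.test\n"
                "Control: newgroup comp.example.test\n\nbody\n")
BAD_CONTROL = SAFE_CONTROL.replace("Control:",
                                   "Reply-To: |not-an-address\nControl:", 1)
```

Running find_unsafe_headers over an incoming control-message feed gives a log line per field that would have reached the mailer unsanitised; the allowlist is the stricter replacement for the stripping approach.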
SOLUTION
James Brister, the current maintainer of INN, has made a patch
available that checks more data before it is passed to the mailer
program. Although only the ucbmail program is known to have this
problem, sites are encouraged to apply the patch regardless of
what mail program their INN is configured to use.
The current version of INN is 1.5.1. It is not vulnerable to the
first vulnerability described in innd #1, #2 and #3, but it is
vulnerable to the second, so a patch is necessary.
INN 1.5.1 and information about it are available from
http://www.isc.org/inn.html
The patch is available from
ftp://ftp.isc.org:/isc/inn/patches/security-patch.04
If you do not upgrade to 1.5.1, apply a patch for the version you
are running and then apply the newly released patch that addresses
the second vulnerability discussed here. If you are running INN
1.4sec2, you should upgrade to 1.5.1 as no patches are available.
FIRST apply:
version               patch
-------               -----
1.5                   ftp://ftp.isc.org/isc/inn/patches/security-patch.01
1.4sec                ftp://ftp.isc.org/isc/inn/patches/security-patch.02
1.4unoff3, 1.4unoff4  ftp://ftp.isc.org/isc/inn/patches/security-patch.03
THEN apply (to 1.5.1, 1.5, 1.4sec, 1.4unoff3, 1.4unoff4):
ftp://ftp.isc.org:/isc/inn/patches/security-patch.04
After installing any of the patches or updates, ensure that you
restart your INN server.
Vendor notices and patches for this vulnerability (at the time of writing):
NEC Corporation
The products below ship with the INN version mentioned in this
advisory, so they are vulnerable; patches are in progress.
Goah/NetworkSV R1.2 vulnerable
Goah/NetworkSV R2.2 vulnerable
Goah/NetworkSV R3.1 vulnerable
Goah/IntraSV R1.1 vulnerable
Red Hat Linux
There is a critical security hole in INN which affects all
versions of Red Hat Linux. A new version, inn-1.5.1-6, is now
available for Red Hat Linux 4.0 and 4.1 for all platforms. If you
are running an earlier version of Red Hat, we strongly encourage
you to upgrade to 4.1 as soon as possible, as many critical
security fixes have been made. The new version of inn is PGP
signed with the Red Hat PGP key, which is available on all Red
Hat CDROMs, ftp.redhat.com, and public keyservers.
You may upgrade to the new version as follows:
Red Hat 4.1
-----------
i386:
rpm -Uvh ftp://ftp.redhat.com/updates/4.1/i386/inn-1.5.1-6.i386.rpm
alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/4.1/alpha/inn-1.5.1-6.alpha.rpm
SPARC:
rpm -Uvh ftp://ftp.redhat.com/updates/4.1/sparc/inn-1.5.1-6.sparc.rpm
Red Hat 4.0
-----------
i386:
rpm -Uvh ftp://ftp.redhat.com/updates/4.0/i386/inn-1.5.1-6.i386.rpm
alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/4.0/alpha/inn-1.5.1-6.alpha.rpm
SPARC:
rpm -Uvh ftp://ftp.redhat.com/updates/4.0/sparc/inn-1.5.1-6.sparc.rpm