CVE-2010-2024 - Race Condition vulnerability in Exim
Attack vector: LOCAL
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Summary
transports/appendfile.c in Exim before 4.72, when MBX locking is enabled, allows local users to change permissions of arbitrary files or create arbitrary files, and cause a denial of service or possibly gain privileges, via a symlink attack on a lockfile in /tmp/.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging Race Conditions: This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
- Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions: This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Nessus
NASL family: SuSE Local Security Checks
NASL id: SUSE_11_2_EXIM-100720.NASL
description: Two local vulnerabilities have been fixed in the exim MTA which allowed attackers to create arbitrary files or to change ownership of arbitrary files. CVE-2010-2023 and CVE-2010-2024 have been assigned to these issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 47817
published: 2010-07-23
reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/47817
title: openSUSE Security Update : exim (openSUSE-SU-2010:0416-1)
code:

    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update exim-2750.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #

    include("compat.inc");

    if (description)
    {
      script_id(47817);
      script_version("1.8");
      script_cvs_date("Date: 2019/10/25 13:36:38");

      script_cve_id("CVE-2010-2023", "CVE-2010-2024");

      script_name(english:"openSUSE Security Update : exim (openSUSE-SU-2010:0416-1)");
      script_summary(english:"Check for the exim-2750 patch");

      script_set_attribute(
        attribute:"synopsis",
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description",
        value: "Two local vulnerabilities have been fixed in the exim MTA which allowed attackers to create arbitrary files or to change ownership of arbitrary files. CVE-2010-2023 and CVE-2010-2024 have been assigned to these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=612549"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.opensuse.org/opensuse-updates/2010-07/msg00025.html"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected exim packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:exim");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:eximon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:eximstats-html");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.2");

      script_set_attribute(attribute:"patch_publication_date", value:"2010/07/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/07/23");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");

    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE11\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.2", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

    flag = 0;

    if ( rpm_check(release:"SUSE11.2", reference:"exim-4.69-72.4.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"eximon-4.69-72.4.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"eximstats-html-4.69-72.4.1") ) flag++;

    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exim");
    }

NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-1060-1.NASL
description: It was discovered that Exim contained a design flaw in the way it processed alternate configuration files. An attacker that obtained privileges of the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 51954
published: 2011-02-11
reporter: Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/51954
title: Ubuntu 6.06 LTS / 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : exim4 vulnerabilities (USN-1060-1)
code:

    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-1060-1. The text
    # itself is copyright (C) Canonical, Inc. See
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
    # trademark of Canonical, Inc.
    #

    include("compat.inc");

    if (description)
    {
      script_id(51954);
      script_version("1.11");
      script_cvs_date("Date: 2019/09/19 12:54:26");

      script_cve_id("CVE-2010-2023", "CVE-2010-2024", "CVE-2010-4345", "CVE-2011-0017");
      script_bugtraq_id(40451, 40454, 45341, 46065);
      script_xref(name:"USN", value:"1060-1");

      script_name(english:"Ubuntu 6.06 LTS / 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : exim4 vulnerabilities (USN-1060-1)");
      script_summary(english:"Checks dpkg output for updated packages.");

      script_set_attribute(
        attribute:"synopsis",
        value: "The remote Ubuntu host is missing one or more security-related patches."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "It was discovered that Exim contained a design flaw in the way it processed alternate configuration files. An attacker that obtained privileges of the 'Debian-exim' user could use an alternate configuration file to obtain root privileges. (CVE-2010-4345)

    It was discovered that Exim incorrectly handled certain return values when handling logging. An attacker that obtained privileges of the 'Debian-exim' user could use this flaw to obtain root privileges. (CVE-2011-0017)

    Dan Rosenberg discovered that Exim incorrectly handled writable sticky-bit mail directories. If Exim were configured in this manner, a local user could use this flaw to cause a denial of service or possibly gain privileges. This issue only applied to Ubuntu 6.06 LTS, 8.04 LTS, 9.10, and 10.04 LTS. (CVE-2010-2023)

    Dan Rosenberg discovered that Exim incorrectly handled MBX locking. If Exim were configured in this manner, a local user could use this flaw to cause a denial of service or possibly gain privileges. This issue only applied to Ubuntu 6.06 LTS, 8.04 LTS, 9.10, and 10.04 LTS. (CVE-2010-2024).

    Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/1060-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Exim4 string_format Function Heap Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4-config");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-custom");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-heavy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-heavy-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-light");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-light-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:eximon4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:9.10");

      script_set_attribute(attribute:"vuln_publication_date", value:"2010/06/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/02/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/02/11");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

      exit(0);
    }

    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");

    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(6\.06|8\.04|9\.10|10\.04|10\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 6.06 / 8.04 / 9.10 / 10.04 / 10.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

    flag = 0;

    if (ubuntu_check(osver:"6.06", pkgname:"exim4", pkgver:"4.60-3ubuntu3.3")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"exim4-base", pkgver:"4.60-3ubuntu3.3")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"exim4-config", pkgver:"4.60-3ubuntu3.3")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"exim4-daemon-custom", pkgver:"4.60-3ubuntu3.3")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"exim4-daemon-heavy", pkgver:"4.60-3ubuntu3.3")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"exim4-daemon-light", pkgver:"4.60-3ubuntu3.3")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"eximon4", pkgver:"4.60-3ubuntu3.3")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"exim4", pkgver:"4.69-2ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"exim4-base", pkgver:"4.69-2ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"exim4-config", pkgver:"4.69-2ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"exim4-daemon-custom", pkgver:"4.69-2ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"exim4-daemon-heavy", pkgver:"4.69-2ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"exim4-daemon-heavy-dbg", pkgver:"4.69-2ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"exim4-daemon-light", pkgver:"4.69-2ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"exim4-daemon-light-dbg", pkgver:"4.69-2ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"exim4-dbg", pkgver:"4.69-2ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"exim4-dev", pkgver:"4.69-2ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"eximon4", pkgver:"4.69-2ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"exim4", pkgver:"4.69-11ubuntu4.2")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"exim4-base", pkgver:"4.69-11ubuntu4.2")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"exim4-config", pkgver:"4.69-11ubuntu4.2")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"exim4-daemon-custom", pkgver:"4.69-11ubuntu4.2")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"exim4-daemon-heavy", pkgver:"4.69-11ubuntu4.2")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"exim4-daemon-heavy-dbg", pkgver:"4.69-11ubuntu4.2")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"exim4-daemon-light", pkgver:"4.69-11ubuntu4.2")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"exim4-daemon-light-dbg", pkgver:"4.69-11ubuntu4.2")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"exim4-dbg", pkgver:"4.69-11ubuntu4.2")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"exim4-dev", pkgver:"4.69-11ubuntu4.2")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"eximon4", pkgver:"4.69-11ubuntu4.2")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"exim4", pkgver:"4.71-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"exim4-base", pkgver:"4.71-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"exim4-config", pkgver:"4.71-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"exim4-daemon-custom", pkgver:"4.71-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"exim4-daemon-heavy", pkgver:"4.71-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"exim4-daemon-heavy-dbg", pkgver:"4.71-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"exim4-daemon-light", pkgver:"4.71-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"exim4-daemon-light-dbg", pkgver:"4.71-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"exim4-dbg", pkgver:"4.71-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"exim4-dev", pkgver:"4.71-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"eximon4", pkgver:"4.71-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"exim4", pkgver:"4.72-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"exim4-base", pkgver:"4.72-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"exim4-config", pkgver:"4.72-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"exim4-daemon-custom", pkgver:"4.72-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"exim4-daemon-heavy", pkgver:"4.72-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"exim4-daemon-heavy-dbg", pkgver:"4.72-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"exim4-daemon-light", pkgver:"4.72-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"exim4-daemon-light-dbg", pkgver:"4.72-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"exim4-dbg", pkgver:"4.72-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"exim4-dev", pkgver:"4.72-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"eximon4", pkgver:"4.72-1ubuntu1.1")) flag++;

    if (flag)
    {
      security_report_v4(
        port : 0,
        severity : SECURITY_WARNING,
        extra : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exim4 / exim4-base / exim4-config / exim4-daemon-custom / etc");
    }

NASL family: SMTP problems
NASL id: EXIM_4_72.NASL
description: The remote host is running Exim, a message transfer agent (SMTP). According to the version number in its banner, the installed version of Exim is earlier than 4.72 and thus potentially affected by one or both of the following vulnerabilities : - An error when handling hardlinks within the mail directory during the mail delivery process can be exploited to perform unauthorized actions. (CVE-2010-2023) - When MBX locking is enabled, a race condition exists that could allow an attacker to change permissions of other non-root users
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 46783
published: 2010-06-02
reporter: This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/46783
title: Exim < 4.72 Multiple Vulnerabilities
code:

    #
    # (C) Tenable Network Security, Inc.
    #

    include("compat.inc");

    if (description)
    {
      script_id(46783);
      script_version("1.13");
      script_cvs_date("Date: 2018/11/15 20:50:24");

      script_cve_id("CVE-2010-2023", "CVE-2010-2024");
      script_bugtraq_id(40451, 40454);
      script_xref(name:"Secunia", value:"40019");

      script_name(english:"Exim < 4.72 Multiple Vulnerabilities");
      script_summary(english:"Checks version of SMTP banner");

      script_set_attribute(attribute:"synopsis", value:
    "The remote mail server is potentially affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote host is running Exim, a message transfer agent (SMTP). According to the version number in its banner, the installed version of Exim is earlier than 4.72 and thus potentially affected by one or both of the following vulnerabilities :

      - An error when handling hardlinks within the mail directory during the mail delivery process can be exploited to perform unauthorized actions. (CVE-2010-2023)

      - When MBX locking is enabled, a race condition exists that could allow an attacker to change permissions of other non-root users' files, leading to denial-of- service conditions or potentially privilege escalation. (CVE-2010-2024)");

      script_set_attribute(attribute:"see_also", value:"https://lists.exim.org/lurker/message/20100524.175925.9a69f755.en.html");
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?22b6761c");
      script_set_attribute(attribute:"see_also", value:"https://bugs.exim.org/show_bug.cgi?id=988");
      script_set_attribute(attribute:"see_also", value:"https://bugs.exim.org/show_bug.cgi?id=989");
      script_set_attribute(attribute:"solution", value:"Upgrade to Exim 4.72 or later when it becomes available.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");

      script_set_attribute(attribute:"vuln_publication_date", value:"2010/05/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/06/02");
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:exim:exim");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_family(english:"SMTP problems");
      script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");

      script_dependencies("smtpserver_detect.nasl");
      script_require_keys("Settings/ParanoidReport", "SMTP/exim");
      script_require_ports("Services/smtp", 25);

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("smtp_func.inc");

    if (report_paranoia < 2) audit(AUDIT_PARANOID);

    port = get_service(svc:"smtp", default:25, exit_on_fail:TRUE);

    banner = get_smtp_banner(port:port);
    if (!banner) exit(1, "Failed to retrieve the banner from the SMTP server listening on port "+port+".");
    if ("Exim" >!< banner) exit(0, "The banner from the SMTP server listening on port "+port+" is not from Exim.");

    matches = eregmatch(pattern:"220.*Exim ([0-9\.]+)", string:banner);
    if (isnull(matches)) exit(1, "Failed to determine the version of Exim based on the banner from the SMTP server listening on port "+port+".");

    version = matches[1];
    if (ereg(pattern:"^([0-3]\.|4\.([0-9]|[0-6][0-9]|7[01])$)", string:version))
    {
      if (report_verbosity > 0)
      {
        report =
          '\n Banner : ' + banner +
          '\n Installed version : ' + version +
          '\n Fixed version : 4.72';
        security_warning(port:port, extra:report);
      }
      else security_warning(port);
      exit(0);
    }
    else exit(0, "Exim version "+version+" is running on the port "+port+" and not affected.");

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2010-12375.NASL
description: This update fixes the following security flaws : - CVE-2010-2023 exim: hard-link following vulnerability in mailbox handling - CVE-2010-2024 exim: race condition when MBX locking is enabled Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 53394
published: 2011-04-13
reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/53394
title: Fedora 14 : exim-4.72-2.fc14 (2010-12375)
code:

    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Fedora Security Advisory 2010-12375.
    #

    include("compat.inc");

    if (description)
    {
      script_id(53394);
      script_version("1.10");
      script_cvs_date("Date: 2019/08/02 13:32:31");

      script_cve_id("CVE-2010-2023", "CVE-2010-2024");
      script_bugtraq_id(40451, 40454);
      script_xref(name:"FEDORA", value:"2010-12375");

      script_name(english:"Fedora 14 : exim-4.72-2.fc14 (2010-12375)");
      script_summary(english:"Checks rpm output for the updated package.");

      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "This update fixes the following security flaws :

      - CVE-2010-2023 exim: hard-link following vulnerability in mailbox handling

      - CVE-2010-2024 exim: race condition when MBX locking is enabled

    Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=600093"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=600097"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2011-April/057864.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?5de18bff"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected exim package.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:exim");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:14");

      script_set_attribute(attribute:"patch_publication_date", value:"2010/08/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/04/13");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");

    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^14([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 14.x", "Fedora " + os_ver);

    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

    flag = 0;
    if (rpm_check(release:"FC14", reference:"exim-4.72-2.fc14")) flag++;

    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exim");
    }

NASL family: SuSE Local Security Checks
NASL id: SUSE_11_3_EXIM-100720.NASL
description: Two local vulnerabilities have been fixed in the exim MTA which allowed attackers to create arbitrary files or to change ownership of arbitrary files. CVE-2010-2023 and CVE-2010-2024 have been assigned to these issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 75480
published: 2014-06-13
reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/75480
title: openSUSE Security Update : exim (openSUSE-SU-2010:0416-1)
code:

    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update exim-2750.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #

    include("compat.inc");

    if (description)
    {
      script_id(75480);
      script_version("1.4");
      script_cvs_date("Date: 2019/10/25 13:36:39");

      script_cve_id("CVE-2010-2023", "CVE-2010-2024");

      script_name(english:"openSUSE Security Update : exim (openSUSE-SU-2010:0416-1)");
      script_summary(english:"Check for the exim-2750 patch");

      script_set_attribute(
        attribute:"synopsis",
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description",
        value: "Two local vulnerabilities have been fixed in the exim MTA which allowed attackers to create arbitrary files or to change ownership of arbitrary files. CVE-2010-2023 and CVE-2010-2024 have been assigned to these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=612549"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.opensuse.org/opensuse-updates/2010-07/msg00025.html"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected exim packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:exim");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:eximon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:eximstats-html");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.3");

      script_set_attribute(attribute:"patch_publication_date", value:"2010/07/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");

    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE11\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

    flag = 0;

    if ( rpm_check(release:"SUSE11.3", reference:"exim-4.71-4.1.1") ) flag++;
    if ( rpm_check(release:"SUSE11.3", reference:"eximon-4.71-4.1.1") ) flag++;
    if ( rpm_check(release:"SUSE11.3", reference:"eximstats-html-4.71-4.1.1") ) flag++;

    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exim");
    }

- NASL family: SuSE Local Security Checks
- NASL id: SUSE_11_1_EXIM-100720.NASL
- description: Two local vulnerabilities have been fixed in the exim MTA which allowed attackers to create arbitrary files or to change ownership of arbitrary files. CVE-2010-2023 and CVE-2010-2024 have been assigned to these issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 47816
- published: 2010-07-23
- reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/47816
- title: openSUSE Security Update : exim (openSUSE-SU-2010:0416-1)
- code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update exim-2750.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(47816);
  script_version("1.8");
  script_cvs_date("Date: 2019/10/25 13:36:37");

  script_cve_id("CVE-2010-2023", "CVE-2010-2024");

  script_name(english:"openSUSE Security Update : exim (openSUSE-SU-2010:0416-1)");
  script_summary(english:"Check for the exim-2750 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:"Two local vulnerabilities have been fixed in the exim MTA which allowed attackers to create arbitrary files or to change ownership of arbitrary files. CVE-2010-2023 and CVE-2010-2024 have been assigned to these issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=612549"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.opensuse.org/opensuse-updates/2010-07/msg00025.html"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected exim packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P");
  script_set_attribute(attribute:"plugin_type", value:"local");

  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:exim");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:eximon");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:eximstats-html");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2010/07/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/07/23");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE11\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.1", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE11.1", reference:"exim-4.69-70.14.1") ) flag++;
if ( rpm_check(release:"SUSE11.1", reference:"eximon-4.69-70.14.1") ) flag++;
if ( rpm_check(release:"SUSE11.1", reference:"eximstats-html-4.69-70.14.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exim");
}

- NASL family: Fedora Local Security Checks
- NASL id: FEDORA_2010-9506.NASL
- description: This update fixes the following security flaws:
  - CVE-2010-2023 exim: hard-link following vulnerability in mailbox handling
  - CVE-2010-2024 exim: race condition when MBX locking is enabled

  Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 47538
- published: 2010-07-01
- reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/47538
- title: Fedora 12 : exim-4.72-1.fc12 (2010-9506)

- NASL family: Gentoo Local Security Checks
- NASL id: GENTOO_GLSA-201401-32.NASL
- description: The remote host is affected by the vulnerability described in GLSA-201401-32 (Exim: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in Exim. Please review the CVE identifiers referenced below for details. Impact: A remote attacker could possibly execute arbitrary code with root privileges, or cause a Denial of Service condition. Workaround: There is no known workaround at this time.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 72159
- published: 2014-01-28
- reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/72159
- title: GLSA-201401-32 : Exim: Multiple vulnerabilities

- NASL family: Fedora Local Security Checks
- NASL id: FEDORA_2010-9524.NASL
- description: This update fixes the following security flaws:
  - CVE-2010-2023 exim: hard-link following vulnerability in mailbox handling
  - CVE-2010-2024 exim: race condition when MBX locking is enabled

  Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 47540
- published: 2010-07-01
- reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/47540
- title: Fedora 13 : exim-4.72-1.fc13 (2010-9524)

References
- http://archives.neohapsis.com/archives/fulldisclosure/2010-06/0079.html
- http://bugs.exim.org/show_bug.cgi?id=989
- http://lists.exim.org/lurker/message/20100524.175925.9a69f755.en.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-June/042587.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-June/042613.html
- http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html
- http://secunia.com/advisories/40019
- http://secunia.com/advisories/40123
- http://secunia.com/advisories/43243
- http://vcs.exim.org/viewvc/exim/exim-doc/doc-txt/ChangeLog?view=markup&pathrev=exim-4_72_RC2
- http://vcs.exim.org/viewvc/exim/exim-src/src/transports/appendfile.c?r1=1.25&r2=1.26
- http://www.securityfocus.com/archive/1/511653/100/0/threaded
- http://www.securityfocus.com/bid/40454
- http://www.ubuntu.com/usn/USN-1060-1
- http://www.vupen.com/english/advisories/2010/1402
- http://www.vupen.com/english/advisories/2011/0364
- https://bugzilla.redhat.com/show_bug.cgi?id=600097
- https://exchange.xforce.ibmcloud.com/vulnerabilities/59042