CVE-2010-2024 - Race Condition vulnerability in Exim

CVSS 4.4 - MEDIUM

Attack vector: LOCAL
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Tags: local, exim, CWE-362, nessus

Summary

transports/appendfile.c in Exim before 4.72, when MBX locking is enabled, allows local users to change permissions of arbitrary files or create arbitrary files, and cause a denial of service or possibly gain privileges, via a symlink attack on a lockfile in /tmp/.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition that occurs when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the accesses take place. The attacker can leverage a race condition by "running the race", modifying the resource and altering the normal execution flow. For instance, a race condition can occur while accessing a file: the attacker can trick the system by replacing the original file with his own version, causing the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of that resource. The typical example is file access. The attacker can leverage a file access race condition by "running the race", meaning that he modifies the resource between the first time the target program accesses the file and the time the target program uses the file. During that window, the attacker could, for example, replace the file and cause an escalation of privilege.
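
The time-of-check/time-of-use pattern above, applied to the case in the Summary (a lock file in a world-writable directory such as /tmp), as an added example that is not Exim's code or its actual fix. The helper name `open_lockfile_safely` and the demo paths are assumptions; the constructed scenarios show a planted symlink being refused and permissions being set through the descriptor rather than by path.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Racy pattern behind this class of bug (described, not implemented here):
 *   lstat(path) -> open(path, O_CREAT) -> chmod(path, mode)
 * Each call resolves the name again, so a symlink swapped in between two
 * calls redirects the create or the chmod to a different file.
 */

/* Hypothetical helper: open or create a shared lock file in a world-writable
 * directory. Returns an fd, or -1 with errno set. */
int open_lockfile_safely(const char *path, mode_t mode)
{
    struct stat st;
    int created = 1;

    /* O_EXCL refuses any existing name, including a dangling symlink. */
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0 && errno == EEXIST) {
        created = 0;
        /* Reuse an existing lock, but never through a symlink (ELOOP on Linux). */
        fd = open(path, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
    }
    if (fd < 0)
        return -1;

    /* Validate the object that was actually opened, not the name. */
    if (fstat(fd, &st) != 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
    if (!S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd); errno = EPERM; return -1;   /* device, FIFO or hard link */
    }
    /* Change permissions through the descriptor: fchmod acts on the inode
     * we hold, so a later rename or symlink swap of the path has no effect. */
    if (created && fchmod(fd, mode) != 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
    return fd;
}

/* Permission bits of the file a path resolves to (follows symlinks), or -1. */
static int mode_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* Constructed scenario 1: a symlink planted at the lock path points at a
 * victim file. Returns 1 if the open is refused and the victim is untouched. */
int demo_symlink_rejected(void)
{
    char dir[] = "/tmp/lockdemo.XXXXXX";
    char victim[64], lock[64];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lock, sizeof lock, "%s/.lock", dir);

    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd < 0 || fchmod(vfd, 0600) != 0 || symlink(victim, lock) != 0) return -1;
    close(vfd);

    int fd = open_lockfile_safely(lock, 0666);
    int ok = (fd == -1 && mode_of(victim) == 0600);

    if (fd >= 0) close(fd);
    unlink(lock); unlink(victim); rmdir(dir);
    return ok;
}

/* Constructed scenario 2: no file exists yet. Returns the mode of the new lock. */
int demo_fresh_lock_mode(void)
{
    char dir[] = "/tmp/lockdemo.XXXXXX";
    char lock[64];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(lock, sizeof lock, "%s/.lock", dir);

    int fd = open_lockfile_safely(lock, 0660);
    int mode = (fd >= 0) ? mode_of(lock) : -1;

    if (fd >= 0) close(fd);
    unlink(lock); rmdir(dir);
    return mode;
}

int main(void)
{
    printf("symlink rejected: %d\n", demo_symlink_rejected());
    printf("fresh lock mode:  %o\n", (unsigned)demo_fresh_lock_mode());
    return 0;
}
```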

Nessus

  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_2_EXIM-100720.NASL
    description: Two local vulnerabilities have been fixed in the exim MTA which allowed attackers to create arbitrary files or to change ownership of arbitrary files. CVE-2010-2023 and CVE-2010-2024 have been assigned to these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 47817
    published: 2010-07-23
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/47817
    title: openSUSE Security Update : exim (openSUSE-SU-2010:0416-1)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update exim-2750.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(47817);
      script_version("1.8");
      script_cvs_date("Date: 2019/10/25 13:36:38");
    
      script_cve_id("CVE-2010-2023", "CVE-2010-2024");
    
      script_name(english:"openSUSE Security Update : exim (openSUSE-SU-2010:0416-1)");
      script_summary(english:"Check for the exim-2750 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Two local vulnerabilities have been fixed in the exim MTA which
    allowed attackers to create arbitrary files or to change ownership of
    arbitrary files. CVE-2010-2023 and CVE-2010-2024 have been assigned to
    these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=612549"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.opensuse.org/opensuse-updates/2010-07/msg00025.html"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected exim packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:exim");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:eximon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:eximstats-html");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/07/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/07/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE11\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.2", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE11.2", reference:"exim-4.69-72.4.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"eximon-4.69-72.4.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"eximstats-html-4.69-72.4.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exim");
    }
    
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-1060-1.NASL
    description: It was discovered that Exim contained a design flaw in the way it processed alternate configuration files. An attacker that obtained privileges of the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 51954
    published: 2011-02-11
    reporter: Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/51954
    title: Ubuntu 6.06 LTS / 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : exim4 vulnerabilities (USN-1060-1)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-1060-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(51954);
      script_version("1.11");
      script_cvs_date("Date: 2019/09/19 12:54:26");
    
      script_cve_id("CVE-2010-2023", "CVE-2010-2024", "CVE-2010-4345", "CVE-2011-0017");
      script_bugtraq_id(40451, 40454, 45341, 46065);
      script_xref(name:"USN", value:"1060-1");
    
      script_name(english:"Ubuntu 6.06 LTS / 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : exim4 vulnerabilities (USN-1060-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that Exim contained a design flaw in the way it
    processed alternate configuration files. An attacker that obtained
    privileges of the 'Debian-exim' user could use an alternate
    configuration file to obtain root privileges. (CVE-2010-4345)
    
    It was discovered that Exim incorrectly handled certain return values
    when handling logging. An attacker that obtained privileges of the
    'Debian-exim' user could use this flaw to obtain root privileges.
    (CVE-2011-0017)
    
    Dan Rosenberg discovered that Exim incorrectly handled writable
    sticky-bit mail directories. If Exim were configured in this manner, a
    local user could use this flaw to cause a denial of service or
    possibly gain privileges. This issue only applied to Ubuntu 6.06 LTS,
    8.04 LTS, 9.10, and 10.04 LTS. (CVE-2010-2023)
    
    Dan Rosenberg discovered that Exim incorrectly handled MBX locking. If
    Exim were configured in this manner, a local user could use this flaw
    to cause a denial of service or possibly gain privileges. This issue
    only applied to Ubuntu 6.06 LTS, 8.04 LTS, 9.10, and 10.04 LTS.
    (CVE-2010-2024).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/1060-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Exim4 string_format Function Heap Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4-config");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-custom");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-heavy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-heavy-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-light");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-light-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:eximon4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:9.10");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/06/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/02/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/02/11");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(6\.06|8\.04|9\.10|10\.04|10\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 6.06 / 8.04 / 9.10 / 10.04 / 10.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"6.06", pkgname:"exim4", pkgver:"4.60-3ubuntu3.3")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"exim4-base", pkgver:"4.60-3ubuntu3.3")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"exim4-config", pkgver:"4.60-3ubuntu3.3")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"exim4-daemon-custom", pkgver:"4.60-3ubuntu3.3")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"exim4-daemon-heavy", pkgver:"4.60-3ubuntu3.3")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"exim4-daemon-light", pkgver:"4.60-3ubuntu3.3")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"eximon4", pkgver:"4.60-3ubuntu3.3")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"exim4", pkgver:"4.69-2ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"exim4-base", pkgver:"4.69-2ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"exim4-config", pkgver:"4.69-2ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"exim4-daemon-custom", pkgver:"4.69-2ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"exim4-daemon-heavy", pkgver:"4.69-2ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"exim4-daemon-heavy-dbg", pkgver:"4.69-2ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"exim4-daemon-light", pkgver:"4.69-2ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"exim4-daemon-light-dbg", pkgver:"4.69-2ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"exim4-dbg", pkgver:"4.69-2ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"exim4-dev", pkgver:"4.69-2ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"eximon4", pkgver:"4.69-2ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"exim4", pkgver:"4.69-11ubuntu4.2")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"exim4-base", pkgver:"4.69-11ubuntu4.2")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"exim4-config", pkgver:"4.69-11ubuntu4.2")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"exim4-daemon-custom", pkgver:"4.69-11ubuntu4.2")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"exim4-daemon-heavy", pkgver:"4.69-11ubuntu4.2")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"exim4-daemon-heavy-dbg", pkgver:"4.69-11ubuntu4.2")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"exim4-daemon-light", pkgver:"4.69-11ubuntu4.2")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"exim4-daemon-light-dbg", pkgver:"4.69-11ubuntu4.2")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"exim4-dbg", pkgver:"4.69-11ubuntu4.2")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"exim4-dev", pkgver:"4.69-11ubuntu4.2")) flag++;
    if (ubuntu_check(osver:"9.10", pkgname:"eximon4", pkgver:"4.69-11ubuntu4.2")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"exim4", pkgver:"4.71-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"exim4-base", pkgver:"4.71-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"exim4-config", pkgver:"4.71-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"exim4-daemon-custom", pkgver:"4.71-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"exim4-daemon-heavy", pkgver:"4.71-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"exim4-daemon-heavy-dbg", pkgver:"4.71-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"exim4-daemon-light", pkgver:"4.71-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"exim4-daemon-light-dbg", pkgver:"4.71-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"exim4-dbg", pkgver:"4.71-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"exim4-dev", pkgver:"4.71-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"eximon4", pkgver:"4.71-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"exim4", pkgver:"4.72-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"exim4-base", pkgver:"4.72-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"exim4-config", pkgver:"4.72-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"exim4-daemon-custom", pkgver:"4.72-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"exim4-daemon-heavy", pkgver:"4.72-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"exim4-daemon-heavy-dbg", pkgver:"4.72-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"exim4-daemon-light", pkgver:"4.72-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"exim4-daemon-light-dbg", pkgver:"4.72-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"exim4-dbg", pkgver:"4.72-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"exim4-dev", pkgver:"4.72-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"eximon4", pkgver:"4.72-1ubuntu1.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exim4 / exim4-base / exim4-config / exim4-daemon-custom / etc");
    }
    
  • NASL family: SMTP problems
    NASL id: EXIM_4_72.NASL
    description: The remote host is running Exim, a message transfer agent (SMTP). According to the version number in its banner, the installed version of Exim is earlier than 4.72 and thus potentially affected by one or both of the following vulnerabilities : - An error when handling hardlinks within the mail directory during the mail delivery process can be exploited to perform unauthorized actions. (CVE-2010-2023) - When MBX locking is enabled, a race condition exists that could allow an attacker to change permissions of other non-root users
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 46783
    published: 2010-06-02
    reporter: This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/46783
    title: Exim < 4.72 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(46783);
      script_version("1.13");
      script_cvs_date("Date: 2018/11/15 20:50:24");
    
      script_cve_id("CVE-2010-2023", "CVE-2010-2024");
      script_bugtraq_id(40451, 40454);
      script_xref(name:"Secunia", value:"40019");
    
      script_name(english:"Exim < 4.72 Multiple Vulnerabilities");
      script_summary(english:"Checks version of SMTP banner");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote mail server is potentially affected by multiple
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote host is running Exim, a message transfer agent (SMTP).
    
    According to the version number in its banner, the installed version
    of Exim is earlier than 4.72 and thus potentially affected by one or
    both of the following vulnerabilities :
    
      - An error when handling hardlinks within the mail
        directory during the mail delivery process can be
        exploited to perform unauthorized actions.
        (CVE-2010-2023)
    
      - When MBX locking is enabled, a race condition exists
        that could allow an attacker to change permissions of
        other non-root users' files, leading to denial-of-
        service conditions or potentially privilege escalation.
        (CVE-2010-2024)");
      script_set_attribute(attribute:"see_also", value:"https://lists.exim.org/lurker/message/20100524.175925.9a69f755.en.html");
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?22b6761c");
      script_set_attribute(attribute:"see_also", value:"https://bugs.exim.org/show_bug.cgi?id=988");
      script_set_attribute(attribute:"see_also", value:"https://bugs.exim.org/show_bug.cgi?id=989");
      script_set_attribute(attribute:"solution", value:"Upgrade to Exim 4.72 or later when it becomes available.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/05/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/06/02");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:exim:exim");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"SMTP problems");
    
      script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");
    
      script_dependencies("smtpserver_detect.nasl");
      script_require_keys("Settings/ParanoidReport", "SMTP/exim");
      script_require_ports("Services/smtp", 25);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("smtp_func.inc");
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    port = get_service(svc:"smtp", default:25, exit_on_fail:TRUE);
    
    banner = get_smtp_banner(port:port);
    if (!banner) exit(1, "Failed to retrieve the banner from the SMTP server listening on port "+port+".");
    if ("Exim" >!< banner) exit(0, "The banner from the SMTP server listening on port "+port+" is not from Exim.");
    
    matches = eregmatch(pattern:"220.*Exim ([0-9\.]+)", string:banner);
    if (isnull(matches)) exit(1, "Failed to determine the version of Exim based on the banner from the SMTP server listening on port "+port+".");
    
    version = matches[1];
    if (ereg(pattern:"^([0-3]\.|4\.([0-9]|[0-6][0-9]|7[01])$)", string:version))
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Banner            : ' + banner +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : 4.72';
        security_warning(port:port, extra:report);
      }
      else security_warning(port);
      exit(0);
    }
    else exit(0, "Exim version "+version+" is running on the port "+port+" and not affected.");
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2010-12375.NASL
    description: This update fixes the following security flaws : - CVE-2010-2023 exim: hard-link following vulnerability in mailbox handling - CVE-2010-2024 exim: race condition when MBX locking is enabled Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 53394
    published: 2011-04-13
    reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/53394
    title: Fedora 14 : exim-4.72-2.fc14 (2010-12375)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2010-12375.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(53394);
      script_version("1.10");
      script_cvs_date("Date: 2019/08/02 13:32:31");
    
      script_cve_id("CVE-2010-2023", "CVE-2010-2024");
      script_bugtraq_id(40451, 40454);
      script_xref(name:"FEDORA", value:"2010-12375");
    
      script_name(english:"Fedora 14 : exim-4.72-2.fc14 (2010-12375)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update fixes the following security flaws :
    
      - CVE-2010-2023 exim: hard-link following vulnerability in
        mailbox handling
    
        - CVE-2010-2024 exim: race condition when MBX locking is
          enabled
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=600093"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=600097"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2011-April/057864.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?5de18bff"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected exim package.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:exim");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:14");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/08/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/04/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^14([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 14.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC14", reference:"exim-4.72-2.fc14")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exim");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_3_EXIM-100720.NASL
    description: Two local vulnerabilities have been fixed in the exim MTA which allowed attackers to create arbitrary files or to change ownership of arbitrary files. CVE-2010-2023 and CVE-2010-2024 have been assigned to these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 75480
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/75480
    title: openSUSE Security Update : exim (openSUSE-SU-2010:0416-1)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update exim-2750.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(75480);
      script_version("1.4");
      script_cvs_date("Date: 2019/10/25 13:36:39");
    
      script_cve_id("CVE-2010-2023", "CVE-2010-2024");
    
      script_name(english:"openSUSE Security Update : exim (openSUSE-SU-2010:0416-1)");
      script_summary(english:"Check for the exim-2750 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Two local vulnerabilities have been fixed in the exim MTA which
    allowed attackers to create arbitrary files or to change ownership of
    arbitrary files. CVE-2010-2023 and CVE-2010-2024 have been assigned to
    these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=612549"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.opensuse.org/opensuse-updates/2010-07/msg00025.html"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected exim packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:exim");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:eximon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:eximstats-html");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/07/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE11\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE11.3", reference:"exim-4.71-4.1.1") ) flag++;
    if ( rpm_check(release:"SUSE11.3", reference:"eximon-4.71-4.1.1") ) flag++;
    if ( rpm_check(release:"SUSE11.3", reference:"eximstats-html-4.71-4.1.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exim");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_1_EXIM-100720.NASL
    description: Two local vulnerabilities have been fixed in the exim MTA which allowed attackers to create arbitrary files or to change ownership of arbitrary files. CVE-2010-2023 and CVE-2010-2024 have been assigned to these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 47816
    published: 2010-07-23
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/47816
    title: openSUSE Security Update : exim (openSUSE-SU-2010:0416-1)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update exim-2750.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(47816);
      script_version("1.8");
      script_cvs_date("Date: 2019/10/25 13:36:37");
    
      script_cve_id("CVE-2010-2023", "CVE-2010-2024");
    
      script_name(english:"openSUSE Security Update : exim (openSUSE-SU-2010:0416-1)");
      script_summary(english:"Check for the exim-2750 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Two local vulnerabilities have been fixed in the exim MTA which
    allowed attackers to create arbitrary files or to change ownership of
    arbitrary files. CVE-2010-2023 and CVE-2010-2024 have been assigned to
    these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=612549"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.opensuse.org/opensuse-updates/2010-07/msg00025.html"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected exim packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:exim");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:eximon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:eximstats-html");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/07/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/07/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE11\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.1", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE11.1", reference:"exim-4.69-70.14.1") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"eximon-4.69-70.14.1") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"eximstats-html-4.69-70.14.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exim");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2010-9506.NASL
    description: This update fixes the following security flaws:
      * CVE-2010-2023 exim: hard-link following vulnerability in mailbox handling
      * CVE-2010-2024 exim: race condition when MBX locking is enabled
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 47538
    published: 2010-07-01
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/47538
    title: Fedora 12 : exim-4.72-1.fc12 (2010-9506)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201401-32.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201401-32 (Exim: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in Exim. Please review the CVE identifiers referenced below for details. Impact: A remote attacker could possibly execute arbitrary code with root privileges, or cause a Denial of Service condition. Workaround: There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 72159
    published: 2014-01-28
    reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/72159
    title: GLSA-201401-32 : Exim: Multiple vulnerabilities
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2010-9524.NASL
    description: This update fixes the following security flaws:
      * CVE-2010-2023 exim: hard-link following vulnerability in mailbox handling
      * CVE-2010-2024 exim: race condition when MBX locking is enabled
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 47540
    published: 2010-07-01
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/47540
    title: Fedora 13 : exim-4.72-1.fc13 (2010-9524)