Vulnerability

InterNet News Server (innd) - ucbmail

Affected

Systems running INN versions 1.5.1 and earlier

Description

A new vulnerability was found in INN (InterNetNews server) after the first vulnerability (see innd #1, #2, #3). This vulnerability allows unauthorized users to execute arbitrary commands on the machine running INN by sending a maliciously formed news control message. Because the problem is with the content of news control messages, attacks can be launched remotely and may reach news servers located behind Internet firewalls.

This second vulnerability involving INN is similar to the first. INN itself attempts to carefully remove certain shell "metacharacters" from data in control messages before passing that data to a shell. The patches for the vulnerabilities described as innd #1, #2 and #3 fix some of the checks that were found to be inadequate. However, ucbmail, a program typically configured as the mailer INN should use, lacks similar checks. INN passes some data unchecked to this mailer, which in turn passes the data to a shell for processing.

Remote, unauthorized users can execute arbitrary commands on the system with the same privileges as the innd (INN daemon) process. Attacks may reach news servers located behind Internet firewalls.

Michal Jankowski pointed out that this bug is actually in the "mail" program and doesn't need INN to be exploited, and added a trivial example: sending somebody (root, preferably) a mail with "Reply-To: |some-interesting-command-here" in the hope that he'll use ucb mail to reply to this letter. Still, this is not confirmed to work (yet).

Solution

James Brister, the current maintainer of INN, has made a patch available that checks more data before it is passed to the mailer program. Although only the ucbmail program is known to have this problem, sites are encouraged to apply the patch regardless of what mail program their INN is configured to use.

The current version of INN is 1.5.1.
It is not vulnerable to the first vulnerability, described in innd #1, #2 and #3, but it is vulnerable to the second, so a patch is necessary. INN 1.5.1 and information about it are available from

http://www.isc.org/inn.html

The patch is available from

ftp://ftp.isc.org:/isc/inn/patches/security-patch.04

If you do not upgrade to 1.5.1, apply a patch for the version you are running and then apply the newly released patch that addresses the second vulnerability discussed here. If you are running INN 1.4sec2, you should upgrade to 1.5.1 as no patches are available.

FIRST apply:

version                 patch
-------                 -----
1.5                     ftp://ftp.isc.org/isc/inn/patches/security-patch.01
1.4sec                  ftp://ftp.isc.org/isc/inn/patches/security-patch.02
1.4unoff3, 1.4unoff4    ftp://ftp.isc.org/isc/inn/patches/security-patch.03

THEN apply (1.5.1, 1.5, 1.4sec, 1.4unoff3, 1.4unoff4)

ftp://ftp.isc.org:/isc/inn/patches/security-patch.04

After installing any of the patches or updates, ensure that you restart your INN server.

Vendor notices and patches for this vulnerability (for now):

NEC Corporation

The products below are shipped with the INN versions mentioned in this advisory, so they are vulnerable; patches are in progress.

Goah/NetworkSV R1.2    vulnerable
Goah/NetworkSV R2.2    vulnerable
Goah/NetworkSV R3.1    vulnerable
Goah/IntraSV R1.1      vulnerable

Red Hat Linux

There is a critical security hole in INN which affects all versions of Red Hat Linux. A new version, inn-1.5.1-6, is now available for Red Hat Linux 4.0 and 4.1 for all platforms. If you are running an earlier version of Red Hat, we strongly encourage you to upgrade to 4.1 as soon as possible, as many critical security fixes have been made. The new version of inn is PGP signed with the Red Hat PGP key, which is available on all Red Hat CDROMs, ftp.redhat.com, and public keyservers.
You may upgrade to the new version as follows:

Red Hat 4.1
-----------

i386:  rpm -Uvh ftp://ftp.redhat.com/updates/4.1/i386/inn-1.5.1-6.i386.rpm
alpha: rpm -Uvh ftp://ftp.redhat.com/updates/4.1/alpha/inn-1.5.1-6.alpha.rpm
SPARC: rpm -Uvh ftp://ftp.redhat.com/updates/4.1/sparc/inn-1.5.1-6.sparc.rpm

Red Hat 4.0
-----------

i386:  rpm -Uvh ftp://ftp.redhat.com/updates/4.0/i386/inn-1.5.1-6.i386.rpm
alpha: rpm -Uvh ftp://ftp.redhat.com/updates/4.0/alpha/inn-1.5.1-6.alpha.rpm
SPARC: rpm -Uvh ftp://ftp.redhat.com/updates/4.0/sparc/inn-1.5.1-6.sparc.rpm

After installing any of the patches or updates, ensure that you restart your INN server.
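
The Description says the mailer itself hands data to a shell, so the caller has to validate header-derived values before the mailer ever sees them. The following is an added example of such an allowlist check; it is not code from INN or from security-patch.04, and the function names, the allowlist, the length limit and the assumption that the value is a bare address are all choices made for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample: header block of a control message (not real traffic). */
const char SAMPLE[] =
    "From: news@example.org\n"
    "Reply-To: |some-interesting-command-here\n"
    "Control: newgroup example.test\n"
    "\n";

/* 1 if a header-derived value may be handed to the mailer, else 0.
 * Allowlist (an assumption of this example): letters, digits, "@.-_+". */
int mail_value_is_safe(const char *v, size_t len)
{
    size_t i;
    if (len == 0 || len > 128 || v[0] == '-')   /* empty, oversized, option-like */
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)v[i];
        if (c > 127 || (!isalnum(c) && memchr("@.-_+", c, 5) == NULL))
            return 0;                           /* '|', ';', '`', '$', space, ... */
    }
    return 1;
}

/* Find header `name` (case-insensitive) in `hdrs` and validate its value.
 * Returns 1 = safe, 0 = unsafe (or folded), -1 = header absent. */
int screen_header(const char *hdrs, const char *name)
{
    size_t n = strlen(name), i;
    const char *line = hdrs;
    while (line != NULL && *line != '\0' && *line != '\n') {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);
        for (i = 0; i < n && line + i < end; i++)
            if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
                break;
        if (i == n && line + n < end && line[n] == ':') {
            const char *v = line + n + 1;
            if (eol && (eol[1] == ' ' || eol[1] == '\t'))
                return 0;                       /* folded value: refuse to guess */
            while (v < end && (*v == ' ' || *v == '\t')) v++;
            while (end > v && (end[-1] == ' ' || end[-1] == '\t' || end[-1] == '\r')) end--;
            return mail_value_is_safe(v, (size_t)(end - v));
        }
        line = eol ? eol + 1 : NULL;
    }
    return -1;
}
```

A caller would drop or log any message for which screen_header returns 0 instead of invoking the mailer with that value.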