First published: Thu Jun 03 2010
Dan Rosenberg reported that when exim is used with a world-writable mail directory, with the sticky-bit set, local users could create hard-links to other non-root users' files in the mailbox storage directory, causing files to be overwritten upon mail delivery. This could be used to create a denial of service condition or potentially escalate privileges to those of targeted users.

Further information is available from the upstream bug report [1] and this has been fixed upstream in exim 4.72 [2].

[1] http://bugs.exim.org/show_bug.cgi?id=988
[2] http://vcs.exim.org/viewvc/exim/exim-src/src/transports/appendfile.c?r1=1.24&r2=1.25

The /var/spool/mail directory on Red Hat Enterprise Linux and Fedora is mode 0755 and owned root:mail. As a result, this is not exploitable by default.
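An added example (not part of the original advisory and not Exim's code): a Python check for the precondition described above. It reports whether a mailbox storage directory is world-writable with the sticky bit set and lists regular files under it that have more than one hard link. The function name `audit_spool` is an assumption of this example; the default path is the `/var/spool/mail` named above.

```python
import os
import stat
import sys


def audit_spool(path):
    """Return (exposed, linked) for a mailbox storage directory.

    exposed: True if the directory is world-writable with the sticky bit set,
             the configuration the advisory describes.
    linked:  sorted list of (relative_path, owner_uid, link_count) for regular
             files that have more than one hard link.
    """
    # os.stat follows a symlinked spool path (e.g. /var/spool/mail -> /var/mail).
    mode = stat.S_IMODE(os.stat(path).st_mode)
    exposed = bool(mode & stat.S_IWOTH) and bool(mode & stat.S_ISVTX)

    linked = []
    for root, _dirs, files in os.walk(path):  # symlinked subdirectories are not followed
        for name in files:
            full = os.path.join(root, name)
            st = os.lstat(full)  # inspect the entry itself, never a symlink target
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                linked.append((os.path.relpath(full, path), st.st_uid, st.st_nlink))
    return exposed, sorted(linked)


if __name__ == "__main__":
    # Hypothetical command-line use: audit the given directory, or the default spool.
    spool = sys.argv[1] if len(sys.argv) > 1 else "/var/spool/mail"
    try:
        exposed, linked = audit_spool(spool)
    except FileNotFoundError:
        sys.exit(f"{spool}: no such directory")
    print(f"{spool}: world-writable with sticky bit = {exposed}")
    for rel, uid, nlink in linked:
        print(f"  {rel}: owner uid {uid}, {nlink} hard links")
```

A mailbox file with a link count above one is worth reviewing on any spool where `exposed` is true, since the same inode is reachable under another name.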
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
sa-exim | =4.70 | |
sa-exim | =4.69 | |
sa-exim | =4.66 | |
sa-exim | =4.10 | |
sa-exim | =4.24 | |
sa-exim | =4.30 | |
sa-exim | =4.21 | |
sa-exim | =4.51 | |
sa-exim | =4.67 | |
sa-exim | =4.63 | |
sa-exim | =4.43 | |
sa-exim | =4.22 | |
sa-exim | =4.40 | |
sa-exim | =4.52 | |
sa-exim | =4.60 | |
sa-exim | =4.61 | |
sa-exim | =4.68 | |
sa-exim | =4.54 | |
sa-exim | =4.23 | |
sa-exim | =4.62 | |
sa-exim | =4.32 | |
sa-exim | =4.42 | |
sa-exim | =4.31 | |
sa-exim | =4.44 | |
sa-exim | =4.64 | |
sa-exim | =4.41 | |
sa-exim | =4.20 | |
sa-exim | =4.65 | |
sa-exim | =4.53 | |
sa-exim | =4.33 | |
sa-exim | =4.50 | |
sa-exim | <=4.71 | |
sa-exim | =4.34 | |
CVE-2010-2023 has a moderate severity rating as it can lead to denial of service due to file overwriting.
To fix CVE-2010-2023, ensure that the mail directory is not world-writable and does not have the sticky bit set.
CVE-2010-2023 affects Exim versions up to and including 4.71.
CVE-2010-2023 is primarily a local privilege escalation vulnerability, requiring local user access to exploit.
CVE-2010-2023 can allow local users to overwrite files in other users' mailboxes, potentially leading to data loss.