Re: [courier-users] Bash shell security issue - CVE-2014-6271
From: Ángel G. <an...@16...> - 2014-09-25 20:16:41
Wolfgang Jeltsch wrote:
> Hi,
>
> thank you very much for this information.
>
> Has there been any new insight into how Courier is affected by this bug?
>
> And is Courier affected by the “follow-up” CVE-2014-7169?
>
> All the best,
> Wolfgang

Any program which allows untrusted variable contents into the environment and can be made to spawn a bash descendant is "affected". (Actually, they are not affected themselves, they are used to trigger the bug in bash.)

CVE-2014-6271 and CVE-2014-7169 are the same in this respect, so the new vulnerability doesn't change the affected status (although the latter is harder to exploit doing something useful, while with 6271 it was straightforward).

> Can the bug be exploited via ways other than default files?

Courier uses a lot of environment variables. It seems very easy to add one of those broken variables to the environment. If you then use a bash shell script at some point, then you would be affected.

The easiest way for that is if you have a .courier* file, or maildrop that executes a program (the "|something" delivery), and either it is (or spawns) a bash shell script, or the user shell is bash.

Other ways of being affected include directly having a shell script as /usr/bin/sendmail or manually inserting a bash script in the chain of courier commands.

Also remember that dash is not affected by these bugs; if you have a system account with bash as shell, changing its shell to dash will reduce the attack surface. Making /bin/sh point to something other than bash will help, too (be aware that some shell scripts using bashisms wrongly declare that they will run with /bin/sh, though).

Best regards
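The following audit script is added here and is not part of Ángel's reply or of Courier itself; it checks the exposure points his message lists (what /bin/sh resolves to, which accounts log in with bash, and which .courier*/maildrop recipes pipe mail into a program). The function names are mine, it assumes passwd-format account files and "|program" delivery lines, and the sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper (not from the courier-users thread or the Courier project).
# Checks the exposure points in the reply: /bin/sh resolving to bash, accounts
# whose login shell is bash, and .courier*/maildrop recipes that pipe to a program.

# Print the binary a shell path really points to (follows symlinks).
resolve_shell() {
    readlink -f "$1" 2>/dev/null || printf '%s\n' "$1"
}

# Succeed (exit 0) when the path ultimately resolves to a bash binary.
shell_is_bash() {
    case "$(basename "$(resolve_shell "$1")")" in
        bash) return 0 ;;
        *)    return 1 ;;
    esac
}

# List accounts in a passwd-format file whose login shell has the given basename,
# e.g. accounts_with_shell /etc/passwd bash
accounts_with_shell() {
    awk -F: -v want="$2" '{ n = split($7, p, "/"); if (p[n] == want) print $1 }' "$1"
}

# Print the "|program" delivery lines of a .courier or maildrop file; each one
# hands the message to a program that may be, or may spawn, a bash script.
pipe_deliveries() {
    grep -E '^[[:space:]]*((to|cc)[[:space:]]+)?["'"'"']?\|' "$1" 2>/dev/null
}

# Run the checks against the live system and report what to change.
audit_system() {
    if shell_is_bash /bin/sh; then
        echo "WARN: /bin/sh -> $(resolve_shell /bin/sh); #!/bin/sh scripts run under bash"
    fi
    for u in $(accounts_with_shell /etc/passwd bash); do
        echo "NOTE: account $u has bash as login shell; dash reduces the attack surface"
    done
}

# Constructed sample input so the file-based checks can be run stand-alone.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
    'courier:x:101:101::/var/lib/courier:/bin/bash' \
    'alice:x:1000:1000::/home/alice:/bin/dash' > "$SAMPLE_DIR/passwd"
printf '%s\n' '# constructed .courier file' 'alice-local' '| /usr/local/bin/filter.sh' > "$SAMPLE_DIR/dot-courier"

if [ "${1:-}" = "--audit" ]; then audit_system; fi
```

Run it with `--audit` to report on the live system; without the flag it only prepares the constructed samples for the file-based checks.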