Bug 968844 - (CVE-2016-1531) VUL-0: CVE-2016-1531: exim: local privilege escalation for set-uid root exim when using 'perl_startup'
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 42.1
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
Reported: 2016-03-01 07:40 UTC by Andreas Stieger
Modified: 2016-03-11 15:21 UTC (History)
Found By: Security Response Team
Comment 1 Andreas Stieger 2016-03-01 07:47:51 UTC
No further details available just yet. openSUSE only.
Comment 2 Swamp Workflow Management 2016-03-01 23:00:15 UTC
bugbot adjusting priority
Comment 3 Andreas Stieger 2016-03-02 20:22:27 UTC
https://lists.exim.org/lurker/message/20160302.191005.a72d8433.en.html

Security fix for CVE-2016-1531
==============================

All installations having Exim set-uid root and using 'perl_startup' are
vulnerable to a local privilege escalation. Any user who can start an
instance of Exim (and this is normally *any* user) can gain root
privileges.

New options
-----------

We had to introduce two new configuration options:

    keep_environment =
    add_environment =

Both options are empty per default. That is, Exim cleans the complete
environment on startup. This affects Exim itself and any subprocesses,
as transports, that may call other programs via some alias mechanisms,
as routers (queryprogram), lookups, and so on.

** THIS MAY BREAK your existing installation **

If both options are not used in the configuration, Exim issues a warning
on startup. This warning disappears if at least one of these options is
used (even if set to an empty value).

keep_environment should contain a list of trusted environment variables.
(Do you trust PATH?). This may be a list of names and REs.

    keep_environment = ^LDAP_ : FOO_PATH

To add (or override) variables, you can use add_environment:

    add_environment = <; PATH=/sbin:/usr/sbin

New behaviour
-------------

Now Exim changes its working directory to / right after startup,
even before reading its configuration. (Later Exim changes its working
directory to $spool_directory, as usual.)

Exim only accepts an absolute configuration file path now, when using
the -C option.

Fixed in:

    Version             Git tag
    ---------------------------------
    Exim 4.84.2         exim-4_84_2
    Exim 4.85.2         exim-4_85_2
    Exim 4.86.2         exim-4_86_2
    Exim 4.87 RC 5      exim-4_87_RC5

https://github.com/Exim/exim/commit/bc3c7bb7d4aba3e563434e5627fe1f2176aa18c0
Comment 4 Andreas Stieger 2016-03-02 20:29:20 UTC
CVSSv2 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C)

openSUSE is affected:
> %verify(not mode) %attr(4755,root,root) /usr/sbin/exim
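The following is an added example, not Exim's code and not part of this bug report. It models, in Python, the two things comments 3 and 4 describe: how a fixed Exim reduces the environment it passes on (everything dropped unless it matches an item in keep_environment, then add_environment applied on top, with the `<;` separator change from the advisory), and which installation counts as exposed (set-uid root binary, perl_startup configured, version older than the fixed ones listed in the table). The config parser, the list splitting and the name matching are deliberate simplifications of Exim's real behaviour; the function names, the sample configuration and the sample environment are all constructed for the illustration.

```python
"""Model of the fix semantics described in the CVE-2016-1531 advisory.

Added illustration, not Exim's own code. The parser, the list splitting and
the name matching are deliberate simplifications of what Exim really does.
"""
import re
import stat

# Assumed: simplified main-section parser ('name = value' lines up to 'begin').
def parse_main_config(text):
    options = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("begin "):
            break  # routers/transports/etc. are not main options
        if "=" in stripped:
            name, _, value = stripped.partition("=")
            options[name.strip()] = value.strip()
    return options

# Exim list: colon separated; a leading '<x' selects x as the separator
# (that is why the advisory writes '<; PATH=/sbin:/usr/sbin').
def split_exim_list(value):
    sep = ":"
    if value.startswith("<") and len(value) > 1:
        sep, value = value[1], value[2:]
    return [item.strip() for item in value.split(sep) if item.strip()]

# The advisory's rule: the environment is emptied, except for names that
# match keep_environment (plain names, or regexes starting with '^'); then
# add_environment entries are added to, or override, what was kept.
def filter_environment(env, keep_environment="", add_environment=""):
    keep_items = split_exim_list(keep_environment)
    kept = {}
    for name, value in env.items():
        for item in keep_items:
            matched = re.search(item, name) if item.startswith("^") else item == name
            if matched:
                kept[name] = value
                break
    for assignment in split_exim_list(add_environment):
        name, _, value = assignment.partition("=")
        kept[name.strip()] = value.strip()
    return kept

# Fixed versions from the advisory table: 4.84.2, 4.85.2, 4.86.2, 4.87 RC5.
def is_fixed(version):
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[ _]*RC(\d+))?", version.strip())
    if not m:
        return False
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    rc = int(m.group(4)) if m.group(4) else None
    if (major, minor) > (4, 87):
        return True
    if (major, minor) == (4, 87):
        return rc is None or rc >= 5
    if (major, minor) in ((4, 84), (4, 85), (4, 86)):
        return patch >= 2
    return False

# A fixed Exim warns at startup if neither option appears at all
# (an empty value is enough to silence the warning).
def startup_warning(options):
    return "keep_environment" not in options and "add_environment" not in options

# Exposure as the advisory and comment 4 define it: set-uid root binary,
# perl_startup in use, and a version without the fix.
def is_exposed(mode, owner_uid, options, version):
    setuid_root = bool(mode & stat.S_ISUID) and owner_uid == 0
    return setuid_root and "perl_startup" in options and not is_fixed(version)

# Constructed sample input (not a real site configuration or environment).
SAMPLE_CONFIG = """\
# constructed sample
primary_hostname = mail.example.test
perl_startup = do '/etc/exim/exim.pl'
keep_environment = ^LDAP_ : FOO_PATH
add_environment = <; PATH=/sbin:/usr/sbin
begin routers
"""
SAMPLE_ENV = {
    "PATH": "/home/user/bin:/usr/bin",    # caller-controlled, not trusted
    "PERL5LIB": "/home/user/lib",         # caller-controlled, not trusted
    "LDAP_SERVER": "ldap.example.test",   # kept via the ^LDAP_ regex
    "FOO_PATH": "/opt/foo",               # kept by name
}

if __name__ == "__main__":
    opts = parse_main_config(SAMPLE_CONFIG)
    print("exposed on 4.86.1 with mode 4755:", is_exposed(0o4755, 0, opts, "4.86.1"))
    print("startup warning:", startup_warning(opts))
    print("environment handed to subprocesses:",
          filter_environment(SAMPLE_ENV, opts["keep_environment"], opts["add_environment"]))
```

With the sample configuration, only LDAP_SERVER and FOO_PATH survive the cleaning and PATH is replaced by the trusted value from add_environment; with both options absent, the filtered environment is empty and `startup_warning` is true, which is the warning the advisory says an updated installation will log until at least one of the options is set.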
Comment 5 Lars Müller 2016-03-02 20:51:31 UTC
Fixes are ready and come in the next hour.
Comment 6 Lars Müller 2016-03-02 21:33:14 UTC
https://build.opensuse.org/request/show/364994  openSUSE Leap 42.1 + 13.2
https://build.opensuse.org/request/show/364997  openSUSE Tumbleweed
Comment 7 Andreas Stieger 2016-03-02 21:47:27 UTC
Given the behavioral changes, do you think that standard setups will experience breakage upon update?

Which instructions should we give them, and is there anything in the configuration and scripts that we ship that needs to be adjusted?
Comment 8 Lars Müller 2016-03-03 11:11:11 UTC
https://build.opensuse.org/request/show/365214  openSUSE Leap 42.1 + 13.2
https://build.opensuse.org/request/show/365211  openSUSE Tumbleweed
Comment 9 Lars Müller 2016-03-03 11:23:30 UTC
(In reply to Andreas Stieger from comment #7)
> Given the behavioral changes, do you think that standard setups will
> experience breakage upon update?

It might still work without further interaction.

> Which instructions should we give them, and is there anything in the
> configuration and scripts that we ship that needs to be adjusted?

Heiko Schlittermann <hs () schlittermann de> wrote:

### partial quote start

New options
-----------

We had to introduce two new configuration options:

    keep_environment =
    add_environment =

Both options are empty per default. That is, Exim cleans the complete
environment on startup. This affects Exim itself and any subprocesses,
as transports, that may call other programs via some alias mechanisms,
as routers (queryprogram), lookups, and so on. This may affect used
libraries (e.g. LDAP).

** THIS MAY BREAK your existing installation **

If both options are not used in the configuration, Exim issues a warning
on startup. This warning disappears if at least one of these options is
used (even if set to an empty value).

keep_environment should contain a list of trusted environment variables.
(Do you trust PATH?). This may be a list of names and REs.

    keep_environment = ^LDAP_ : FOO_PATH

To add (or override) variables, you can use add_environment:

    add_environment = <; PATH=/sbin:/usr/sbin

### partial quote end

See also for example http://seclists.org/oss-sec/2016/q1/501
Comment 10 Swamp Workflow Management 2016-03-11 13:16:20 UTC
openSUSE-SU-2016:0721-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 968844
CVE References: CVE-2016-1531
Sources used:
openSUSE Leap 42.1 (src):    exim-4.86.2-8.1
openSUSE 13.2 (src):    exim-4.86.2-3.10.1
Comment 11 Andreas Stieger 2016-03-11 15:21:23 UTC
closing