INND Daemon Vulnerabilities
Impact
Versions of
innd, up to including version 1.5.1, have a variety
of vulnerabilities.
Background
The following problems have been reported:
- INN (versions 1.5.1and earlier) passes metacommands to the ucbmail mailer
without sufficinet filtering.
The mailer, which lacks sufficient checks for shell metacharacters, passes the unchecked data to a shell for processing. A remote attacker could send malicious metacharacters and execute arbitrary commands on the INN server.
- It is possible to pass malicious data to the innd daemon causing
system commands to be executed by the owner of the daemon.
Resolution
Upgrade to the most recent version of INN (1.5.1 or newer). If upgrading to
1.5.1, then also apply the
patch.
Upgrade information is available on the Internet Software Consortium ISC
web site.
Reference(2):