BSD mailx 8.1.2 and earlier allows remote attackers to execute arbitrary commands via a crafted email address.

The remote host is affected by the vulnerability described in GLSA-201804-06 (mailx: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in mailx. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could execute arbitrary commands.
  Workaround :

    There is no known workaround at this time.

CVE-2014-7844 The expand function in fio.c in Heirloom mailx 12.5 and earlier and BSD mailx 8.1.2 and earlier allows remote attackers to execute arbitrary commands via shell meta characters in an email address.

CVE-2004-2771 A flaw was found in the way mailx handled the parsing of email addresses. A syntactically valid email address could allow a local attacker to cause mailx to execute arbitrary shell commands through shell meta characters (CVE-2004-2771) and the direct command execution functionality (CVE-2014-7844).

Impact

A local attacker can cause mailx to execute arbitrary shell commands through shell meta-characters. These attacks require a trusted user with shell access to the system in question.

New mailx packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.

The remote host is running a version of Mac OS X 10.10.x that is prior to version 10.10.5. The installed version is affected by multiple vulnerabilities in the following components :

 - apache (CVE-2014-3581, CVE-2014-3583, CVE-2014-8109, CVE-2015-0228, CVE-2015-0253, CVE-2015-3183, CVE-2015-3185)
 - apache_mod_php (CVE-2015-2783, CVE-2015-2787, CVE-2015-3307, CVE-2015-3329, CVE-2015-3330, CVE-2015-4021, CVE-2015-4022, CVE-2015-4024, CVE-2015-4025, CVE-2015-4026, CVE-2015-4147, CVE-2015-4148)
 - Apple ID OD Plug-in (CVE-2015-3799)
 - AppleGraphicsControl (CVE-2015-5768)
 - Bluetooth (CVE-2015-3777, CVE-2015-3779, CVE-2015-3780, CVE-2015-3786, CVE-2015-3787)
 - bootp (CVE-2015-3778)
 - CloudKit (CVE-2015-3782)
 - CoreMedia Playback (CVE-2015-5777, CVE-2015-5778)
 - CoreText (CVE-2015-5761, CVE-2015-5755)
 - curl (CVE-2014-3613, CVE-2014-3620, CVE-2014-3707, CVE-2014-8150, CVE-2014-8151, CVE-2015-3143, CVE-2015-3144, CVE-2015-3145, CVE-2015-3148, CVE-2015-3153)
 - Data Detectors Engine (CVE-2015-5750)
 - Date & Time pref pane (CVE-2015-3757)
 - Dictionary Application (CVE-2015-3774)
 - DiskImages (CVE-2015-3800)
 - dyld (CVE-2015-3760)
 - FontParser (CVE-2015-3804, CVE-2015-5775, CVE-2015-5756)
 - groff (CVE-2009-5044, CVE-2009-5078)
 - ImageIO (CVE-2015-5758, CVE-2015-5781, CVE-2015-5782)
 - Install Framework Legacy (CVE-2015-5784, CVE-2015-5754)
 - IOFireWireFamily (CVE-2015-3769, CVE-2015-3771, CVE-2015-3772)
 - IOGraphics (CVE-2015-3770, CVE-2015-5783)
 - IOHIDFamily (CVE-2015-5774)
 - Kernel (CVE-2015-3766, CVE-2015-3768, CVE-2015-5747, CVE-2015-5748, CVE-2015-3806, CVE-2015-3803, CVE-2015-3802, CVE-2015-3805, CVE-2015-3776, CVE-2015-3761)
 - Libc (CVE-2015-3796, CVE-2015-3797, CVE-2015-3798)
 - Libinfo (CVE-2015-5776)
 - libpthread (CVE-2015-5757)
 - libxml2 (CVE-2014-0191, CVE-2014-3660, CVE-2015-3807)
 - libxpc (CVE-2015-3795)
 - mail_cmds (CVE-2014-7844)
 - Notification Center OSX (CVE-2015-3764)
 - ntfs (CVE-2015-5763)
 - OpenSSH (CVE-2015-5600)
 - OpenSSL (CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792)
 - perl (CVE-2013-7422)
 - PostgreSQL (CVE-2014-0067, CVE-2014-8161, CVE-2015-0241, CVE-2015-0242, CVE-2015-0243, CVE-2015-0244)
 - python (CVE-2013-7040, CVE-2013-7338, CVE-2014-1912, CVE-2014-7185, CVE-2014-9365)
 - QL Office (CVE-2015-5773, CVE-2015-3784)
 - Quartz Composer Framework (CVE-2015-5771)
 - Quick Look (CVE-2015-3781)
 - QuickTime 7 (CVE-2015-3779, CVE-2015-5753, CVE-2015-5779, CVE-2015-3765, CVE-2015-3788, CVE-2015-3789, CVE-2015-3790, CVE-2015-3791, CVE-2015-3792, CVE-2015-5751)
 - SceneKit (CVE-2015-5772, CVE-2015-3783)
 - Security (CVE-2015-3775)
 - SMBClient (CVE-2015-3773)
 - Speech UI (CVE-2015-3794)
 - sudo (CVE-2013-1775, CVE-2013-1776, CVE-2013-2776, CVE-2013-2777, CVE-2014-0106, CVE-2014-9680)
 - tcpdump (CVE-2014-8767, CVE-2014-8769, CVE-2014-9140)
 - Text Formats (CVE-2015-3762)
 - udf (CVE-2015-3767)

 Note that successful exploitation of the most serious issues can result in arbitrary code execution.

The remote host is running a version of Mac OS X 10.10.x that is prior to 10.10.5. It is, therefore, affected by multiple vulnerabilities in the following components :

  - apache
  - apache_mod_php
  - Apple ID OD Plug-in
  - AppleGraphicsControl
  - Bluetooth
  - bootp
  - CloudKit
  - CoreMedia Playback
  - CoreText
  - curl
  - Data Detectors Engine
  - Date & Time pref pane
  - Dictionary Application
  - DiskImages
  - dyld
  - FontParser
  - groff
  - ImageIO
  - Install Framework Legacy
  - IOFireWireFamily
  - IOGraphics
  - IOHIDFamily
  - Kernel
  - Libc
  - Libinfo
  - libpthread
  - libxml2
  - libxpc
  - mail_cmds
  - Notification Center OSX
  - ntfs
  - OpenSSH
  - OpenSSL
  - perl
  - PostgreSQL
  - python
  - QL Office
  - Quartz Composer Framework
  - Quick Look
  - QuickTime 7
  - SceneKit
  - Security
  - SMBClient
  - Speech UI
  - sudo
  - tcpdump
  - Text Formats
  - udf 

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

Two security vulnerabilities were discovered in Heirloom mailx, an implementation of the 'mail' command :

CVE-2004-2771

mailx interprets interprets shell meta-characters in certain email addresses.

CVE-2014-7844

An unexpected feature of mailx treats syntactically valid email addresses as shell commands to execute.

Shell command execution can be re-enabled using the 'expandaddr' option.

Note that this security update does not remove all mailx facilities for command execution, though. Scripts which send mail to addresses obtained from an untrusted source (such as a web form) should use the '--' separator before the email addresses (which was fixed to work properly in this update), or they should be changed to invoke 'mail
-t' or 'sendmail -i -t' instead, passing the recipient addresses as part of the mail header.

For the oldstable distribution (squeeze), these problems have been fixed in version 12.4-2+deb6u1.

We recommend that you upgrade your heirloom-mailx packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that bsd-mailx, an implementation of the 'mail' command, had an undocumented feature which treats syntactically valid email addresses as shell commands to execute.

Users who need this feature can re-enable it using the 'expandaddr' in an appropriate mailrc file. This update also removes the obsolete -T option. An older security vulnerability, CVE-2004-2771, had already been addressed in the Debian's bsd-mailx package.

Note that this security update does not remove all mailx facilities for command execution, though. Scripts which send mail to addresses obtained from an untrusted source (such as a web form) should use the '--' separator before the email addresses (which was fixed to work properly in this update), or they should be changed to invoke 'mail
-t' or 'sendmail -i -t' instead, passing the recipient addresses as part of the mail header.

For the oldstable distribution (squeeze), this problem has been fixed in version 8.1.2-0.20100314cvs-1+deb6u1.

We recommend that you upgrade your bsd-mailx packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated nail package fixes security vulnerabilities :

A flaw was found in the way mailx handled the parsing of email addresses. A syntactically valid email address could allow a local attacker to cause mailx to execute arbitrary shell commands through shell meta-characters and the direct command execution functionality (CVE-2004-2771, CVE-2014-7844).

A flaw was found in the way mailx handled the parsing of email addresses. A syntactically valid email address could allow a local attacker to cause mailx to execute arbitrary shell commands through shell meta-characters and the direct command execution functionality.
(CVE-2004-2771 , CVE-2014-7844)

Note: Applications using mailx to send email to addresses obtained from untrusted sources will still remain vulnerable to other attacks if they accept email addresses which start with '-' (so that they can be confused with mailx options). To counteract this issue, this update also introduces the '--' option, which will treat the remaining command line arguments as email addresses.

It was discovered that bsd-mailx contained a feature that allowed syntactically valid email addresses to be treated as shell commands. A remote attacker could possibly use this issue with a valid email address to execute arbitrary commands.

This functionality has now been disabled by default, and can be re-enabled with the 'expandaddr' configuration option. This update alone does not remove all possibilities of command execution. In environments where scripts use mailx to process arbitrary email addresses, it is recommended to modify them to use a '--' separator before the address to properly handle those that begin with '-'.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security fix for CVE-2004-2771, CVE-2014-7844

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This mailx update fixes the following security issue :

bsc#909208: shell command injection via crafted email addresses (CVE-2004-2771, CVE-2014-7844)

This mailx update fixes the following security issues :

  - Shell command injection via crafted email addresses.
    (CVE-2004-2771 / CVE-2014-7844). (bnc#909208)

A flaw was found in the way mailx handled the parsing of email addresses. A syntactically valid email address could allow a local attacker to cause mailx to execute arbitrary shell commands through shell meta-characters and the direct command execution functionality.
(CVE-2004-2771, CVE-2014-7844)

Note: Applications using mailx to send email to addresses obtained from untrusted sources will still remain vulnerable to other attacks if they accept email addresses which start with '-' (so that they can be confused with mailx options). To counteract this issue, this update also introduces the '--' option, which will treat the remaining command line arguments as email addresses.

Updated mailx packages that fix two security issues are now available for Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The mailx packages contain a mail user agent that is used to manage mail using scripts.

A flaw was found in the way mailx handled the parsing of email addresses. A syntactically valid email address could allow a local attacker to cause mailx to execute arbitrary shell commands through shell meta-characters and the direct command execution functionality.
(CVE-2004-2771, CVE-2014-7844)

Note: Applications using mailx to send email to addresses obtained from untrusted sources will still remain vulnerable to other attacks if they accept email addresses which start with '-' (so that they can be confused with mailx options). To counteract this issue, this update also introduces the '--' option, which will treat the remaining command line arguments as email addresses.

All mailx users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

From Red Hat Security Advisory 2014:1999 :

Updated mailx packages that fix two security issues are now available for Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The mailx packages contain a mail user agent that is used to manage mail using scripts.

A flaw was found in the way mailx handled the parsing of email addresses. A syntactically valid email address could allow a local attacker to cause mailx to execute arbitrary shell commands through shell meta-characters and the direct command execution functionality.
(CVE-2004-2771, CVE-2014-7844)

Note: Applications using mailx to send email to addresses obtained from untrusted sources will still remain vulnerable to other attacks if they accept email addresses which start with '-' (so that they can be confused with mailx options). To counteract this issue, this update also introduces the '--' option, which will treat the remaining command line arguments as email addresses.

All mailx users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

Two security vulnerabilities were discovered in Heirloom mailx, an implementation of the 'mail' command :

  - CVE-2004-2771     mailx interprets shell meta-characters in certain email     addresses.

  - CVE-2014-7844     An unexpected feature of mailx treats syntactically     valid email addresses as shell commands to execute.

Shell command execution can be re-enabled using the 'expandaddr'option.

Note that this security update does not remove all mailx facilities for command execution, though. Scripts which send mail to addresses obtained from an untrusted source (such as a web form) should use the-- separator before the email addresses (which was fixed to work properly in this update), or they should be changed to invokemail -t or sendmail -i -t instead, passing the recipient addresses as part of the mail header.

It was discovered that bsd-mailx, an implementation of the 'mail' command, had an undocumented feature which treats syntactically valid email addresses as shell commands to execute.

Users who need this feature can re-enable it using the 'expandaddr' in an appropriate mailrc file. This update also removes the obsolete-T option. An older security vulnerability, CVE-2004-2771, had already been addressed in the Debian's bsd-mailx package.

Note that this security update does not remove all mailx facilities for command execution, though. Scripts which send mail to addresses obtained from an untrusted source (such as a web form) should use the-- separator before the email addresses (which was fixed to work properly in this update), or they should be changed to invokemail -t or sendmail -i -t instead, passing the recipient addresses as part of the mail header.

ID	Name	Product	Family	Severity
108927	GLSA-201804-06 : mailx: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
99238	F5 Networks BIG-IP : Mailx vulnerabilities (K16945)	Nessus	F5 Networks Local Security Checks	high
89084	Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : mailx (SSA:2016-062-01)	Nessus	Slackware Local Security Checks	high
8981	Mac OS X < 10.10.5 Multiple Vulnerabilities	Nessus Network Monitor	Operating System Detection	high
85408	Mac OS X 10.10.x < 10.10.5 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	high
82098	Debian DLA-114-1 : heirloom-mailx security update	Nessus	Debian Local Security Checks	high
82097	Debian DLA-113-1 : bsd-mailx security update	Nessus	Debian Local Security Checks	high
80430	Mandriva Linux Security Advisory : nail (MDVSA-2015:011)	Nessus	Mandriva Local Security Checks	high
80418	Amazon Linux AMI : mailx (ALAS-2015-467)	Nessus	Amazon Linux Local Security Checks	high
80413	Ubuntu 14.04 LTS : bsd-mailx vulnerability (USN-2455-1)	Nessus	Ubuntu Local Security Checks	high
80345	Fedora 19 : mailx-12.5-9.fc19 (2014-17277)	Nessus	Fedora Local Security Checks	high
80344	Fedora 20 : mailx-12.5-11.fc20 (2014-17245)	Nessus	Fedora Local Security Checks	high
80343	Fedora 21 : mailx-12.5-14.fc21 (2014-17243)	Nessus	Fedora Local Security Checks	high
80274	openSUSE Security Update : mailx (openSUSE-SU-2014:1713-1)	Nessus	SuSE Local Security Checks	high
80251	SuSE 11.3 Security Update : mailx (SAT Patch Number 10096)	Nessus	SuSE Local Security Checks	high
80075	Scientific Linux Security Update : mailx on SL6.x, SL7.x i386/x86_64 (20141216)	Nessus	Scientific Linux Local Security Checks	high
80074	RHEL 6 / 7 : mailx (RHSA-2014:1999)	Nessus	Red Hat Local Security Checks	high
80071	Oracle Linux 6 / 7 : mailx (ELSA-2014-1999)	Nessus	Oracle Linux Local Security Checks	high
80058	Debian DSA-3105-1 : heirloom-mailx - security update	Nessus	Debian Local Security Checks	high
80057	Debian DSA-3104-1 : bsd-mailx - security update	Nessus	Debian Local Security Checks	high
80056	CentOS 6 / 7 : mailx (CESA-2014:1999)	Nessus	CentOS Local Security Checks	high

Detections

Analytics

CVE-2014-7844

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high