SquirrelMail up to 1.4.1 ypmatch map_yp_alias privileges management
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.0 | $0-$5k | 0.00 |
Summary
A vulnerability was found in SquirrelMail up to 1.4.1. It has been classified as critical. Affected by this issue is the function map_yp_alias of the component ypmatch. Performing a manipulation results in privileges management.
This vulnerability is identified as CVE-2009-1381. There is not any exploit available.
Upgrading the affected component is recommended.
Details
A vulnerability was found in SquirrelMail up to 1.4.1 (Mail Client Software). It has been classified as critical. This affects the function map_yp_alias of the component ypmatch. The manipulation with an unknown input leads to a privileges management vulnerability. CWE is classifying the issue as CWE-269. The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:
The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.19-1 on Debian GNU/Linux, and possibly other operating systems and versions, allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program. NOTE: this issue exists because of an incomplete fix for CVE-2009-1579.
The bug was discovered 05/21/2009. The weakness was released 05/22/2009 by Tomas Hoger as not defined posting (Bugtraq). It is possible to read the advisory at securityfocus.com. This vulnerability is uniquely identified as CVE-2009-1381 since 04/23/2009. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1068 according to MITRE ATT&CK.
The vulnerability was handled as a non-public zero-day exploit for at least 1 days. During that time the estimated underground price was around $0-$5k. The vulnerability scanner Nessus provides a plugin with the ID 67865 (Oracle Linux 3 / 4 / 5 : squirrelmail (ELSA-2009-1066)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Oracle Linux Local Security Checks and running in the context l.
Upgrading to version 1.2.6-rc1 eliminates this vulnerability. A possible mitigation has been published 5 days after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at X-Force (50825), Tenable (67865), SecurityFocus (BID 34916†), OSVDB (54506†) and Secunia (SA35140†). Entries connected to this vulnerability are available at VDB-4141, VDB-48184, VDB-48183 and VDB-48182. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Product
Type
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.3VulDB Meta Temp Score: 7.0
VulDB Base Score: 7.3
VulDB Temp Score: 7.0
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Privileges managementCWE: CWE-269 / CWE-266
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 67865
Nessus Name: Oracle Linux 3 / 4 / 5 : squirrelmail (ELSA-2009-1066)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
Nessus Port: 🔍
OpenVAS ID: 64037
OpenVAS Name: Debian Security Advisory DSA 1802-2 (squirrelmail)
OpenVAS File: 🔍
OpenVAS Family: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Upgrade: SquirrelMail 1.2.6-rc1
Timeline
04/23/2009 🔍05/12/2009 🔍
05/20/2009 🔍
05/21/2009 🔍
05/22/2009 🔍
05/22/2009 🔍
05/22/2009 🔍
05/24/2009 🔍
05/27/2009 🔍
07/12/2013 🔍
03/17/2015 🔍
09/04/2019 🔍
Sources
Advisory: securityfocus.com⛔Researcher: Tomas Hoger
Status: Not defined
CVE: CVE-2009-1381 (🔍)
GCVE (CVE): GCVE-0-2009-1381
GCVE (VulDB): GCVE-100-48291
OVAL: 🔍
X-Force: 50825
SecurityFocus: 34916 - SquirrelMail Prior to 1.4.18 Multiple Vulnerabilities
Secunia: 35140
OSVDB: 54506 - SquirrelMail map_yp_alias function command execution
Vulnerability Center: 22140 - SquirreMail Prior to 1.4.19-1 Remote Arbitrary code Execution Vulnerability via Shell Metacharacters, High
See also: 🔍
Entry
Created: 03/17/2015 23:38Updated: 09/04/2019 16:52
Changes: 03/17/2015 23:38 (81), 09/04/2019 16:52 (4)
Complete: 🔍
Cache ID: 216:02B:103
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.