INND Daemon Vulnerabilities
Impact
Versions of innd up to and including version 1.5.1 have a variety of vulnerabilities.
Background
The following problems have been reported:
- INN (versions 1.5.1 and earlier) passes metacommands to the ucbmail mailer without sufficient filtering. The mailer, which lacks sufficient checks for shell metacharacters, passes the unchecked data to a shell for processing. A remote attacker could send malicious metacharacters and execute arbitrary commands on the INN server.
- It is possible to pass malicious data to the innd daemon causing system commands to be executed by the owner of the daemon.
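The class of defect described above, seen from the fix side: the sketch below is an added example, not INN's code or its patch. It allow-lists a message-derived value before it reaches a mailer and starts the mailer without a shell. The function names, the mailer path parameter and the 254-character limit are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allow-list: only characters with no meaning to a shell. Reject, never escape.
 * The 254-character limit is an assumed bound, not a value from the advisory. */
int is_safe_mail_arg(const char *s)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@._+-";
    size_t n = strlen(s);

    if (n == 0 || n > 254 || s[0] == '-')  /* leading '-' would read as an option */
        return 0;
    return strspn(s, ok) == n;
}

/* Start the mailer with an argument vector, so this process never hands rcpt
 * to a shell. The allow-list still runs first because the mailer itself may
 * pass its arguments to a shell. The child inherits stdin for the message body.
 * Returns the mailer's exit status, or -1 if rcpt is rejected or the run fails. */
int run_mailer(const char *mailer_path, const char *rcpt)
{
    int status;
    pid_t pid;

    if (!is_safe_mail_arg(rcpt))
        return -1;
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)mailer_path, (char *)rcpt, NULL };
        execv(mailer_path, argv);
        _exit(127);                        /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed sample values, not taken from any real message. */
    const char *samples[] = { "newsmaster@example.com", "news@example.com;x", "-f" };
    for (size_t i = 0; i < 3; i++)
        printf("%-24s %s\n", samples[i], is_safe_mail_arg(samples[i]) ? "accept" : "reject");
    return 0;
}
```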
Resolution
Upgrade to the most recent version of INN (1.5.1 or newer). If upgrading to 1.5.1, then also apply the patch. Upgrade information is available on the Internet Software Consortium (ISC) web site.
Reference (2):
CERT CA-97.08
INN home page