ID CVE-2004-0884
Summary The (1) libsasl and (2) libsasl2 libraries in Cyrus-SASL 2.1.18 and earlier trust the SASL_PATH environment variable to find all available SASL plug-ins, which allows local users to execute arbitrary code by modifying the SASL_PATH to point to malicious programs.
Vulnerable Configurations
  • cpe:2.3:a:cyrus:sasl:1.5.24
  • cpe:2.3:a:cyrus:sasl:1.5.27
  • cpe:2.3:a:cyrus:sasl:1.5.28
  • cpe:2.3:a:cyrus:sasl:2.1.9
  • cpe:2.3:a:cyrus:sasl:2.1.10
  • cpe:2.3:a:cyrus:sasl:2.1.11
  • cpe:2.3:a:cyrus:sasl:2.1.12
  • cpe:2.3:a:cyrus:sasl:2.1.13
  • cpe:2.3:a:cyrus:sasl:2.1.14
  • cpe:2.3:a:cyrus:sasl:2.1.15
  • cpe:2.3:a:cyrus:sasl:2.1.16
  • cpe:2.3:a:cyrus:sasl:2.1.17
  • cpe:2.3:a:cyrus:sasl:2.1.18
  • cpe:2.3:a:cyrus:sasl:2.1.18_r1
  • Conectiva Linux 9.0
    cpe:2.3:o:conectiva:linux:9.0
  • Conectiva Linux 10.0
    cpe:2.3:o:conectiva:linux:10.0
CVSS
Base: 7.2 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
Access
  • Vector: LOCAL
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: COMPLETE
  • Integrity: COMPLETE
  • Availability: COMPLETE
nessus via4
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2005-003.NASL
    description The remote host is missing Security Update 2005-003. This security update contains security fixes for the following applications: AFP Server, Bluetooth Setup Assistant, Core Foundation, Cyrus IMAP, Cyrus SASL, Folder Permissions, Mailman, Safari. These programs have multiple vulnerabilities which may allow a remote attacker to execute arbitrary code.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 17587
    published 2005-03-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17587
    title Mac OS X Multiple Vulnerabilities (Security Update 2005-003)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2004-546.NASL
    description Updated cyrus-sasl packages that fix a setuid and setgid application vulnerability are now available. [Updated 7th October 2004] Revised cyrus-sasl packages have been added for Red Hat Enterprise Linux 3; the patch in the previous packages broke interaction with ldap. The cyrus-sasl package contains the Cyrus implementation of SASL. SASL is the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols. At application startup, libsasl and libsasl2 attempt to build a list of all available SASL plug-ins which are available on the system. To do so, the libraries search for and attempt to load every shared library found within the plug-in directory. This location can be set with the SASL_PATH environment variable. In situations where an untrusted local user can affect the environment of a privileged process, this behavior could be exploited to run arbitrary code with the privileges of a setuid or setgid application. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0884 to this issue. Users of cyrus-sasl should upgrade to these updated packages, which contain backported patches and are not vulnerable to this issue.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 15441
    published 2004-10-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15441
    title RHEL 2.1 / 3 : cyrus-sasl (RHSA-2004:546)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_CYRUS_SASL_1528_3.NASL
    description The following package needs to be updated: cyrus-sasl
    last seen 2016-09-26
    modified 2004-10-18
    plugin id 15495
    published 2004-10-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15495
    title FreeBSD : cyrus-sasl -- dynamic library loading and set-user-ID applications (35)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200410-05.NASL
    description The remote host is affected by the vulnerability described in GLSA-200410-05 (Cyrus-SASL: Buffer overflow and SASL_PATH vulnerabilities) Cyrus-SASL contains a remote buffer overflow in the digestmda5.c file. Additionally, under certain conditions it is possible for a local user to exploit a vulnerability in the way the SASL_PATH environment variable is honored (CAN-2004-0884). Impact : An attacker might be able to execute arbitrary code with the Effective ID of the application calling the Cyrus-SASL libraries. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 15431
    published 2004-10-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15431
    title GLSA-200410-05 : Cyrus-SASL: Buffer overflow and SASL_PATH vulnerabilities
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2004-106.NASL
    description A vulnerability was discovered in the libsasl library of cyrus-sasl. libsasl honors the SASL_PATH environment variable blindly, which could allow a local user to create a malicious 'library' that would get executed with the effective ID of SASL when anything calls libsasl. The provided packages are patched to protect against this vulnerability.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 15435
    published 2004-10-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15435
    title Mandrake Linux Security Advisory : cyrus-sasl (MDKSA-2004:106)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_92268205194711D9BC4A000C41E2CDAD.NASL
    description The Cyrus SASL library, libsasl, contains functions which may load dynamic libraries. These libraries may be loaded from the path specified by the environmental variable SASL_PATH, which in some situations may be fully controlled by a local attacker. Thus, if a set-user-ID application (such as chsh) utilizes libsasl, it may be possible for a local attacker to gain superuser privileges.
    last seen 2019-02-21
    modified 2018-11-21
    plugin id 37777
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=37777
    title FreeBSD : cyrus-sasl -- dynamic library loading and set-user-ID applications (92268205-1947-11d9-bc4a-000c41e2cdad)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2004-332.NASL
    description At application startup, libsasl and libsasl2 attempt to build a list of all SASL plug-ins which are available on the system. To do so, the libraries search for and attempt to load every shared library found within the plug-in directory. This location can be set with the SASL_PATH environment variable. In situations where an untrusted local user can affect the environment of a privileged process, this behavior could be exploited to run arbitrary code with the privileges of a setuid or setgid application. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0884 to this issue. Users of cyrus-sasl should upgrade to these updated packages, which contain backported patches and are not vulnerable to this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 15454
    published 2004-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15454
    title Fedora Core 2 : cyrus-sasl-2.1.18-2.2 (2004-332)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-563.NASL
    description This advisory is an addition to DSA 563-1 and 563-2 which weren't able to supersede the library on sparc and arm due to a different version number for them in the stable archive. Other architectures were updated properly. Another problem was reported in connection with sendmail, though, which should be fixed with this update as well.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 15661
    published 2004-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15661
    title Debian DSA-563-3 : cyrus-sasl - unsanitised input
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-568.NASL
    description A vulnerability has been discovered in the Cyrus implementation of the SASL library, the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols. The library honors the environment variable SASL_PATH blindly, which allows a local user to link against a malicious library to run arbitrary code with the privileges of a setuid or setgid application. The MIT version of the Cyrus implementation of the SASL library provides bindings against MIT GSSAPI and MIT Kerberos4.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 15666
    published 2004-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15666
    title Debian DSA-568-1 : cyrus-sasl-mit - unsanitised input
oval via4
accepted 2013-04-29T04:15:18.355-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
description The (1) libsasl and (2) libsasl2 libraries in Cyrus-SASL 2.1.18 and earlier trust the SASL_PATH environment variable to find all available SASL plug-ins, which allows local users to execute arbitrary code by modifying the SASL_PATH to point to malicious programs.
family unix
id oval:org.mitre.oval:def:11678
status accepted
submitted 2010-07-09T03:56:16-04:00
title The (1) libsasl and (2) libsasl2 libraries in Cyrus-SASL 2.1.18 and earlier trust the SASL_PATH environment variable to find all available SASL plug-ins, which allows local users to execute arbitrary code by modifying the SASL_PATH to point to malicious programs.
version 23
redhat via4
advisories
  • rhsa
    id RHSA-2004:546
refmap via4
apple APPLE-SA-2005-03-21
bid 11347
bugtraq 20050128 [OpenPKG-SA-2005.004] OpenPKG Security Advisory (sasl)
ciac P-003
confirm http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=134657
debian
  • DSA-563
  • DSA-568
fedora FLSA:2137
gentoo GLSA-200410-05
mandrake MDKSA-2004:106
trustix 2004-0053
xf cyrus-sasl-saslpath(17643)
Last major update 17-10-2016 - 22:49
Published 27-01-2005 - 00:00
Last modified 10-10-2017 - 21:29