Rapid7 Vulnerability & Exploit Database

CESA-2003:008: mgetty security update

Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published: 01/17/2003
Created: 07/25/2018
Added: 03/12/2010
Modified: 07/04/2017

Description

Updated Mgetty packages are now available to fix a possible buffer overflow and a permissions problem.

Mgetty is a getty replacement for use with data and fax modems. Mgetty can be configured to run an external program to decide whether or not to answer an incoming call based on Caller ID information. Versions of Mgetty prior to 1.1.29 would overflow an internal buffer if the caller name reported by the modem was too long. Additionally, the faxspool script supplied with versions of Mgetty prior to 1.1.29 used a simple permissions scheme to allow or deny fax transmission privileges. This scheme was easily circumvented because the spooling directory used for outgoing faxes was world-writable. All users of Mgetty should upgrade to these errata packages, which contain Mgetty 1.1.30 and are not vulnerable to these issues.

Solution(s)

  • centos-upgrade-mgetty
  • centos-upgrade-mgetty-sendfax
  • centos-upgrade-mgetty-viewfax
  • centos-upgrade-mgetty-voice
