It was discovered that bsd-mailx contained a feature that allowed syntactically valid email addresses to be treated as shell commands. A remote attacker could possibly use this issue with a valid email address to execute arbitrary commands. This functionality has now been disabled by default, and can be re-enabled with the "expandaddr" configuration option.

This update alone does not remove all possibilities of command execution. In environments where scripts use mailx to process arbitrary email addresses, it is recommended to modify them to use a "--" separator before the address to properly handle those that begin with "-". In addition, specifying sendmail options after the "--" separator is no longer supported; existing scripts may need to be modified to use the "-a" option instead.

The problem can be corrected by updating your system to the following package version:

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In general, a standard system update will make all the necessary changes.

CVE-2014-7844
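The "--" separator the advisory recommends, shown in an added shell wrapper that is not part of the advisory or of bsd-mailx. The names `send_report`, `rcpt_is_plain` and `echo_argv` are assumptions; `MAILX` defaults to a dry-run stand-in that only echoes the argument vector, so the script runs where mailx is not installed.

```shell
#!/bin/sh
# Added example: invoke bsd-mailx with "--" before the recipient so an
# address beginning with "-" is passed as an address, never parsed as an
# option. MAILX defaults to a dry-run that prints the argv it would run.

MAILX="${MAILX:-echo_argv}"

# Dry-run stand-in for mailx (assumed helper): one argument per line.
echo_argv() {
    printf '%s\n' "$@"
}

# Conservative allow-list for recipients, stricter than RFC 5322: a single
# local@domain token with no shell metacharacters and no leading "-".
# Refusing early means mailx never sees an address it could misparse.
rcpt_is_plain() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._+@-]*) return 1 ;;
        *@*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Send a fixed body to one recipient. Options go before "--", the address
# after it; sendmail options are no longer accepted after "--" (see advisory).
send_report() {
    subject=$1
    rcpt=$2
    rcpt_is_plain "$rcpt" || { echo "refused recipient: $rcpt" >&2; return 2; }
    printf 'daily report\n' | "$MAILX" -s "$subject" -- "$rcpt"
}
```

Run with `MAILX=mailx` to send for real; the dry-run default is for inspecting the argument order.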