Security vulnerability in SpamAssassin filter module
The SpamAssassin Milter plug-in, which plugs into Milter and calls SpamAssassin, contains a security vulnerability that attackers can exploit with a crafted email to inject and execute code on a mail server. The SpamAssassin Milter plug-in is frequently used to run SpamAssassin on Postfix servers.
The vulnerability can only be exploited if the plug-in is called with the -x (expand) flag. For attackers to obtain root privileges, as the author of the security advisory proclaims, the plug-in has to be started as root, which is highly inadvisable in any case. The attack is delivered via a specially crafted recipient (RCPT TO) and therefore cannot succeed if the plug-in only receives emails addressed to defined addresses.
The Internet Storm Center reports that the vulnerability is already being actively exploited online. To be on the safe side, Postfix administrators who use SpamAssassin should check their configurations. The developers are working on a patch.
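One way to carry out the configuration check recommended above, as an added example that is not part of the original article or of the plug-in's own code: it reads process-list lines and reports whether the plug-in runs with -x and whether it runs as root. The binary name spamass-milter, the severity labels and the sample process lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag spamass-milter processes started with -x and/or as root.
# Input format is that of `ps -eo user,args`: USER COMMAND ARGS...

# has_expand_flag ARGS... : succeeds if -x is among the milter's own options.
has_expand_flag() {
    for tok in "$@"; do
        case "$tok" in
            --) return 1 ;;          # options after "--" are passed on to spamc
            -x) return 0 ;;
            -*[!A-Za-z]*) ;;         # attached value such as -p/run/x.sock
            -*x*) return 0 ;;        # bundled letters such as -fx (conservative guess)
        esac
    done
    return 1
}

# audit_milter: one finding per spamass-milter line read from stdin.
audit_milter() {
    while read -r user cmd args; do
        [ "${cmd##*/}" = "spamass-milter" ] || continue
        set -f                       # split $args into words without globbing
        if has_expand_flag $args; then expand=yes; else expand=no; fi
        set +f
        case "$expand:$user" in
            yes:root) level=CRITICAL ;;   # -x set and running as root
            yes:*)    level=EXPOSED ;;    # -x set, unprivileged user
            no:root)  level=WARN ;;       # -x absent, but should not run as root
            *)        level=OK ;;
        esac
        printf '%s user=%s expand=%s\n' "$level" "$user" "$expand"
    done
}

# Constructed sample process list (not from a real host).
sample_ps() {
    cat <<'EOF'
root /usr/sbin/spamass-milter -p /var/run/sa.sock -x -f
spamd /usr/sbin/spamass-milter -p /var/run/sa.sock -fx
spamd /usr/sbin/spamass-milter -p /var/run/x.sock -f -- -x
root /usr/sbin/spamass-milter -p /var/run/sa.sock -f
postfix /usr/lib/postfix/smtpd -n smtp
EOF
}

sample_ps | audit_milter    # on a live host: ps -eo user,args | audit_milter
```

Any line reported as CRITICAL or EXPOSED means the -x flag is active; removing it and running the plug-in as an unprivileged user addresses both conditions the article names.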
See also:
- Spamassassin Milter Plugin Remote Root, Full Disclosure post.
- SpamAssassin Milter Plugin - Bugs: bug #29136, discussion about a patch.
- Apache Software Foundation releases SpamAssassin 3.3.0, a report from The H.
(crve)