I'm passing this on for Patrice Fournier who is not around today. ------------------------------------------------------------------------------ HylaFAX security advisory 4 Jan 2006 Subject: HylaFAX hfaxd and notify/faxrcvd vulnerabilities Introduction: HylaFAX is a mature (est. 1991) enterprise-class open-source software package for sending and receiving facsimiles as well as for sending alpha-numeric pages. It runs on a wide variety of UNIX-like platforms including Linux, BSD (including Mac OS X), SunOS and Solaris, SCO, IRIX, AIX, and HP-UX. See http://www.hylafax.org Problem Descriptions and Impact: 1. HylaFAX hfaxd will allow any password when compiled with PAM support disabled. Only HylaFAX version 4.2.3 is vulnerable. This vulnerability was mentioned by Dileep on the hylafax-users mailing list on December 12, was picked up and confirmed by Lee Horward and a fix was provided the same day by Todd Lipcon. The fix was committed to CVS-HEAD on December 15. This hfaxd PAM vulnerability has been assigned CVE-2005-3538 2. HylaFAX notify script passes unsanitised user-supplied data to eval, allowing remote attackers to execute arbitrary commands. The data needs to be part of a submitted job and as such, attackers must have access to submit faxes to the server in order to exploit this vulnerability. HylaFAX versions 4.2.0 up to 4.2.3 are vulnerable. Prior version used a awk notify script that was not vulnerable. This vulnerability was discovered and fixed by Patrice Fournier of iFAX Solutions, Inc. HylaFAX faxrcvd script also passes unsanitised user-supplied data to eval, allowing remote attackers to execute arbitrary commands. CallID (CIDName/CIDNumber) must be configured on the server and the attackers must have access to submit non alphanumeric characters as CallID data (which may not be possible for most configuration) in order to exploit this vulnerability. HylaFAX versions 4.2.2 and 4.2.3 are vulnerable. Prior version didn't support a variable number of CallID parameters. These vulnerabilities were discovered and fixed by Patrice Fournier of iFAX Solutions, Inc. The fix was committed to CVS-HEAD on January 4. These script vulnerabilities have been assigned CVE-2005-3539 Status: HylaFAX.org has released HylaFAX version 4.2.4 which includes changes to fix each of these problems. All HylaFAX users are strongly encouraged to upgrade. The HylaFAX 4.2.4 source code is available at ftp://ftp.hylafax.org/source/hylafax-4.2.4.tar.gz In the event that upgrading to 4.2.4 is not appropriate, the patches to fix those vulnerabilities are available at the following bug reports: http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=682 http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=719 If PAM support is NOT enabled and upgrading or patching is not possible, firewalling techniques restricting access to port 4559 are strongly encouraged. As the patches to faxrcvd and notify are simple changes to shell scripts, you should apply those patches in either case. No abuse of these vulnerabilities is known to HylaFAX development. Thanks, The vendor-sec mailing list was notified on 21st December, and HylaFAX CVS-HEAD was updated on 15 December for the PAM-disabled login vulnerability and on 4 January for the other two vulnerabilities. Patrice Fournier HylaFAX developer