I'm passing this on for Patrice Fournier who is not around today.
------------------------------------------------------------------------------

HylaFAX security advisory
4 Jan 2006

Subject:  HylaFAX hfaxd and notify/faxrcvd vulnerabilities

Introduction:

HylaFAX is a mature (est. 1991) enterprise-class open-source software
package for sending and receiving facsimiles as well as for sending
alpha-numeric pages.  It runs on a wide variety of UNIX-like platforms
including Linux, BSD (including Mac OS X), SunOS and Solaris, SCO, IRIX,
AIX, and HP-UX.  See http://www.hylafax.org


Problem Descriptions and Impact:

1. HylaFAX hfaxd will allow any password when compiled with PAM support
disabled.

Only HylaFAX version 4.2.3 is vulnerable. 

This vulnerability was mentioned by Dileep <dileep@networkgulf.com>
on the hylafax-users mailing list on December 12, was picked up and 
confirmed by Lee Horward and a fix was provided the same day by Todd
Lipcon. The fix was committed to CVS-HEAD on December 15.

This hfaxd PAM vulnerability has been assigned CVE-2005-3538

2. HylaFAX notify script passes unsanitised user-supplied data to eval,
allowing remote attackers to execute arbitrary commands. The data needs to be
part of a submitted job and as such, attackers must have access to submit faxes
to the server in order to exploit this vulnerability.

HylaFAX versions 4.2.0 up to 4.2.3 are vulnerable. Prior version used
a awk notify script that was not vulnerable. This vulnerability was
discovered and fixed by Patrice Fournier of iFAX Solutions, Inc.

HylaFAX faxrcvd script also passes unsanitised user-supplied data to eval,
allowing remote attackers to execute arbitrary commands. CallID 
(CIDName/CIDNumber) must be configured on the server and the attackers
must have access to submit non alphanumeric characters as CallID data
(which may not be possible for most configuration) in order to exploit
this vulnerability.

HylaFAX versions 4.2.2 and 4.2.3 are vulnerable. Prior version didn't support a
variable number of CallID parameters. These vulnerabilities were discovered and
fixed by Patrice Fournier of iFAX Solutions, Inc. The fix was committed to
CVS-HEAD on January 4.

These script vulnerabilities have been assigned CVE-2005-3539


Status:

HylaFAX.org has released HylaFAX version 4.2.4 which includes changes
to fix each of these problems.  All HylaFAX users are strongly
encouraged to upgrade.  The HylaFAX 4.2.4 source code is available at

   ftp://ftp.hylafax.org/source/hylafax-4.2.4.tar.gz

In the event that upgrading to 4.2.4 is not appropriate, the patches to
fix those vulnerabilities are available at the following bug reports:

   http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=682
   http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=719

If PAM support is NOT enabled and upgrading or patching is not possible,
firewalling techniques restricting access to port 4559 are strongly
encouraged. As the patches to faxrcvd and notify are simple changes to
shell scripts, you should apply those patches in either case.

No abuse of these vulnerabilities is known to HylaFAX development.

Thanks,

The vendor-sec mailing list was notified on 21st December, and HylaFAX
CVS-HEAD was updated on 15 December for the PAM-disabled login
vulnerability and on 4 January for the other two vulnerabilities.

Patrice Fournier
HylaFAX developer