Bug 76168 - mail-filter/spamassassin: spamd listening on all interfaces by default
Summary: mail-filter/spamassassin: spamd listening on all interfaces by default
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: [ebuild]
Reported: 2004-12-30 12:31 UTC by Andreas Niess
Modified: 2005-01-30 10:33 UTC
Description Andreas Niess 2004-12-30 12:31:11 UTC
/etc/conf.d/spamd:
SPAMD_OPTS="-i -m 5 -c -H"

spamd should only listen on localhost by default:
SPAMD_OPTS="-m 5 -c -H"


Reproducible: Always
Comment 1 Dan Margolis (RETIRED) gentoo-dev 2004-12-30 13:03:48 UTC
He's right. The latest config--which I hadn't merged yet--specifies -i. 

Anyone? Bueller? Anyone?
Comment 2 Kurt Lieber (RETIRED) gentoo-dev 2004-12-31 05:03:14 UTC
This isn't a security bug.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-01-02 10:43:35 UTC
Kurt: it's not a vulnerability, but I would agree it's a default config that can be tightened, so it's a "Default config" security bug.

Perl team: please comment on the configuration change.
Comment 4 Malte S. Stretz 2005-01-16 11:01:35 UTC
That option was added by me to the sample config file; I wasn't sure if I wanted to keep it but then forgot to re-evaluate the flag before I submitted the new ebuild.

The background: With -i spamd does indeed listen on all interfaces. But it won't accept any connections from there. You have to allow clients by adding additional -A switches.

I added the switch because even I, as a dev, was confused when I tried to access a spamd from two different servers, added the -As and nothing worked nevertheless ;~)

Normally this wouldn't have any security issues though I don't know how this plays together with bug 64133.  Feel free to remove that switch.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-01-17 01:05:32 UTC
I suppose that the bug 64133 vulnerability (DoS by timeout) requires accepted connections, and what you say tends to prove that spamd won't accept them unless you have the corresponding -A flag.

Krispy (or someone else with a spamd setup): could you test if you can still attack remotely using the PoC on bug 64133 with a setup that listens to all interfaces but just accepts from localhost?
Comment 6 Stefan Cornelius (RETIRED) gentoo-dev 2005-01-17 09:02:20 UTC
The default configuration allows a DoS from remote.

In order to fix that, we need to get back to the old config:
SPAMD_OPTS="-m 5 -c -H"
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-01-17 09:10:37 UTC
So this config change does not play nice with bug 64133.
Perl team, please fix default configuration as it is now vulnerable by default.
Comment 8 Michael Cummings (RETIRED) gentoo-dev 2005-01-24 07:39:14 UTC
conf changed
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-01-27 07:01:46 UTC
Michael: revbumping at least the 3.0.2 and the 2.64 version so that people upgrading can merge the fix would be a good idea.
Comment 10 Michael Cummings (RETIRED) gentoo-dev 2005-01-30 06:10:06 UTC
Sorry for the delay, bump in progress (soon as my cvs connection resolves itself)
Comment 11 Michael Cummings (RETIRED) gentoo-dev 2005-01-30 06:13:32 UTC
OK, committed, though after signing the manifest I realized there was no reason to bump 2.64 - it was the conf for 3.x that was the bug. So any SA 2.64 users out there who stumble on this bug - sorry about that, folks.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-01-30 10:33:53 UTC
Bug fixed, thanks Michael.
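
Added example, not part of the original bug thread or the Gentoo ebuild: a shell check that reads SPAMD_OPTS from a conf.d-style file and reports whether spamd would listen beyond loopback. A bare -i is reported as exposed, since comment 6 found that configuration open to the remote DoS. The function names are hypothetical, and the check assumes options are written as separate words, as in the bug's config.

```shell
#!/bin/sh
# Added example (function names are hypothetical). Assumes each option is a
# separate word, as in the bug's config; bundled short flags are not parsed.

# Print the SPAMD_OPTS value from a conf.d-style file without sourcing it.
spamd_opts_from_file() {
    sed -n "s/^[[:space:]]*SPAMD_OPTS=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Print "loopback" (no -i), "all-interfaces" (bare -i) or "address:<ip>".
spamd_listen_scope() {
    scope=loopback
    set -f; set -- $1; set +f   # deliberate word splitting, globbing off
    while [ $# -gt 0 ]; do
        case $1 in
            --listen-ip=*) scope="address:${1#--listen-ip=}" ;;
            -i|--listen-ip)
                # The address is optional: end of string or another flag
                # after -i means spamd binds every interface.
                case ${2:-} in
                    ''|-*) scope=all-interfaces ;;
                    *) scope="address:$2"; shift ;;
                esac ;;
        esac
        shift
    done
    case $scope in
        address:0.0.0.0) scope=all-interfaces ;;
        address:127.*|address:localhost) scope=loopback ;;
    esac
    printf '%s\n' "$scope"
}

# Report one file; exit status 0 only if spamd stays on loopback.
spamd_audit() {
    opts=$(spamd_opts_from_file "$1")
    scope=$(spamd_listen_scope "$opts")
    printf '%s: SPAMD_OPTS="%s" -> %s\n' "$1" "$opts" "$scope"
    [ "$scope" = loopback ]
}

# Demo on the two settings quoted in the bug, written to a temp file.
tmp=$(mktemp)
printf 'SPAMD_OPTS="-i -m 5 -c -H"\n' > "$tmp"
spamd_audit "$tmp" || echo "  -> reachable beyond loopback"
printf 'SPAMD_OPTS="-m 5 -c -H"\n' > "$tmp"
spamd_audit "$tmp" && echo "  -> loopback only"
rm -f "$tmp"
```

On a live host, `spamd_audit /etc/conf.d/spamd` gives the same report for the installed file, and its exit status can gate a configuration check.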