#VU11823 Command injection in Heirloom mailx and BSD mailx - CVE-2014-7844


Vulnerability identifier: #VU11823

Vulnerability risk: Low

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2014-7844

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Heirloom mailx
Web applications / Webmail solutions
BSD mailx
Web applications / Webmail solutions

Vendor: Heirloom Project
FreeBSD Foundation

Description
The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The weakness exists due to improper handling of the parsing of email addresses. A remote attacker can execute arbitrary commands through the direct command execution functionality.

Mitigation
Update BSD mailx to version 8.1.2.20160123.

Vulnerable software versions

Heirloom mailx: 12.0 - 12.5

BSD mailx: 8.1.2

External links
https://seclists.org/oss-sec/2014/q4/1066

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Command injection in heirloom-mailx (Alpine package)
Gentoo update for mailx
Slackware Linux update for mailx
Debian update for heirloom-mailx
Debian update for bsd-mailx
Amazon Linux AMI update for mailx
Ubuntu update for bsd-mailx
Red Hat update for mailx