Note: The red stoplight in this tutorial indicates the highest possible severity level for innd vulnerabilities. The severity level of this particular instance is indicated next to the link to this page on the previous screen. If there is a red dot, then your version of innd has a critical vulnerability and needs to be upgraded. If there is a brown dot, then it could not be determined whether or not your system has the needed patches, and further investigation is required. Read the explanation below.
The first vulnerability in innd is a buffer overflow condition in the code which processes a cancel request to the control newsgroup. A remote attacker could execute arbitrary code by sending the server a message with specially crafted Message-ID and From fields. This vulnerability is only exploitable if the verifycancels option is enabled in the innd.conf file.
The second vulnerability we will discuss involves the INN daemon (the innd process). innd handles "newgroup" and "rmgroup" control messages by running a shell script named parsecontrol, which uses the shell's eval command. Data taken from the body of a news message can reach that eval command, and such data may be actual shell commands, which the system will then execute. This is possible because, in certain circumstances, the information passed to eval is not adequately checked for characters that are special to the shell.
This means, of course, that anyone who is able to send messages to an INN server (that is, almost anyone with Usenet access) may potentially be able to execute arbitrary commands on the server on which INN resides. These commands run with the uid and privileges of the innd process on that server (so if innd runs as root, the commands run with root privileges). Because these specially formatted news messages are usually passed straight through a firewall to a news server, systems hosting innd behind a firewall are still vulnerable to this type of attack. Also, because the commands are executed before the system does its authorization checking, programs such as pgpverify will not prevent this problem.
The third vulnerability we will discuss is similar to, but not the same as, the vulnerability discussed above. This problem is found in INN and also in ucbmail (a program typically configured as INN's default mailer). As in the vulnerability described above, this problem also concerns specially formatted messages which contain, in the body of the message, certain shell "metacharacters". Normally, INN will perform checks for, and remove, these metacharacters from data in control messages. However, in certain circumstances these checks are inadequate, and these metacharacters are passed on "as-is" to the ucbmail mailer program. ucbmail, which lacks the capability to do metacharacter checking, passes these metacharacters on to the shell, where they are processed. Using these metacharacters, a malicious user may have the ability to execute commands on the system hosting INN. For instance, the user may decide to overwrite the system's password file, run background processes that collect information or even, in worst case scenarios, delete the contents of that system's root file system.
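The check that both shell-related problems above depend on, written out as an added example rather than INN's own parsecontrol script: the arguments of a newgroup/rmgroup Control line are split without eval or unquoted word-splitting and the group name is rejected if it contains anything outside a conservative character set, before any of it reaches a shell command or the mailer. The function names, the "ok/reject" output format and the accepted character set [A-Za-z0-9._+-] are assumptions.

```sh
#!/bin/sh
# Added example, not INN's own parsecontrol script: a metacharacter gate for
# the arguments of "newgroup"/"rmgroup" control messages, applied before any
# of that data reaches eval or a mailer command line. Assumed: the Control
# line is a single string such as "newgroup comp.example.test moderated", and
# a valid group name uses only the characters [A-Za-z0-9._+-].

# Return 0 only if $1 is non-empty and contains nothing outside the allowed
# set. A single "case" pattern does the check; no eval, no external command.
is_safe_name() {
    case "$1" in
        '')                   return 1 ;;   # empty is not a name
        *[!A-Za-z0-9._+-]*)   return 1 ;;   # any other byte: reject
        *)                    return 0 ;;
    esac
}

# Split a Control line into verb and group with parameter expansion rather
# than unquoted word-splitting (which would also glob-expand "*" and "?").
# Prints "ok <verb> <group>" or "reject <reason>" and returns 0 or 1.
check_control() {
    line=$1
    verb=${line%% *}        # text before the first space
    rest=${line#* }         # text after the first space (= $line if none)
    group=${rest%% *}       # first word of the remainder
    case "$verb" in
        newgroup|rmgroup) ;;
        *) echo "reject unknown-verb"; return 1 ;;
    esac
    if [ "$rest" = "$line" ]; then
        echo "reject missing-group"; return 1
    fi
    if ! is_safe_name "$group"; then
        echo "reject bad-name"; return 1
    fi
    # Only now is "$group" safe to hand to a command, always double-quoted.
    echo "ok $verb $group"
    return 0
}
```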
If the version of INN that is being run is earlier than 2.2.3, then ensure that the verifycancels option is disabled in your innd.conf file. This action will remedy the first vulnerability; however, if your version is earlier than 1.6 you are still affected by the other vulnerabilities. The surest fix if your version is earlier than 1.6 is to upgrade to the latest version. You may always find the latest version of INN at the Internet Software Consortium's (ISC) INN Site. ISC is the primary developer of INN.
If it is not practical to upgrade to version 1.6 or later at this time, and you are running a version of INN prior to version 1.5.1, then it is strongly recommended that you at least upgrade to version 1.5.1 (this link will take you to the ISC ftp site, which is often reorganized as newer versions of INN are released. If you need any help navigating through this site, please contact ISC). When upgrading to version 1.5.1, please be sure to read the README file carefully. Once you have upgraded to version 1.5.1, you must then install Security-Patch.05. This patch will protect your INN installation from the vulnerabilities discussed in this brief, and others as well. However, it would be wise to visit the ISC INN site from time to time to keep abreast of any emerging security issues relating to INN version 1.5.1, and also to download and install any relevant patches that may become available.
If you choose not to upgrade to version 1.5.1, 1.6 or a later version of INN, please be aware that you will remain vulnerable to certain exploits. Patches are available for some versions earlier than 1.5.1, but not all (for example, INN version 1.4sec2 has no patch for the exploits discussed above). These patches may be found at the ISC INN site. As always, it is a good idea to check with your OS vendor to learn about any OS-specific security issues.