Bug #32753
CVE-2021-3584: Remote code execution through Sendmail configuration
Description
Sendmail location and arguments, available via Administer - Settings,
both accept arbitrary strings and pass them into a shell.
By default, only the Foreman super administrator can access settings.
Mitigation: Verify both settings and remove the edit_settings
permission from all roles and users until fixed. Alternatively, create
settings named sendmail_location and sendmail_arguments in the settings.yaml
file to override the UI and make the values read-only.
Solution: Limit the possible values for location to just the expected paths.
Use shell escaping for arguments, as there is currently no way to pass
arguments to the 'mail' gem safely.
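The two fixes named in the solution, an allowlist for the location and shell escaping for the arguments, side by side with the vulnerable string-interpolation pattern. This is an added example written for this page; it is not Foreman's code and not the patch in the linked pull request. The allowed sendmail paths, the function names and the injected setting values are constructed assumptions used to show the behaviour.

```ruby
require 'shellwords'

# Assumed allowlist of expected sendmail binaries (not Foreman's list).
ALLOWED_SENDMAIL_LOCATIONS = %w[
  /usr/sbin/sendmail
  /usr/bin/sendmail
  /usr/lib/sendmail
].freeze

class SendmailSettingError < StandardError; end

# Vulnerable pattern: both admin-editable settings are interpolated into one
# command line that a shell will later interpret. Any ';', '$(...)' or '`'
# in either value becomes a second command run as the Foreman user.
def unsafe_sendmail_command(location, arguments)
  "#{location} #{arguments}"
end

# Hardened location: accept only an exact match from the allowlist, so the
# setting cannot point at /bin/sh or a script dropped elsewhere.
def validated_sendmail_location(location)
  unless ALLOWED_SENDMAIL_LOCATIONS.include?(location)
    raise SendmailSettingError, "unexpected sendmail location: #{location.inspect}"
  end
  location
end

# Hardened arguments: split the admin-supplied string into words the way a
# shell would (quotes respected, metacharacters NOT interpreted), then escape
# each word so the rebuilt string carries no unescaped shell syntax. An
# unbalanced quote makes Shellwords.split raise ArgumentError, which is the
# right outcome: reject the setting rather than guess.
def escaped_sendmail_arguments(arguments)
  Shellwords.split(arguments).map { |word| Shellwords.escape(word) }.join(' ')
end

# Command line that is safe to hand to a shell-based mailer: the location is
# allowlisted and every argument token is escaped.
def safe_sendmail_command(location, arguments)
  [validated_sendmail_location(location), escaped_sendmail_arguments(arguments)]
    .reject(&:empty?).join(' ')
end

# Argv a shell would derive from a command string; used to show that the
# injected text stays a single argument instead of becoming a command.
def shell_argv(command)
  Shellwords.split(command)
end

if __FILE__ == $PROGRAM_NAME
  injected = '-i; id'              # constructed malicious "arguments" setting
  puts unsafe_sendmail_command('/usr/sbin/sendmail', injected)
  puts safe_sendmail_command('/usr/sbin/sendmail', injected)
  p shell_argv(safe_sendmail_command('/usr/sbin/sendmail', '-f $(id) -i'))
end
```

The check worth keeping from this: feed every candidate setting value through `safe_sendmail_command` and confirm that `shell_argv` of the result is exactly the allowlisted binary followed by the intended tokens, with nothing that a shell would treat as a command separator.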
Related issues
Associated revisions
History
#1
Updated by Lukas Zapletal almost 2 years ago
- Description updated (diff)
- File sendmail-32753-a.patch sendmail-32753-a.patch added
#2
Updated by Lukas Zapletal almost 2 years ago
- File sendmail-32753-b.patch sendmail-32753-b.patch added
#3
Updated by Lukas Zapletal almost 2 years ago
- Private changed from Yes to No
- Pull request https://github.com/theforeman/foreman/pull/8599 added
Embargo lifted.
#4
Updated by The Foreman Bot almost 2 years ago
- Status changed from New to Ready For Testing
#5
Updated by Ewoud Kohl van Wijngaarden almost 2 years ago
- Target version deleted (2.5.1)
- Assignee deleted (Lukas Zapletal)
- Category deleted (Security)
- Found in Releases 1.15.0 added
#6
Updated by Ewoud Kohl van Wijngaarden almost 2 years ago
- Target version set to 2.5.1
- Assignee set to Lukas Zapletal
- Category set to Settings
That's not what I intended to do ...
#7
Updated by The Foreman Bot almost 2 years ago
- Fixed in Releases 3.0.0 added
#8
Updated by Tomer Brisker almost 2 years ago
- Fixed in Releases 2.4.1, 2.5.1 added
#9
Updated by Ewoud Kohl van Wijngaarden almost 2 years ago
- Related to Bug #32827: Set sendmail location and arguments via puppet/installer added
#10
Updated by Lukas Zapletal almost 2 years ago
- Status changed from Ready For Testing to Closed
Applied in changeset foreman|c83d799eee3d10d27d9e7d5900232b9e979e4a21.
Fixes #32753 - Remote code execution through Sendmail
CVE-2021-3584: Sendmail location and arguments, available via Administer
- Settings, both accept arbitrary strings and pass them into shell.
By default, only Foreman super administrator can access settings.
Mitigation: Verify both settings and remove edit_settings
permissions from all roles and users until fixed. Alternatively, create
settings named sendmail_location and sendmail_arguments in settings.yaml
file to override the UI and make the values read-only.
Solution: Limit the possible values for location to just expected paths.
Use shell escaping for arguments as there is currently no way to pass
arguments to the 'mail' gem in a safe manner.