Bug #32753
closed
CVE-2021-3584: Remote code execution through Sendmail configuration
Description
Sendmail location and arguments, available via Administer - Settings,
both accept arbitrary strings and pass them into shell.
By default, only Foreman super administrator can access settings.
Mitigation: Verify the both settings and remove edit_settings
permissions to all roles and users until fixed. Alternatively, create
settings named sendmail_location and sendmail_arguments in settings.yaml
file to override the UI and make the values read-only.
Solution: Limit the possible values for location to just expected paths.
Use shellescaping for arguments as there is currently no way to pass
arguments to the 'mail' gem in a safely manner.
Files
Updated by Lukas Zapletal almost 4 years ago
- File sendmail-32753-a.patch sendmail-32753-a.patch added
- Description updated (diff)
Updated by Lukas Zapletal almost 4 years ago
- File sendmail-32753-b.patch sendmail-32753-b.patch added
Updated by Lukas Zapletal almost 4 years ago
- Private changed from Yes to No
- Pull request https://github.com/theforeman/foreman/pull/8599 added
Embargo lifted.
Updated by The Foreman Bot almost 4 years ago
- Status changed from New to Ready For Testing
Updated by Ewoud Kohl van Wijngaarden almost 4 years ago
- Category deleted (
Security) - Assignee deleted (
Lukas Zapletal) - Target version deleted (
2.5.1) - Found in Releases 1.15.0 added
Updated by Ewoud Kohl van Wijngaarden almost 4 years ago
- Category set to Settings
- Assignee set to Lukas Zapletal
- Target version set to 2.5.1
That's not what I intended to do ...
Updated by Tomer Brisker almost 4 years ago
- Fixed in Releases 2.4.1, 2.5.1 added
Updated by Ewoud Kohl van Wijngaarden almost 4 years ago
- Related to Bug #32827: Set sendmail location and arguments via puppet/installer added
Updated by Lukas Zapletal almost 4 years ago
- Status changed from Ready For Testing to Closed
Applied in changeset foreman|c83d799eee3d10d27d9e7d5900232b9e979e4a21.