Bug #32753

CVE-2021-3584: Remote code execution through Sendmail configuration

Added by Lukas Zapletal about 2 months ago. Updated about 1 month ago.

Status: Closed
Priority: High
Category: Settings
Target version:
Difficulty: easy
Triaged: Yes
Bugzilla link:
Fixed in Releases:
Found in Releases:

Description

Sendmail location and arguments, available via Administer - Settings,
both accept arbitrary strings and pass them into a shell.
By default, only the Foreman super administrator can access settings.

Mitigation: Verify both settings and remove edit_settings
permissions from all roles and users until fixed. Alternatively, create
settings named sendmail_location and sendmail_arguments in the settings.yaml
file to override the UI and make the values read-only.

Solution: Limit the possible values for location to just expected paths.
Use shellescaping for arguments as there is currently no way to pass
arguments to the 'mail' gem in a safe manner.

sendmail-32753-a.patch (3.38 KB) Lukas Zapletal, 06/09/2021 06:57 AM
sendmail-32753-b.patch (4.52 KB) Lukas Zapletal, 06/10/2021 01:32 PM
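
The two measures named in the Solution paragraph, as an added Ruby example (not the code from the attached patches or the Foreman commit): an exact-match allowlist for the sendmail location, and per-word shell escaping of the arguments with Ruby's standard Shellwords module. The allowlist paths and all helper names are assumptions, since the page does not list the expected paths.

```ruby
require 'shellwords'

# Assumed allowlist: the issue says only "expected paths" without listing them.
ALLOWED_SENDMAIL_LOCATIONS = %w[
  /usr/sbin/sendmail
  /usr/bin/sendmail
  /usr/local/sbin/sendmail
  /usr/local/bin/sendmail
].freeze

class UnsafeSendmailSetting < ArgumentError; end

# Hypothetical helper: accept the location only on an exact allowlist match,
# so values with appended options or a different binary are rejected.
def validate_sendmail_location(value)
  path = value.to_s
  unless ALLOWED_SENDMAIL_LOCATIONS.include?(path)
    raise UnsafeSendmailSetting, "sendmail location not allowed: #{path.inspect}"
  end
  path
end

# Hypothetical helper: split the setting into words and re-quote each word,
# so shell metacharacters reach sendmail as literal text, not shell syntax.
def escape_sendmail_arguments(value)
  Shellwords.split(value.to_s).map { |word| Shellwords.escape(word) }.join(' ')
rescue ArgumentError => e
  # Shellwords.split raises ArgumentError on unmatched quotes.
  raise UnsafeSendmailSetting, "unparsable sendmail arguments: #{e.message}"
end

# Hypothetical helper: the command line a shell would finally receive.
def build_sendmail_command(location, arguments)
  [validate_sendmail_location(location),
   escape_sendmail_arguments(arguments)].reject(&:empty?).join(' ')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values for the two settings.
  puts build_sendmail_command('/usr/sbin/sendmail', '-i')
  puts build_sendmail_command('/usr/sbin/sendmail', '-i; id')
  begin
    build_sendmail_command('/bin/sh', '-i')
  rescue UnsafeSendmailSetting => e
    puts "rejected: #{e.message}"
  end
end
```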

Related issues

Related to Installer - Bug #32827: Set sendmail location and arguments via puppet/installer (Closed)

Associated revisions

Revision c83d799e (diff)
Added by Lukas Zapletal about 1 month ago

Fixes #32753 - Remote code execution through Sendmail

CVE-2021-3584: Sendmail location and arguments, available via
Administer - Settings, both accept arbitrary strings and pass them into
a shell. By default, only the Foreman super administrator can access
settings.

Mitigation: Verify both settings and remove edit_settings
permissions from all roles and users until fixed. Alternatively, create
settings named sendmail_location and sendmail_arguments in the settings.yaml
file to override the UI and make the values read-only.

Solution: Limit the possible values for location to just expected paths.
Use shellescaping for arguments as there is currently no way to pass
arguments to the 'mail' gem in a safe manner.

History

#1 Updated by Lukas Zapletal about 2 months ago

#3 Updated by Lukas Zapletal about 2 months ago

  • Private changed from Yes to No
  • Pull request https://github.com/theforeman/foreman/pull/8599 added

Embargo lifted.

#4 Updated by The Foreman Bot about 2 months ago

  • Status changed from New to Ready For Testing

#5 Updated by Ewoud Kohl van Wijngaarden about 2 months ago

  • Target version deleted (2.5.1)
  • Assignee deleted (Lukas Zapletal)
  • Category deleted (Security)
  • Found in Releases 1.15.0 added

#6 Updated by Ewoud Kohl van Wijngaarden about 2 months ago

  • Target version set to 2.5.1
  • Assignee set to Lukas Zapletal
  • Category set to Settings

That's not what I intended to do ...

#7 Updated by The Foreman Bot about 1 month ago

  • Fixed in Releases 3.0.0 added

#8 Updated by Tomer Brisker about 1 month ago

  • Fixed in Releases 2.4.1, 2.5.1 added

#9 Updated by Ewoud Kohl van Wijngaarden about 1 month ago

  • Related to Bug #32827: Set sendmail location and arguments via puppet/installer added

#10 Updated by Lukas Zapletal about 1 month ago

  • Status changed from Ready For Testing to Closed
