Bug #32753
closedCVE-2021-3584: Remote code execution through Sendmail configuration
Description
Sendmail location and arguments, available via Administer - Settings,
both accept arbitrary strings and pass them into shell.
By default, only Foreman super administrator can access settings.
Mitigation: Verify the both settings and remove edit_settings
permissions to all roles and users until fixed. Alternatively, create
settings named sendmail_location and sendmail_arguments in settings.yaml
file to override the UI and make the values read-only.
Solution: Limit the possible values for location to just expected paths.
Use shellescaping for arguments as there is currently no way to pass
arguments to the 'mail' gem in a safely manner.
Files
Updated by Lukas Zapletal almost 4 years ago
- Private changed from Yes to No
- Pull request https://github.com/theforeman/foreman/pull/8599 added
Embargo lifted.
Updated by Ewoud Kohl van Wijngaarden almost 4 years ago
- Category set to Settings
- Assignee set to Lukas Zapletal
- Target version set to 2.5.1
That's not what I intended to do ...
Updated by Lukas Zapletal almost 4 years ago
- Status changed from Ready For Testing to Closed
Applied in changeset foreman|c83d799eee3d10d27d9e7d5900232b9e979e4a21.