Alert: If you're running SquirrelMail, Sendmail... why? And oh yeah, remote code vuln found

This is nuts


Updated Security researchers have uncovered a critical security hole in SquirrelMail, the open-source webmail project.

Filippo Cavallarin and Dawid Golunski independently discovered a remote code execution hole in SquirrelMail version 1.4.22 and likely prior. That's the latest version, by the way, and is dated July 2011.

The bug is a classic failure to sanitize user input, a shortcoming that makes it possible for authenticated attackers to execute arbitrary and malicious shell commands on a remote server running the vulnerable webmail software. The programming blunder is exploitable only in cases where SquirrelMail has been configured with Sendmail as the main transport.

Cavallarin went public with the bug, along with proof-of-concept exploit code, last week in a post to the Full Disclosure mailing list.

In response, Golunski – who had independently discovered the same vulnerability – went public with his own advisory about the same problem on Saturday. He said he reported the vulnerability to SquirrelMail at the start of the year, and was allocated CVE-2017-5181 for the as-yet unresolved flaw.

As a temporary workaround, users can configure their systems to not use Sendmail, Golunski recommends. ®

Updated to add

Developer Paul Lesniewski has been in touch to say the problem, which he reckons is not as serious as it appears at first blush, is being resolved. He criticised one of the researchers for jumping the gun and publishing an advisory, adding that pressing personal issues have prevented him – as sole developer – from resolving the issue more quickly.

Both SquirrelMail 1.5.2 and 1.4.22 are vulnerable, but patched versions 1.4.23-svn and 1.5.2-svn are now available. Exploitation even on unpatched systems relies on poor configuration and pre-established access to the system, according to Lesniewski.

"In order to exploit the bug, a malicious user would need to have already gained control over a mail account by other means, SquirrelMail would need to be configured to allow users to change their outgoing email address (we recommend keeping this disabled), the user would need to determine the location of the attachments directory (by gaining shell access or making guesses), the permissions on said directory and files would need to allow access by other processes (by default this will usually be the case, but prudent admins will exert more stringent access controls) and of course, SquirrelMail needs to be configured to send via Sendmail and not SMTP (default is SMTP)," Lesniewski said.

"My hope is that Good Administrators would have sensible system configurations that make this exploit unworkable. That doesn't mean the bug should not be fixed, and it has been."

Fixes are available at https://sourceforge.net/p/squirrelmail/code/14649 and https://sourceforge.net/p/squirrelmail/code/14650.
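The bug class described above (user input reaching a Sendmail command line unsanitized) and the precondition Lesniewski mentions (users allowed to change their outgoing address) are illustrated by the following added example. It is not SquirrelMail's code or its fix; it shows a vulnerable string-built command beside a hardened builder, and assumes the user-controlled value is the envelope sender handed to a sendmail binary at a hypothetical path.

```php
<?php
// Added example, not SquirrelMail's own code. Demonstrates why a user-supplied
// sender address must never be interpolated into a shell command line.

// Vulnerable pattern: the address is dropped straight into a shell string, so
// shell metacharacters or option-looking values change what actually runs.
function build_sendmail_cmd_unsafe(string $sendmailPath, string $from): string
{
    return "$sendmailPath -i -f $from -t";
}

// Hardened: strict syntax check, refuse anything that could be read as an
// option, then shell-quote every argument. Returns null when the value is bad.
function validate_envelope_sender(string $from): ?string
{
    $from = trim($from);
    if ($from === '') {
        return null;
    }
    // Quoting does not help here: a quoted '-foo' still reaches sendmail as an
    // option, so option-looking values are rejected outright.
    if ($from[0] === '-') {
        return null;
    }
    // Rejects whitespace, shell metacharacters and malformed addresses.
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $from;
}

function build_sendmail_cmd_safe(string $sendmailPath, string $from): ?string
{
    $clean = validate_envelope_sender($from);
    if ($clean === null) {
        return null;
    }
    return escapeshellarg($sendmailPath) . ' -i -f ' . escapeshellarg($clean) . ' -t';
}

// Constructed inputs for illustration; /usr/sbin/sendmail is an assumed path.
$path = '/usr/sbin/sendmail';
foreach (['alice@example.com', 'alice@example.com; id', '-x alice@example.com'] as $from) {
    echo "unsafe: ", build_sendmail_cmd_unsafe($path, $from), "\n";
    echo "safe:   ", build_sendmail_cmd_safe($path, $from) ?? '(rejected)', "\n";
}
```

Only the first input survives the hardened builder; the two constructed bad values are rejected before any command line is assembled.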

Biting the hand that feeds IT © 1998–2022