Bug 1654228 (CVE-2018-19518)

Summary: CVE-2018-19518 php: imap_open() allows running arbitrary shell commands via mailbox parameter
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: fedora, hhorak, jorton, rcollet, webstack-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: php 7.2.13, php 7.1.25, php 7.0.33, php 5.6.38
Doc Type: If docs needed, set a value
Bug Depends On: 1655004, 1654230    
Bug Blocks: 1654231    

Description Andrej Nemec 2018-11-28 10:03:15 UTC
IMAP Toolkit 2007f, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument.

References:

https://www.openwall.com/lists/oss-security/2018/11/22/3

Upstream issue:

https://bugs.php.net/bug.php?id=77153

Comment 1 Andrej Nemec 2018-11-28 10:04:00 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1654230]

Comment 2 Tomas Hoger 2018-11-29 08:50:03 UTC
This cannot affect PHP packages provided for Red Hat Enterprise Linux 7, either directly via Red Hat Enterprise Linux 7, or via Red Hat Software Collections for Red Hat Enterprise Linux 7, as those packages do not include the affected imap extension.

In Red Hat Enterprise Linux 6, the php-imap package providing the imap extension is only distributed via the unsupported Optional repository.

Comment 3 Tomas Hoger 2018-11-29 22:09:33 UTC
The PHP packages included in the Red Hat Software Collections for Red Hat Enterprise Linux 6 provide the imap extension (again packages in the *-php-imap sub-packages). However, the extension requires the libc-client package (IMAP client implementation, which is part of the UW IMAP project), which is only available via the unsupported Optional repository for Red Hat Enterprise Linux 6.

Comment 4 Tomas Hoger 2018-11-29 22:13:39 UTC
Upstream commit:

http://git.php.net/?p=php-src.git;a=commitdiff;h=336d2086a9189006909ae06c7e95902d7d5ff77e

The above commit includes the following addition to the UPGRADING documentation file:

- IMAP:
  Starting with 7.2.13, rsh/ssh logins are disabled by default. Use
  imap.enable_insecure_rsh if you want to enable them. Note that the IMAP
  library does not filter mailbox names before passing them to rsh/ssh
  command, thus passing untrusted data to this function with rsh/ssh enabled
  is insecure.

This fix is being added to PHP 7.2.13, 7.1.25, 7.0.33, and 5.6.38.

Comment 5 Tomas Hoger 2018-11-29 22:55:33 UTC
The UW IMAP c-client library, which is used by the PHP imap extension, tries multiple methods when requested to connect to an IMAP server. Those methods include an attempt to establish an rsh or ssh connection to the server and starting an IMAP daemon in a pre-authenticated mode. When constructing these rsh or ssh commands, the library does not attempt to sanitize the provided server name in any way, which makes it possible to inject additional options to these commands, which can eventually lead to arbitrary command execution, e.g. when setting ProxyCommand for ssh.

The c-client library builds in Red Hat Enterprise Linux and Fedora only define a default path for the rsh command. There is no default path specified for the ssh command. Due to that, ssh is not used unless the path to the command is explicitly configured, which can be done by adding 'set ssh-path /usr/bin/ssh' to the /etc/c-client.cf configuration file, or to ~/.imaprc if support for user configuration files is enabled in the global system configuration. Such a configuration is not the default on Red Hat Enterprise Linux or Fedora, and does not seem very likely either.

This flaw was reported to have a worse impact on Debian and Ubuntu systems, where rsh is a symlink to ssh by default. Hence when the c-client attempts to execute rsh, ssh is actually executed. As noted above, there's no special configuration required for rsh to be executed; it only depends on the provided connection string.

On Red Hat Enterprise Linux, rsh can be executed if it is installed. A malicious IMAP server name can be used to inject additional rsh command line options, but the rsh command only accepts very few options, none of which allows command execution in a similar way to ssh's ProxyCommand. It is possible to achieve code execution via the ssh command if ssh-path is configured as noted above.

Lowering impact rating, as on Red Hat Enterprise Linux affected configurations are unlikely.

Comment 6 Tomas Hoger 2018-11-29 23:04:52 UTC
Not all uses of the PHP imap extension are affected, even when using untrusted server names. These can also provide mitigation to affected configurations.

* The c-client library will not use rsh or ssh when the /norsh flag is specified in the mailbox name argument to the imap_open() function. See the PHP documentation for more details on how flags are specified: http://php.net/manual/en/function.imap-open.php

* rsh/ssh is also not used when the /ssl or /tls flags are specified, or when the port is explicitly specified.

* Proper validation of server names can be used to prevent this flaw. However, addition of the /norsh flag as noted above is likely to be an easier fix in most cases.

* If the imap extension is not needed, remove all installed php-imap packages.
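
Added example (not code from this bug report, from PHP or from c-client): one way an application can combine the mitigations from comment 6 when the server name comes from a user, by validating the name and always emitting an explicit port and the /norsh flag. build_mailbox() is a hypothetical helper name, the sample inputs are constructed, and the fixed INBOX folder and default port 993 are assumptions.

```php
<?php
declare(strict_types=1);

/** Return the imap_open() mailbox string for an untrusted server name. */
function build_mailbox(string $host, int $port = 993, bool $tls = true): string
{
    // One or more DNS labels: alphanumeric first and last character, hyphens
    // only inside a label. \A and \z anchor the whole string, so whitespace,
    // a leading '-', '=', '/', '{' or '}' cannot reach the rsh/ssh command line.
    // IPv6 literals are not accepted by this pattern.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $pattern = '/\A' . $label . '(?:\.' . $label . ')*\z/';
    if (strlen($host) > 253 || preg_match($pattern, $host) !== 1) {
        throw new InvalidArgumentException('invalid IMAP server name');
    }
    if ($port < 1 || $port > 65535) {
        throw new InvalidArgumentException('invalid IMAP port');
    }
    // An explicit port and /ssl each keep c-client from trying rsh/ssh;
    // /norsh states it outright and also covers the non-TLS case.
    $flags = '/imap' . ($tls ? '/ssl' : '') . '/norsh';
    return '{' . $host . ':' . $port . $flags . '}INBOX';
}

// Constructed sample inputs: one ordinary name and three option-like or
// malformed names of the kind the bug describes.
$samples = [
    'mail.example.org',
    '-oProxyCommand=placeholder',
    "mail.example.org\t-oOption",
    'mail.example.org}x',
];
foreach ($samples as $name) {
    try {
        $mailbox = build_mailbox($name);
        // A real caller would now use imap_open($mailbox, $user, $password).
        echo 'accepted: ', $mailbox, PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($name), PHP_EOL;
    }
}

// Setting named in the UPGRADING text quoted in comment 4. ini_get() returns
// false when the setting is unknown (imap extension not loaded, or a PHP
// release without the fix), which is not the same as "disabled".
echo 'imap.enable_insecure_rsh = ', var_export(ini_get('imap.enable_insecure_rsh'), true), PHP_EOL;
```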