Ubuntu.comUB:CVE-2018-19518CVE-2018-19518
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:S/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
99.7%
University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open()
in PHP and other products, launches an rsh command (by means of the
imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in
osdep/unix/tcp_unix.c) without preventing argument injection, which might
allow remote attackers to execute arbitrary OS commands if the IMAP server
name is untrusted input (e.g., entered by a user of a web application) and
if rsh has been replaced by a program with different argument semantics.
For example, if rsh is a link to ssh (as seen on Debian and Ubuntu
systems), then the attack can use an IMAP server name containing a
“-oProxyCommand” argument.
Bugs
- <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914632>
- <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913775>
- <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913835>
- <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913836>
- <https://bugs.launchpad.net/ubuntu/+source/php7.2/+bug/1803657>
- <https://bugs.php.net/bug.php?id=76428>
- <https://bugs.php.net/bug.php?id=77153>
- <https://bugs.php.net/bug.php?id=77160>
Notes
| Author | Note |
|---|---|
| mdeslaur | php5 in precise and trusty doesn’t build imap, it is in a separate php-imap source package. |
| msalvatore | uw-imap has been defunct since 2008. |
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 14.04 | noarch | php-imap | < 5.4.6-0ubuntu5.1 | UNKNOWN |
| ubuntu | 16.04 | noarch | php7.0 | < 7.0.33-0ubuntu0.16.04.1 | UNKNOWN |
| ubuntu | 18.04 | noarch | php7.2 | < 7.2.15-0ubuntu0.18.04.1 | UNKNOWN |
| ubuntu | 18.10 | noarch | php7.2 | < 7.2.15-0ubuntu0.18.20.1 | UNKNOWN |
| ubuntu | 19.04 | noarch | php7.2 | < 7.2.15-0ubuntu2 | UNKNOWN |
| ubuntu | 18.04 | noarch | uw-imap | < 8:2007f~dfsg-5ubuntu0.18.04.2 | UNKNOWN |
| ubuntu | 19.04 | noarch | uw-imap | < 8:2007f~dfsg-5ubuntu0.19.04.2 | UNKNOWN |
| ubuntu | 14.04 | noarch | uw-imap | < 8:2007f~dfsg-2ubuntu0.1~esm1 | UNKNOWN |
| ubuntu | 16.04 | noarch | uw-imap | < 8:2007f~dfsg-4+deb8u1build0.16.04.1 | UNKNOWN |
References
antichat.com/threads/463395/#post-4254681
github.com/Bo0oM/PHP_imap_open_exploit/blob/master/exploit.php
launchpad.net/bugs/cve/CVE-2018-19518
nvd.nist.gov/vuln/detail/CVE-2018-19518
security-tracker.debian.org/tracker/CVE-2018-19518
ubuntu.com/security/notices/USN-4160-1
www.cve.org/CVERecord?id=CVE-2018-19518
www.openwall.com/lists/oss-security/2018/11/22/3
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:S/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
99.7%