CVE-2018-19518
Published: 25 November 2018
University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument.
From the Ubuntu Security Team
It was discovered that UW IMAP incorrectly handled inputs. A remote attacker could possibly use this issue to execute arbitrary OS commands.
Notes
| Author | Note |
|---|---|
| mdeslaur | php5 in precise and trusty doesn't build imap, it is in a separate php-imap source package. |
| msalvatore | uw-imap has been defunct since 2008. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
php-imap Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| trusty |
Released
(5.4.6-0ubuntu5.1)
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
php5 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| trusty |
Not vulnerable
(code not present)
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
php7.0 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(7.0.33)
|
|
| xenial |
Released
(7.0.33-0ubuntu0.16.04.1)
|
|
| Binaries built from this source package are in Universe and so are supported by the community. | ||
|
php7.2 Launchpad, Ubuntu, Debian |
bionic |
Released
(7.2.15-0ubuntu0.18.04.1)
|
| cosmic |
Released
(7.2.15-0ubuntu0.18.20.1)
|
|
| disco |
Released
(7.2.15-0ubuntu2)
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(7.2.13)
|
|
| xenial |
Does not exist
|
|
| Binaries built from this source package are in Universe and so are supported by the community. | ||
|
php7.3 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| eoan |
Not vulnerable
(7.3.4-2)
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(7.3.0)
|
|
| xenial |
Does not exist
|
|
|
Patches: upstream: http://git.php.net/?p=php-src.git;a=commit;h=336d2086a9189006909ae06c7e95902d7d5ff77e |
||
| Binaries built from this source package are in Universe and so are supported by the community. | ||
|
uw-imap Launchpad, Ubuntu, Debian |
bionic |
Released
(8:2007f~dfsg-5ubuntu0.18.04.2)
|
| cosmic |
Ignored
(end of life)
|
|
| disco |
Released
(8:2007f~dfsg-5ubuntu0.19.04.2)
|
|
| eoan |
Not vulnerable
(8:2007f~dfsg-6)
|
|
| focal |
Not vulnerable
(8:2007f~dfsg-6)
|
|
| groovy |
Not vulnerable
(8:2007f~dfsg-6)
|
|
| hirsute |
Not vulnerable
(8:2007f~dfsg-6)
|
|
| impish |
Not vulnerable
(8:2007f~dfsg-6)
|
|
| jammy |
Not vulnerable
(8:2007f~dfsg-6)
|
|
| trusty |
Released
(8:2007f~dfsg-2ubuntu0.1~esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| upstream |
Released
(8:2007f~dfsg-6)
|
|
| xenial |
Released
(8:2007f~dfsg-4+deb8u1build0.16.04.1)
|
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
References
- https://www.openwall.com/lists/oss-security/2018/11/22/3
- https://antichat.com/threads/463395/#post-4254681
- https://github.com/Bo0oM/PHP_imap_open_exploit/blob/master/exploit.php
- https://ubuntu.com/security/notices/USN-4160-1
- https://www.cve.org/CVERecord?id=CVE-2018-19518
- NVD
- Launchpad
- Debian
Bugs
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914632
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913775
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913835
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913836
- https://bugs.launchpad.net/ubuntu/+source/php7.2/+bug/1803657
- https://bugs.php.net/bug.php?id=76428
- https://bugs.php.net/bug.php?id=77153
- https://bugs.php.net/bug.php?id=77160