CVE-2018-19518

high

Description

University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument.

References

https://www.openwall.com/lists/oss-security/2018/11/22/3

https://github.com/Bo0oM/PHP_imap_open_exploit/blob/master/exploit.php

https://bugs.php.net/bug.php?id=77160

https://bugs.php.net/bug.php?id=77153

https://bugs.php.net/bug.php?id=76428

https://bugs.debian.org/913836

https://bugs.debian.org/913835

https://bugs.debian.org/913775

https://antichat.com/threads/463395/#post-4254681

http://www.securitytracker.com/id/1042157

http://www.securityfocus.com/bid/106018

https://git.php.net/?p=php-src.git;a=commit;h=e5bfea64c81ae34816479bb05d17cdffe45adddb

https://www.exploit-db.com/exploits/45914/

https://www.debian.org/security/2018/dsa-4353

https://lists.debian.org/debian-lts-announce/2018/12/msg00006.html

https://security.netapp.com/advisory/ntap-20181221-0004/

https://lists.debian.org/debian-lts-announce/2019/03/msg00001.html

https://usn.ubuntu.com/4160-1/

https://security.gentoo.org/glsa/202003-57

https://lists.debian.org/debian-lts-announce/2021/12/msg00031.html

Details

Source: MITRE

Published: 2018-11-25

Updated: 2021-12-29

Type: CWE-88

Risk Information

CVSS v2

Base Score: 8.5

Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C

Impact Score: 10

Exploitability Score: 6.8

Severity: HIGH

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 1.6

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:php:php:*:*:*:*:*:*:*:* versions from 7.2.0 to 7.2.12 (inclusive)

cpe:2.3:a:php:php:*:*:*:*:*:*:*:* versions from 7.0.0 to 7.0.32 (inclusive)

cpe:2.3:a:php:php:*:*:*:*:*:*:*:* versions from 7.1.0 to 7.1.24 (inclusive)

cpe:2.3:a:php:php:*:*:*:*:*:*:*:* versions from 5.6.0 to 5.6.38 (inclusive)

Configuration 2

OR

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:a:uw-imap_project:uw-imap:2007f:*:*:*:*:*:*:*

Tenable Plugins

| ID | Name | Product | Family | Severity |
| --- | --- | --- | --- | --- |
| 156391 | Debian DLA-2866-1 : uw-imap - LTS security update | Nessus | Debian Local Security Checks | high |
| 139998 | EulerOS Virtualization for ARM 64 3.0.6.0 : php (EulerOS-SA-2020-1895) | Nessus | Huawei Local Security Checks | high |
| 139151 | EulerOS 2.0 SP8 : php (EulerOS-SA-2020-1821) | Nessus | Huawei Local Security Checks | high |
| 134965 | GLSA-202003-57 : PHP: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | high |
| 130149 | Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : UW IMAP vulnerability (USN-4160-1) | Nessus | Ubuntu Local Security Checks | high |
| 122821 | PHP 7.0.x < 7.0.33 Multiple vulnerabilities | Nessus | CGI abuses | high |
| 122548 | Debian DLA-1700-1 : uw-imap security update | Nessus | Debian Local Security Checks | high |
| 98884 | PHP 7.3.x < 7.3.0 Multiple vulnerabilities | Web Application Scanning | Component Vulnerability | high |
| 98883 | PHP 7.2.x < 7.2.13 Multiple vulnerabilities | Web Application Scanning | Component Vulnerability | high |
| 98882 | PHP 7.1.x < 7.1.25 Multiple vulnerabilities | Web Application Scanning | Component Vulnerability | high |
| 98881 | PHP 7.0.x < 7.0.33 Multiple vulnerabilities | Web Application Scanning | Component Vulnerability | high |
| 98880 | PHP 5.6.x < 5.6.39 Multiple vulnerabilities | Web Application Scanning | Component Vulnerability | high |
| 121132 | Amazon Linux AMI : php56 / php70,php71,php72 (ALAS-2019-1147) | Nessus | Amazon Linux Local Security Checks | high |
| 120854 | Fedora 28 : php (2018-dfe1f0bac6) | Nessus | Fedora Local Security Checks | high |
| 120566 | Fedora 29 : php (2018-7ebfe1e6f2) | Nessus | Fedora Local Security Checks | high |
| 120177 | SUSE SLES12 Security Update : Recommended update for php5 (SUSE-SU-2018:3995-1) | Nessus | SuSE Local Security Checks | high |
| 120176 | SUSE SLES12 Security Update : Recommended update for php7 (SUSE-SU-2018:3988-1) | Nessus | SuSE Local Security Checks | high |
| 119766 | PHP 7.2.x < 7.2.13 Multiple vulnerabilities | Nessus | CGI abuses | high |
| 119765 | PHP 7.1.x < 7.1.25 Multiple vulnerabilities | Nessus | CGI abuses | high |
| 119764 | PHP 5.6.x < 5.6.39 Multiple vulnerabilities | Nessus | CGI abuses | high |
| 119695 | Debian DLA-1608-1 : php5 security update | Nessus | Debian Local Security Checks | high |
| 119570 | openSUSE Security Update : php7 (openSUSE-2018-1507) | Nessus | SuSE Local Security Checks | high |
| 119569 | openSUSE Security Update : php5 (openSUSE-2018-1506) | Nessus | SuSE Local Security Checks | high |
| 119561 | Debian DSA-4353-1 : php7.0 - security update | Nessus | Debian Local Security Checks | high |
| 119455 | SUSE SLES11 Security Update : Recommended update for php53 (SUSE-SU-2018:3986-1) | Nessus | SuSE Local Security Checks | high |
| 111217 | PHP 7.3.0 [alpha\|beta] < 7.3.0 Multiple vulnerabilities | Nessus | CGI abuses | high |