Detections
Analytics

Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM / 22.04 ESM : PHPMailer vulnerabilities (USN-5956-1)

critical Nessus Plugin ID 172589

Language:

Synopsis

The remote Ubuntu host is missing one or more security updates.

Description

The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM / 22.04 ESM host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5956-1 advisory.

 - The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \ (backslash double quote) in a crafted Sender property. (CVE-2016-10033)

 - The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033. (CVE-2016-10045)

 - PHPMailer 5.2.23 has XSS in the From Email Address and To Email Address fields of code_generator.php.
 (CVE-2017-11503)

 - An issue was discovered in PHPMailer before 5.2.22. PHPMailer's msgHTML method applies transformations to an HTML document to make it usable as an email message body. One of the transformations is to convert relative image URLs into attachments using a script-provided base directory. If no base directory is provided, it resolves to /, meaning that relative image URLs get treated as absolute local file paths and added as attachments. To form a remote vulnerability, the msgHTML method must be called, passed an unfiltered, user-supplied HTML document, and must not set a base directory. (CVE-2017-5223)

 - PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack. (CVE-2018-19296)

 - PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message. (CVE-2020-13625)

 - PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project's scope by other means). If the $patternselect parameter to validateAddress() is set to 'php' (the default, defined by PHPMailer::$validator), and the global namespace contains a function called php, it will be called in preference to the built-in validator of the same name. Mitigated in PHPMailer 6.5.0 by denying the use of simple strings as validator function names.
 (CVE-2021-3603)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected libphp-phpmailer package.

See Also

https://ubuntu.com/security/notices/USN-5956-1

Plugin Details

Severity: Critical

ID: 172589

File Name: ubuntu_USN-5956-1.nasl

Version: 1.2

Type: local

Agent: unix

Published: 3/15/2023

Updated: 10/20/2023

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2016-10045

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:canonical:ubuntu_linux:16.04:-:esm, cpe:/o:canonical:ubuntu_linux:18.04:-:esm, cpe:/o:canonical:ubuntu_linux:20.04:-:esm, cpe:/o:canonical:ubuntu_linux:22.04:-:esm, p-cpe:/a:canonical:ubuntu_linux:libphp-phpmailer

Required KB Items: Host/cpu, Host/Ubuntu, Host/Ubuntu/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/15/2023

Vulnerability Publication Date: 12/25/2016

Exploitable With

Core Impact

Metasploit (WordPress PHPMailer Host Header Command Injection)

Reference Information

CVE: CVE-2016-10033, CVE-2016-10045, CVE-2017-11503, CVE-2017-5223, CVE-2018-19296, CVE-2020-13625, CVE-2021-3603

USN: 5956-1