Hello all, I recently learned of a vulnerability where an arbitrary command can be executed by root if the body of an email passed to `mail` contains unsanitized ~! or ~| escapes. This vulnerability currently exists when `mail` is used with fail2ban, CVE-2021-32749 [1], but may exist with other mailutils integrations.
I searched for a way to disable ~! and ~| escapes in mail, but there doesn't seem to be a runtime or build option to do this. I would like to suggest that this option be included in the core of mailutils to make it easy for sysadmins to secure their networks. I'm not sure how often people use tilde escape sequences, but we might even consider disabling them by default. Gentoo has included a backport patch that disables escapes in non-interactive mode in mailutils in their distro [2]. It would be great if something like this were included in upstream mailutils.

In the meantime, I have updated all the scripts I use on my servers to filter escapes in message content like this:

    echo "$potentiallyunsafe" | sed 's/~[|!]//g' | mail -s "This is safer" u...@example.com

This is only a partial fix, because I can only filter content to programs that I have control over; ideally I would like to disable escapes for `mail` entirely, system-wide.

[1] https://research.securitum.com/fail2ban-remote-code-execution/
[2] https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4ba91eed

Regards,
Quinn
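The following is an added example, not the poster's script and not part of mailutils: a small POSIX sh helper that neutralises tilde escapes in a message body before it is piped to mail(1). It generalises the sed filter above in one assumed respect: rather than removing only the two sequences ~! and ~|, it rewrites any line whose first character is a tilde, on the assumption that mail only recognises escapes at the start of a line. The function names (`sanitize_mail_body`, `has_tilde_escape`, `safe_mail`) and the sample body are constructed for this example.

```shell
#!/bin/sh
# Added example (not the original poster's code): defensive filtering of mail(1) tilde escapes.
# Assumption: mail treats a tilde only as an escape when it is the first character of a line,
# so any line that starts with "~" is rewritten; the post's own filter removed "~!" and "~|"
# wherever they appeared.

# Rewrite every line that begins with "~" so the tilde is no longer the first character.
# A leading space is harmless to the recipient and cannot start an escape.
sanitize_mail_body() {
    sed 's/^~/ ~/'
}

# Detection helper: exit status 0 if the body on stdin contains a line-leading tilde,
# 1 otherwise. Useful for logging when untrusted input would have reached mail unfiltered.
has_tilde_escape() {
    grep -q '^~'
}

# Wrapper for scripts: safe_mail "Subject" recipient@example.com < body.txt
# Reads the body on stdin, filters it, then hands it to mail(1). Constructed for this example.
safe_mail() {
    subject=$1
    recipient=$2
    sanitize_mail_body | mail -s "$subject" "$recipient"
}
```

`sanitize_mail_body` is the piece worth dropping into existing cron jobs and fail2ban actions: `echo "$potentiallyunsafe" | sanitize_mail_body | mail -s "..." user@example.com`. Lines that do not begin with a tilde pass through unchanged, so ordinary message text is unaffected.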