CVE-2021-32749: fixed possible RCE vulnerability, unset escape variable (default tild… · fail2ban/fail2ban@410a6ce
fail2ban is a daemon to ban hosts that cause multiple authentication errors. In versions 0.9.7 and prior, 0.10.0 through 0.10.6, and 0.11.0 through 0.11.2, there is a vulnerability that leads to possible remote code execution in the mailing action mail-whois. The command mail from the mailutils package, used in mail actions like mail-whois, can execute a command if unescaped sequences (\n~) are present in "foreign" input (for instance in whois output). To exploit the vulnerability, an attacker would need to insert malicious characters into the response sent by the whois server, either via a MITM attack or by taking over a whois server. The issue is patched in versions 0.10.7 and 0.11.3. As a workaround, one may avoid the usage of the action mail-whois or patch the vulnerability manually.
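For administrators on an unpatched release who want to verify a manual fix, the following POSIX shell audit is an added example (not fail2ban's own code): it flags action lines that pipe a message body into mail(1) without the -E 'set escape' option this commit introduces. The sample action file, the helper names and the "|mail" pattern are constructed for the example.

```shell
#!/bin/sh
# Added audit helper (not part of fail2ban): report action lines that pipe a
# message into mail(1) without "-E 'set escape'", i.e. lines where tilde
# escapes in the body would still be interpreted by mailutils mail.
# Only invocations written as "|mail" or "| mail" are recognised; full paths
# such as /usr/bin/mail are out of scope for this check.

# Constructed sample action file: actionstart is unpatched, actionban is patched.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[Definition]
actionstart = printf %%b "Hi,\n The jail <name> has been started.\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
actionban = printf %%b "Hi,\n The IP <ip> has just been banned.\n Regards,\n Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip>" <dest>
actionunban =
EOF

MAIL_PIPE_RE='[|][[:space:]]*mail([[:space:]]|$)'
SAFE_OPT="-E 'set escape'"

# Print the number of lines in $1 that pipe into mail without unsetting the
# escape character. Never fails, so it is safe under "set -e".
count_unsafe_mail_lines() {
    grep -E "$MAIL_PIPE_RE" "$1" | grep -vFc -- "$SAFE_OPT" || true
}

# List the offending lines with their line numbers; return 1 if any exist,
# 0 if every mail invocation in the file carries the option.
audit_mail_escape() {
    conf="$1"
    unsafe=$(grep -nE "$MAIL_PIPE_RE" "$conf" | grep -vF -- "$SAFE_OPT" || true)
    if [ -n "$unsafe" ]; then
        printf '%s: mail invoked without %s on:\n%s\n' "$conf" "$SAFE_OPT" "$unsafe"
        return 1
    fi
    printf '%s: all mail invocations unset the escape character\n' "$conf"
    return 0
}

# Running against the constructed sample reports the actionstart line.
audit_mail_escape "$SAMPLE_CONF" || :
rm -f "$SAMPLE_CONF"
```

Point it at each file under the fail2ban action.d directory that pipes into mail (mail.conf, mail-whois.conf and similar) to see which action strings still need the option.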
Expand Up @@ -16,7 +16,7 @@ norestored = 1 actionstart = printf %%b “Hi,\n The jail <name> has been started successfully.\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>” <dest> Fail2Ban"|mail -E ‘set escape’ -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
# Option: actionstop # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) Expand All @@ -25,7 +25,7 @@ actionstart = printf %%b “Hi,\n actionstop = printf %%b “Hi,\n The jail <name> has been stopped.\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>” <dest> Fail2Ban"|mail -E ‘set escape’ -s "[Fail2Ban] <name>: stopped on <fq-hostname>” <dest>
# Option: actioncheck # Notes.: command executed once before each actionban command Expand All @@ -43,7 +43,7 @@ actionban = printf %%b “Hi,\n The IP <ip> has just been banned by Fail2Ban after <failures> attempts against <name>.\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>” <dest> Fail2Ban"|mail -E ‘set escape’ -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
# Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the Expand Down
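Review bot: the three hunks shown (actionstart, actionstop, actionban) each add "-E 'set escape'" ahead of "-s", but the fix is only complete if every action string that pipes a body into mail receives it: actionunban begins immediately below the last hunk and is not visible here, and the advisory text names mail-whois, whose whois output is the foreign input carrying the "\n~" sequences, so please confirm both are covered in this commit. A second point is documentation: the "# Notes.:" comments above each option say nothing about why the new option is there. Since "-E" runs a mail command before sending and "set escape" with no value unsets the tilde escape character (the behaviour the commit title describes), a one-line comment near the first occurrence, for example "# -E 'set escape' disables mailutils tilde escapes so foreign input cannot issue mail commands", would stop a later cleanup from dropping it as noise and would record that the option belongs to the mailutils mail(1) the advisory names.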
Related news
Gentoo Linux Security Advisory 202310-13 - A vulnerability has been discovered in Mailutils where escape sequences are processed in a context where this may lead to RCE. Versions greater than or equal to 3.12-r3 are affected.