
====================================================================

                             CERT-Renater

                  Note d'Information No. 2012/VULN225
____________________________________________________________________

DATE                : 23/05/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running RT 3.8.x prior to 3.8.12 or RT 4.0.x prior to 4.0.6 (the flaws below go back to RT 2.0/3.0; fixed releases and patches are provided only for the 3.8 and 4.0 series).

======================================================================
http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000202.html
http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000203.html
http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000204.html
http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000205.html
______________________________________________________________________

Internal audits of the RT codebase have uncovered a number of security
vulnerabilities in RT.  We are releasing versions 3.8.12 and 4.0.6 to
resolve these vulnerabilities, as well as patches which apply atop all
released versions of 3.8 and 4.0.


The vulnerabilities addressed by 3.8.12, 4.0.6, and the below patches
include the following:

The previously released tool to upgrade weak password hashes as part of
CVE-2011-0009 was an incomplete fix and failed to upgrade passwords of
disabled users.  This release includes an updated version of the
`vulnerable-passwords` tool, which should be run again to upgrade the
remaining password hashes.  CVE-2011-2082 is assigned to this
vulnerability.

RT versions 3.0 and above contain a number of cross-site scripting (XSS)
vulnerabilities which allow an attacker to run JavaScript with the
user's credentials.  CVE-2011-2083 is assigned to this vulnerability.

RT versions 3.0 and above are vulnerable to multiple information
disclosure vulnerabilities.  This includes the ability for privileged
users to expose users' previous password hashes -- this vulnerability is
particularly dangerous given RT's weak hashing previous to the fix in
CVE-2011-0009.  A separate vulnerability allows privileged users to
obtain correspondence history for any ticket in RT.  CVE-2011-2084 is
assigned to this vulnerability.

All publicly released versions of RT are vulnerable to cross-site
request forgery (CSRF), in which a malicious website causes the browser
to make a request to RT as the currently logged in user.  This attack
vector could be used for information disclosure, privilege escalation,
and arbitrary execution of code.  Because some external integrations may
rely on RT's previously permissive functionality, we have included a
configuration option ($RestrictReferrer) to disable CSRF protection.  We
have also added an additional configuration parameter
($ReferrerWhitelist) to aid in exempting certain originating sites from
CSRF protections.  CVE-2011-2085 is assigned to this vulnerability.

We have also added a separate configuration option
($RestrictLoginReferrer) to prevent login CSRF, a different class of
CSRF attack where the user is silently logged in using the attacker's
credentials.  $RestrictLoginReferrer defaults to disabled, because this
functionality's benign usage is more commonly relied upon and presents
less of a threat vector for RT than many other types of online
applications.

RT versions 3.6.1 and above are vulnerable to a remote execution of code
vulnerability if the optional VERP configuration options ($VERPPrefix
and $VERPDomain) are enabled.  RT 3.8.0 and higher are vulnerable to a
limited remote execution of code which can be leveraged for privilege
escalation.  RT 4.0.0 and above contain a vulnerability in the global
$DisallowExecuteCode option, allowing sufficiently privileged users to
still execute code even if RT was configured to not allow it.
CVE-2011-4458 is assigned to this set of vulnerabilities.

RT versions 3.0 and above may, under some circumstances, still respect
rights that a user only has by way of a currently-disabled group.
CVE-2011-4459 is assigned to this vulnerability.

RT versions 2.0 and above are vulnerable to a SQL injection attack,
which allow privileged users to obtain arbitrary information from the
database.  CVE-2011-4460 is assigned to this vulnerability.


In addition to releasing RT versions 3.8.12 and 4.0.6 which address
these issues, we have also collected patches for all releases of 3.8 and 4.0
into a distribution available for download at this link:

http://download.bestpractical.com/rt/release/security-2012-05-22.tar.gz
http://download.bestpractical.com/rt/release/security-2012-05-22.tar.gz.asc

37e49809e28f1f48313a25b4abf3acd2e863fc26  security-2012-05-22.tar.gz
87be1fad89e078d49a146e8594eb64a78368b7cb  security-2012-05-22.tar.gz.asc


The README in the tarball contains instructions for applying the
patches.  If you need help resolving this issue locally, we will provide
discounted pricing for single-incident support; please contact us at
sales at bestpractical.com for more information.

 - Alex
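The CSRF settings described in the announcement above, as an RT_SiteConfig.pm fragment. This is an added example, not text from the announcement nor a file shipped by Best Practical: the hostnames are placeholders, and the whitelist is written as the array `@ReferrerWhitelist`, which is how RT_Config.pm declares it (the announcement refers to it as `$ReferrerWhitelist`). The permissive setting is shown commented out beside the hardened one so the two are easy to tell apart in a diff.

```perl
# RT_SiteConfig.pm fragment (added example; not from the RT announcement).
# Hostnames below are assumptions used for illustration only.

# Referrer-based CSRF protection for state-changing requests.
# The weak setting re-opens every user to CSRF and should only be a
# temporary measure while a broken integration is being fixed:
#
#   Set($RestrictReferrer, 0);   # WEAK: disables CSRF protection entirely
#
Set($RestrictReferrer, 1);       # hardened: keep the check on

# Instead of disabling the check globally, exempt only the host:port
# origins that legitimately drive RT from another site.  RT_Config.pm
# declares this as an array, hence Set(@ReferrerWhitelist, ...).
Set(@ReferrerWhitelist, qw(monitoring.example.net:443 intranet.example.net:80));

# Login CSRF.  This defaults to off in 3.8.12/4.0.6 for compatibility;
# turn it on unless something relies on logging users in via links
# that carry credentials as parameters.
Set($RestrictLoginReferrer, 1);

1;
```

After editing the file, restart the RT web server processes so the new values are read; a quick way to confirm the setting took effect is that a state-changing request whose Referer is outside RT's own host (and not in the whitelist) is now rejected.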
______________________________________________________________________

This release of RT contains important bugfixes and security updates.
You can download it from:

http://download.bestpractical.com/pub/rt/release/rt-3.8.12.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-3.8.12.tar.gz.sig

SHA1 sums

aa657de2fd687c51f31216df6dc1f639a0bc1f7c  rt-3.8.12.tar.gz
1da5db780c40455ceeb9a6099364f2bb977271a6  rt-3.8.12.tar.gz.sig

This release, in addition to being a bugfix release, also resolves a
number of security vulnerabilities.  It resolves CVE-2011-2082,
CVE-2011-2083, CVE-2011-2084, CVE-2011-2085, CVE-2011-4458,
CVE-2011-4459, and CVE-2011-4460.

 * Upgrade prototype.js to version 1.7, for compatibility with google
   charts.
 * Remove ie7.js, which is no longer used.
 * Ensure that TransactionBatch scripts are only run once.

A complete changelog is available from git by running:
  git log rt-3.8.11..rt-3.8.12

 - Alex
______________________________________________________________________

RT 4.0.6 contains important security fixes, in addition to bugfixes.

http://download.bestpractical.com/pub/rt/release/rt-4.0.6.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-4.0.6.tar.gz.sig

SHA1 sums

f5c0dd16da21f0af8e9c093057aa58cbab08d06b  rt-4.0.6.tar.gz
1f862bbb1b335cd036d1c32c10d80f26e4ce99a1  rt-4.0.6.tar.gz.sig

This release, in addition to being a bugfix release, also resolves a
number of security vulnerabilities.  It resolves CVE-2011-2082,
CVE-2011-2083, CVE-2011-2084, CVE-2011-2085, CVE-2011-4458,
CVE-2011-4459, and CVE-2011-4460.

 * Remove CSS3PIE, which simply added rounded corners on IE7 and IE8, as
   it was causing numerous crashes of IE.
 * Show the current status in the status dropdown during ticket update,
   to allow forced setting of the status.  This functionality was
   available in RT 3.8, and is now being reinstated.
 * Use SearchBuilder queue limits to restrict what statuses and owners
   are displayed in drop-downs.
 * Make "New Ticket" a top-level SelfService menu item.
 * Display Lifecycle column correctly in queue admin lists.
 * Allow >64k attributes on MySQL; this is particularly useful for
   logos uploaded via the theming editor.
 * Remove two dependencies from the RT mailgate.
 * Adding new arbitrary links to tickets now works as expected in the
   REST interface.
 * Subject: lines in Forward Ticket templates are now respected.
 * Sort ticket link numbers numerically, not alphabetically.
 * Ticket reminders are no longer copied when creating a linked ticket;
   article and http:// links now are, however.
 * Use relative links (with no hostname) more consistently.
 * Correctly deal with non-ASCII attachment filenames which make use of
   MIME parameter value continuations.
 * Find queue-level CFs first in REST interface when there are
   duplicates by name.
 * Fix graphing of searches which reference Updated and other
   transaction-based limits.
 * Reminder statuses on open and resolve are now configurable
   per-lifecycle.
 * Fix quoting of CF names containing dashes and the like in the
   SearchBuilder.
 * Bump URI dependency to ensure utf8 URLs are correctly generated in
   Dashboard emails.
 * Permit <bdo> and language attributes when scrubbing HTML.

A complete changelog is available from git by running:
  git log rt-4.0.5..rt-4.0.6

 - Alex

______________________________________________________________________

On Tue, 2012-05-22 at 10:34 -0400, Alex Vandiver wrote:
> In addition to releasing RT versions 3.8.12 and 4.0.6 which address
> these issues, we have also collected patches for all releases of 3.8
> and 4.0 into a distribution available for download at this link:
>
> http://download.bestpractical.com/rt/release/security-2012-05-22.tar.gz
> http://download.bestpractical.com/rt/release/security-2012-05-22.tar.gz.asc

It has been brought to our attention that the patchset requires version
0.68 or higher of FCGI.pm if you are running a FastCGI deployment.  A
too-low version of this module will manifest as outgoing mail failing to
be sent, and errors in the logs resembling:

  Could not send mail with command `[...]`:
     Can't locate object method "FILENO" via package "FCGI::Stream"

RT 3.8.11 and 4.0.5 already require version 0.75 or higher, to ensure
that you are protected from CVE-2011-2766, which affects mod_fastcgi:
http://lists.bestpractical.com/pipermail/rt-announce/2011-October/000196.html

 - Alex
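A pre-flight check that ties the three announcements together: it compares the downloaded archives against the SHA1 sums published above, verifies each archive's detached signature with gpg, and confirms that FCGI.pm meets the 0.75 minimum mentioned in the last message. This is an added example, not a Best Practical tool; it assumes the files were downloaded into the current directory under their published names and that Best Practical's signing key has already been imported into the local gpg keyring.

```perl
#!/usr/bin/perl
# Pre-flight check for the RT 2012-05-22 security release.
# Added example, not part of the RT distribution.  Assumes the archives
# and their signatures sit in the current directory under the published
# file names, and that the vendor's signing key is in the gpg keyring.
use strict;
use warnings;
use Digest::SHA;

# SHA1 sums exactly as published in the announcements.
my %published = (
    'security-2012-05-22.tar.gz'     => '37e49809e28f1f48313a25b4abf3acd2e863fc26',
    'security-2012-05-22.tar.gz.asc' => '87be1fad89e078d49a146e8594eb64a78368b7cb',
    'rt-3.8.12.tar.gz'               => 'aa657de2fd687c51f31216df6dc1f639a0bc1f7c',
    'rt-3.8.12.tar.gz.sig'           => '1da5db780c40455ceeb9a6099364f2bb977271a6',
    'rt-4.0.6.tar.gz'                => 'f5c0dd16da21f0af8e9c093057aa58cbab08d06b',
    'rt-4.0.6.tar.gz.sig'            => '1f862bbb1b335cd036d1c32c10d80f26e4ce99a1',
);

# Detached signature file that covers each archive.
my %signature = (
    'security-2012-05-22.tar.gz' => 'security-2012-05-22.tar.gz.asc',
    'rt-3.8.12.tar.gz'           => 'rt-3.8.12.tar.gz.sig',
    'rt-4.0.6.tar.gz'            => 'rt-4.0.6.tar.gz.sig',
);

# Hex SHA1 of a file read in binary mode, or undef if it cannot be read.
sub sha1_of {
    my ($path) = @_;
    my $sha = Digest::SHA->new(1);
    eval { $sha->addfile($path, 'b'); 1 } or return undef;
    return $sha->hexdigest;
}

# True if the file's digest equals the published one.
sub sum_matches {
    my ($path) = @_;
    my $got = sha1_of($path);
    return defined($got) && lc($got) eq lc($published{$path});
}

# gpg exits 0 only when the signature verifies against a key in the
# local keyring, so a missing vendor key shows up as a failure here.
sub signature_ok {
    my ($archive) = @_;
    return system('gpg', '--verify', $signature{$archive}, $archive) == 0;
}

# RT 3.8.11/4.0.5 require FCGI.pm >= 0.75 (CVE-2011-2766); the bare
# patchset needs >= 0.68.  UNIVERSAL::VERSION dies if the module is
# older than the minimum, which the eval turns into a false result.
sub fcgi_ok {
    my ($min) = @_;
    return eval { require FCGI; FCGI->VERSION($min); 1 } ? 1 : 0;
}

my $failed = 0;
for my $archive (sort keys %signature) {
    next unless -e $archive;    # check only what was actually downloaded
    for my $f ($archive, $signature{$archive}) {
        my $ok = sum_matches($f);
        printf "%-34s %s\n", $f, $ok ? 'SHA1 ok' : 'SHA1 MISMATCH';
        $failed++ unless $ok;
    }
    my $sig = signature_ok($archive);
    printf "%-34s %s\n", $archive, $sig ? 'signature ok' : 'BAD SIGNATURE';
    $failed++ unless $sig;
}

printf "FCGI.pm >= 0.75: %s\n",
    fcgi_ok('0.75') ? 'yes' : 'no (upgrade before running RT under FastCGI)';
exit($failed ? 1 : 0);
```

A non-zero exit means at least one archive should not be unpacked or applied. Note that the SHA1 sums and the signatures come from the same mailing-list posts, so a matching sum alone only proves the download was not corrupted; the gpg verification against a key obtained out of band is what ties the archive to Best Practical.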

======================================================================

=========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
