[rt-announce] Security vulnerabilities in RT

Alex Vandiver alexmv at bestpractical.com
Thu Oct 25 17:44:10 EDT 2012


We have determined a number of security vulnerabilities which affect
both RT 3.8.x and RT 4.0.x.  We are releasing RT versions 3.8.15 and
4.0.8, and RTFM version 2.4.5, to resolve these vulnerabilities, as well
as patches which apply atop all released versions of 3.8 and 4.0.


The vulnerabilities addressed by 3.8.15, 4.0.8, and the below patches
include the following:


All versions of RT are vulnerable to an email header injection attack.
Users with ModifySelf or AdminUser can cause RT to add arbitrary headers
or content to outgoing mail.  Depending on the scrips that are
configured, this may be leveraged for information leakage or
phishing.  We have been assigned CVE-2012-4730 for this vulnerability;
we would like to thank Scott MacVicar for bringing this matter to our
attention.
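The class of bug behind CVE-2012-4730 is a header value that is written into the
outgoing message verbatim, so a value containing CR or LF terminates its header
line and whatever follows becomes a new header.  The following added example
(not RT's code; the message format and the constructed user value are
assumptions) shows a naive builder next to one that refuses such values, and a
small helper that lists the header names a message ended up with so the
difference is visible:

```python
# Added example, not RT's code: why unvalidated header values let a user
# append headers to outgoing mail, and one way to refuse them.
CRLF = "\r\n"


class HeaderInjection(ValueError):
    """Raised when a header value could break out of its header line."""


def build_message_unsafe(sender, recipient, subject, body):
    """Naive assembly: header values are interpolated verbatim, so a value
    containing CR/LF ends the current header and starts another."""
    headers = [
        f"From: {sender}",
        f"To: {recipient}",
        f"Subject: {subject}",
    ]
    return CRLF.join(headers) + CRLF + CRLF + body


def check_header_value(name, value):
    """Reject CR, LF and NUL anywhere in a header value; return it if clean.
    Folding a long value is the mail library's job, never the user's."""
    if any(ch in value for ch in ("\r", "\n", "\0")):
        raise HeaderInjection(f"illegal control character in {name} header")
    return value


def build_message_safe(sender, recipient, subject, body):
    """Same layout, but every user-influenced value is checked first."""
    headers = [
        f"From: {check_header_value('From', sender)}",
        f"To: {check_header_value('To', recipient)}",
        f"Subject: {check_header_value('Subject', subject)}",
    ]
    return CRLF.join(headers) + CRLF + CRLF + body


def header_names(message):
    """Return the header field names of a message string (everything before
    the first blank line), so the effect of an injected value is visible."""
    head = message.split(CRLF + CRLF, 1)[0]
    return [line.split(":", 1)[0] for line in head.split(CRLF)]


# Constructed sample: a user-controlled subject carrying an embedded CRLF.
TAINTED_SUBJECT = "Hello\r\nX-Injected: yes"

if __name__ == "__main__":
    unsafe = build_message_unsafe("rt@example.com", "user@example.com",
                                  TAINTED_SUBJECT, "body")
    print("unsafe builder produced headers:", header_names(unsafe))
    try:
        build_message_safe("rt@example.com", "user@example.com",
                           TAINTED_SUBJECT, "body")
    except HeaderInjection as exc:
        print("safe builder refused:", exc)
```

The check belongs at the point where the value is copied into a header, not at
the form that collected it; that way every code path that builds mail (scrips
included) is covered.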

RT 4.0.0 and above and RTFM 2.0.0 and above contain a vulnerability due
to lack of proper rights checking, allowing any privileged user to
create Articles in any class.  We have been assigned CVE-2012-4731 for
this vulnerability.

All versions of RT with cross-site request forgery (CSRF) protection (RT
3.8.12 and above, RT 4.0.6 and above, and any instances running the
security patches released 2012-05-22) contain a vulnerability which
incorrectly allows through CSRF requests which toggle ticket bookmarks.
We have been assigned CVE-2012-4732 for this vulnerability; we would
like to thank Matthew Astley for bringing this to our attention.

Additionally, all versions of RT are vulnerable to a confused deputy
attack on the user.  While not strictly a CSRF attack, users who are not
logged in who are tricked into following a malicious link may, after
supplying their credentials, be subject to an attack which leverages
their credentials to modify arbitrary state.  While users who were
logged in would have observed the CSRF protection page, users who were
not logged in receive no such warning due to the intervening login
process.  RT has been extended to notify users of pending actions during
the login process.  We have been assigned CVE-2012-4734 for this
vulnerability; we would like to thank Matthew Astley for bringing this
to our attention.

RT 3.8.0 and above are susceptible to a number of vulnerabilities
concerning improper signing or encryption of messages using GnuPG; if
GnuPG is not enabled, none of the following affect you.  We have been
assigned CVE-2012-4735 for the following related vulnerabilities:

  * When using GnuPG, RT now clarifies the concepts of signing for
    _integrity_ and signing for _authentication_, which are separate
    (and exclusive) concepts.  Previously, enabling the "Sign by
    default" queue configuration began signing automatically-generated
    messages with the queue's key, in addition to defaulting emails sent
    from the web UI to being signed.  This provides integrity, but
    causes emails signed with that key to no longer possess
    authenticity; no individual email is guaranteed to have come from an
    actor designated to act for that key, in the case of
    automatically-generated emails.

    RT has now changed the "Sign by default" checkbox to merely provide
    a default in the web UI when composing messages; it no longer
    affects automatically-generated outgoing messages.  Thus the "Sign
    by default" option helps to provide _authenticity_.  A separate
    queue configuration option, "Sign all auto-generated mail"
    (defaulting to off) now controls the signing of automatically-
    generated emails, which (when used in combination with the previous
    option) helps provide _integrity_ of all outgoing messages.

    Users who had previously checked "Sign by default" and who wish to
    maintain the previous effect of integrity but not authenticity will
    need to enable the new option as well.

    We would like to thank Matthijs Melissen (University of Luxembourg)
    for bringing this matter to our attention.

  * RT 3.8.0 and above contain a vulnerability which allows incoming
    emails to force all triggered outgoing mail to be signed and/or
    encrypted.

  * RT 3.8.0 and above contain a vulnerability which allows incoming
    emails to incorrectly appear in the UI to have been encrypted when
    they had not been.  This vulnerability only applies to encryption,
    not signing.

  * RT 3.8.0 and above contain a vulnerability which allows any user who
    is capable of sending signed email in the UI to do so using any
    secret key stored in RT's keyring.

Additionally, RT 3.8.0 and above contain a vulnerability which allows a
user to pass arbitrary arguments to the command-line GnuPG client, which
could be leveraged to create arbitrary files on disk with the
permissions of the webserver.  This vulnerability only applies if GnuPG
is enabled, and does _not_ allow for execution of programs other than the
command-line GnuPG client.  We have been assigned CVE-2012-4884 for this
vulnerability.
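The defensive pattern for CVE-2012-4884 is to never let a user-supplied value
reach the GnuPG command line unless it matches a narrow allow-list, and to
pass arguments as an argv list rather than through a shell.  The added example
below is not RT's code: the key-id grammar (8 to 40 hex digits, no "0x"
prefix) and the signing options are assumptions chosen for the illustration,
and the sample values are constructed.

```python
import re
import subprocess

# Added example, not RT's code. A key id is accepted only if it is plain hex
# (8 to 40 digits, an assumption for this example), so it can never look like
# an option, a path or a second argument when handed to gpg.
KEY_ID_RE = re.compile(r"\A[0-9A-Fa-f]{8,40}\Z")


class BadKeyId(ValueError):
    """Raised when a user-supplied key id fails the allow-list."""


def validate_key_id(key_id):
    """Return key_id unchanged if it is 8 to 40 hex digits, else raise."""
    if not isinstance(key_id, str) or not KEY_ID_RE.match(key_id):
        raise BadKeyId("key id must be 8 to 40 hex digits")
    return key_id


def gpg_sign_argv(key_id, gpg="gpg"):
    """Build the argv for a detached, ASCII-armored signature.

    Every element is fixed except the validated key id, and the list form
    means no shell ever interprets it."""
    return [gpg, "--batch", "--armor", "--detach-sign",
            "--local-user", validate_key_id(key_id)]


def detach_sign(data, key_id, gpg="gpg"):
    """Run gpg with the validated argv; data on stdin, signature on stdout.
    Not exercised here because it needs a keyring."""
    result = subprocess.run(gpg_sign_argv(key_id, gpg), input=data,
                            capture_output=True, check=True)
    return result.stdout


if __name__ == "__main__":
    print(gpg_sign_argv("0123ABCD"))            # constructed key id
    for bad in ("-not-a-keyid", "0123ABCD extra", ""):
        try:
            gpg_sign_argv(bad)
        except BadKeyId as exc:
            print(f"rejected {bad!r}: {exc}")
```

If a value must legitimately be an operand such as a filename, place a literal
"--" before it so the option parser stops, and still validate it; the
allow-list is the primary control, the separator a second layer.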



If you are running 3.8.x and RTFM, you will need to install RTFM
2.4.5 to resolve CVE-2012-4731:

http://download.bestpractical.com/pub/rt/release/RTFM-2.4.5.tar.gz
http://download.bestpractical.com/pub/rt/release/RTFM-2.4.5.tar.gz.asc

96c9800bf1eee94a5dd9978400a7cba8d9594b29  RTFM-2.4.5.tar.gz
1f136d9f047164d72c1cf3e0bd64839804fc49ae  RTFM-2.4.5.tar.gz.asc


Patches for all releases of 3.8.x and 4.0.x are available for download
below.  As RT 3.6.x has reached end of life, we will not be releasing
patches for it; please contact sales at bestpractical.com if you need
assistance with RT versions older than 3.8.0.

http://download.bestpractical.com/pub/rt/release/security-2012-10-25.tar.gz
http://download.bestpractical.com/pub/rt/release/security-2012-10-25.tar.gz.asc

f10e60186cb103587e5059280ea9b3f6e47f2d22  security-2012-10-25.tar.gz
c67c4845b4afe1a7737c000d6f85cafee7b4d009  security-2012-10-25.tar.gz.asc
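Before unpacking any of the tarballs above, compare the download against the
SHA-1 sums published in this announcement.  The following is an added
verification helper, not part of the release or of RT; the sums are copied
from the lists above, and the file written by the helper at the end is
constructed only so the code can be exercised offline.

```python
import hashlib
import os
import tempfile

# SHA-1 sums exactly as published in the announcement above.
PUBLISHED_SHA1 = {
    "RTFM-2.4.5.tar.gz": "96c9800bf1eee94a5dd9978400a7cba8d9594b29",
    "RTFM-2.4.5.tar.gz.asc": "1f136d9f047164d72c1cf3e0bd64839804fc49ae",
    "security-2012-10-25.tar.gz": "f10e60186cb103587e5059280ea9b3f6e47f2d22",
    "security-2012-10-25.tar.gz.asc": "c67c4845b4afe1a7737c000d6f85cafee7b4d009",
}


def sha1_of_file(path, chunk=1 << 16):
    """Stream the file through SHA-1 so large tarballs need little memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_download(path, expected_sums=PUBLISHED_SHA1):
    """Return (ok, actual_hex). ok is False when the basename is not in the
    published list or when the computed sum differs from the published one;
    actual_hex is None only when the name is unknown."""
    expected = expected_sums.get(os.path.basename(path))
    if expected is None:
        return (False, None)
    actual = sha1_of_file(path)
    return (actual.lower() == expected.lower(), actual)


def write_constructed_file(name, data):
    """Write constructed bytes under a temp directory and return the path
    (used only to exercise the checker without a real download)."""
    path = os.path.join(tempfile.mkdtemp(), name)
    with open(path, "wb") as handle:
        handle.write(data)
    return path


if __name__ == "__main__":
    # Constructed stand-in for a download; it will not match the real sum.
    sample = write_constructed_file("security-2012-10-25.tar.gz", b"")
    ok, actual = verify_download(sample)
    print(f"{os.path.basename(sample)}: ok={ok} actual={actual}")
```

A matching sum shows the file is the one the announcement describes; the
detached .asc files are the stronger check, verified with
gpg --verify security-2012-10-25.tar.gz.asc security-2012-10-25.tar.gz after
importing the Best Practical signing key.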

The README in the tarball contains instructions for applying the
patches.  If you need help resolving this issue locally, we will provide
discounted pricing for single-incident support; please contact us at
sales at bestpractical.com for more information.

 - Alex