#VU28980 Improper Neutralization of Argument Delimiters in a Command in Roundcube - CVE-2020-12641

Cybersecurity Help s.r.o.

Published: 2020-06-11 | Updated: 2023-06-20

Vulnerability identifier: #VU28980

Vulnerability risk: High

CVSSv4.0: 8.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]

CVE-ID: CVE-2020-12641

CWE-ID: CWE-88

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Roundcube
Web applications / Webmail solutions

Vendor: Roundcube

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists in rcube_image.php script when processing shell metacharacters in a configuration setting for im_convert_path or im_identify_path. A remote user with ability to change Roundcube Webmail configuration can inject and execute arbitrary OS commands.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Roundcube: 1.2.0 - 1.2.9, 1.3.0 - 1.3.10, 1.4.0 - 1.4.3

External links
https://github.com/roundcube/roundcubemail/commit/fcfb099477f353373c34c8a65c9035b06b364db3
https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4
https://github.com/roundcube/roundcubemail/releases/tag/1.4.4
https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10
https://www.recordedfuture.com/bluedelta-exploits-ukrainian-government-roundcube-mail-servers

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

Latest bulletins with this vulnerability

OpenSUSE Linux update for roundcubemail

Gentoo update for Roundcube

Multiple vulnerabilities in Roundcube Webmail