Remote Code Execution in SpamTitan

CVE-2019-6800 is a vulnerability in the anti-spam solution “SpamTitan” by TitanHQ that allows a network man-in-the-middle to execute arbitrary code as root. Affected versions include at least the 7.x releases up to 7.03.

Vulnerability

The vulnerability was first identified after the download of shell scripts over an unencrypted connection triggered an alert in network monitoring equipment. The traffic was part of the spam rule update process.

HTTP response

HTTP/1.1 200 OK
Date: Thu, 24 Jan 2019 14:02:04 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Thu, 24 Jan 2019 13:30:00 GMT
ETag: "a9aaa8-c1-b12f120002"
Accept-Ranges: bytes
Content-Length: 197
Connection: close
Content-Type: text/plain; charset=UTF-8

\! /usr/local/bin/wget -O /tmp/fixit.sh  http://rules.spamtitan.com/7.01/fixit.sh > /dev/null  2>&1
\! /bin/chmod +x /tmp/fixit.sh
\! /tmp/fixit.sh
\! /bin/rm /tmp/fixit.sh

This response raised concerns about the security of the update process. A test instance of the SpamTitan software was deployed, and it quickly confirmed that the update process is indeed performed over unencrypted connections with no security measures in place. Using simple man-in-the-middle techniques, we confirmed that code injected into the update response is executed on the SpamTitan server with root privileges.
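The monitoring alert that started this investigation can be reproduced as a small detector. The following Python is an added example, not code from the advisory or from TitanHQ: it parses a captured cleartext HTTP response, treats body lines prefixed with `!` as shell commands (the convention visible in the response above; the real rule-file grammar is assumed, not documented here), and flags the fetch-then-execute pattern in which a file is downloaded over `http://`, made executable, and run. The sample response is constructed from the headers and body quoted above; the benign body is constructed as well.

```python
"""Flag cleartext HTTP responses that carry a fetch-and-execute script.

Added example for CVE-2019-6800; not the advisory's or TitanHQ's code.
Assumption: lines starting with '!' are handed to a shell by the updater.
"""
import re

# Constructed from the response quoted in the advisory. The parser splits on
# the blank line and deliberately ignores Content-Length.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Thu, 24 Jan 2019 14:02:04 GMT\r\n"
    b"Server: Apache/2.2.3 (CentOS)\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/plain; charset=UTF-8\r\n"
    b"\r\n"
    b"! /usr/local/bin/wget -O /tmp/fixit.sh  http://rules.spamtitan.com/7.01/fixit.sh > /dev/null  2>&1\n"
    b"! /bin/chmod +x /tmp/fixit.sh\n"
    b"! /tmp/fixit.sh\n"
    b"! /bin/rm /tmp/fixit.sh\n"
)

# Constructed benign body: plain rule data, no '!' command lines.
BENIGN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain; charset=UTF-8\r\n"
    b"\r\n"
    b"score EXAMPLE_RULE 2.5\n"
    b"describe EXAMPLE_RULE constructed sample rule\n"
)

# A downloader followed by an output-file flag: "wget -O <path>", "curl -o <path>".
FETCH_RE = re.compile(r"\b(?:wget|curl|fetch)\b.*?\s-[Oo]\s*(\S+)")
INTERPRETERS = {"sh", "bash", "source", "."}


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, header dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("utf-8", "replace")


def shell_lines(body: str):
    """Yield the commands the updater would hand to a shell ('!'-prefixed lines)."""
    for line in body.splitlines():
        stripped = line.strip()
        if stripped.startswith("!"):
            yield stripped[1:].strip()


def find_fetch_and_execute(body: str):
    """Return (kind, path) findings for download / chmod +x / execute steps."""
    findings = []
    fetched = set()  # paths written by a downloader earlier in the script
    for cmd in shell_lines(body):
        match = FETCH_RE.search(cmd)
        if match:
            path = match.group(1)
            fetched.add(path)
            if re.search(r"\bhttp://", cmd):
                findings.append(("cleartext-download", path))
            continue
        tokens = cmd.split()
        if not tokens:
            continue
        if tokens[0].endswith("chmod") and "+x" in tokens:
            findings.extend(("chmod-exec", t) for t in tokens if t in fetched)
            continue
        # The downloaded file may be run directly or via an interpreter.
        first = tokens[0].rsplit("/", 1)[-1]
        candidate = tokens[1] if first in INTERPRETERS and len(tokens) > 1 else tokens[0]
        if candidate in fetched:
            findings.append(("executed-download", candidate))
    return findings


def is_fetch_and_execute(raw: bytes) -> bool:
    """True when the response body downloads a file and later executes it."""
    _, _, body = parse_response(raw)
    kinds = {kind for kind, _ in find_fetch_and_execute(body)}
    return "executed-download" in kinds


if __name__ == "__main__":
    for name, resp in (("sample", SAMPLE_RESPONSE), ("benign", BENIGN_RESPONSE)):
        _, headers, body = parse_response(resp)
        print(name, headers.get("content-type"), find_fetch_and_execute(body),
              "ALERT" if is_fetch_and_execute(resp) else "ok")
```

Run on a captured response, the detector reports the cleartext download, the `chmod +x`, and the execution of the same path, which is exactly the sequence a rule update should never need; a response with only rule data produces no findings. Because the parser keys on the `!` prefix, it will miss commands smuggled in another form, so it complements rather than replaces the mitigation of moving the update channel to an authenticated transport.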

Mitigation

Update SpamTitan to a version >7.04, or disable the spam rule update process, to mitigate this vulnerability.

Timeline