fail2ban is a daemon to ban hosts that cause multiple authentication errors. In versions 0.9.7 and prior, 0.10.0 through 0.10.6, and 0.11.0 through 0.11.2, there is a vulnerability that leads to possible remote code execution in the mailing action mail-whois. Command `mail` from mailutils package used in mail actions like `mail-whois` can execute command if unescaped sequences (`\n~`) are available in "foreign" input (for instance in whois output). To exploit the vulnerability, an attacker would need to insert malicious characters into the response sent by the whois server, either via a MITM attack or by taking over a whois server. The issue is patched in versions 0.10.7 and 0.11.3. As a workaround, one may avoid the usage of action `mail-whois` or patch the vulnerability manually.

The remote host is affected by the vulnerability described in GLSA-202310-13 (GNU Mailutils: unexpected processsing of escape sequences)

  - fail2ban is a daemon to ban hosts that cause multiple authentication errors. In versions 0.9.7 and prior,     0.10.0 through 0.10.6, and 0.11.0 through 0.11.2, there is a vulnerability that leads to possible remote     code execution in the mailing action mail-whois. Command `mail` from mailutils package used in mail     actions like `mail-whois` can execute command if unescaped sequences (`\n~`) are available in foreign     input (for instance in whois output). To exploit the vulnerability, an attacker would need to insert     malicious characters into the response sent by the whois server, either via a MITM attack or by taking     over a whois server. The issue is patched in versions 0.10.7 and 0.11.3. As a workaround, one may avoid     the usage of action `mail-whois` or patch the vulnerability manually. (CVE-2021-32749)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM host has a package installed that is affected by a vulnerability as referenced in the USN-5232-1 advisory.

    Jakub oczek discovered that certain Fail2ban actions handled whois responses in an insecure way. If     Fail2ban was configured to use certain mail actions like 'mail-whois' on a target system, a remote     attacker who was able to control whois responses to this target system could possibly execute arbitrary     code.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Jakub Zoczek reports :

Command mail from mailutils package used in mail actions like mail-whois can execute command if unescaped sequences (\n~) are available in 'foreign' input (for instance in whois output).

The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2021:1274-1 advisory.

  - fail2ban is a daemon to ban hosts that cause multiple authentication errors. In versions 0.9.7 and prior,     0.10.0 through 0.10.6, and 0.11.0 through 0.11.2, there is a vulnerability that leads to possible remote     code execution in the mailing action mail-whois. Command `mail` from mailutils package used in mail     actions like `mail-whois` can execute command if unescaped sequences (`\n~`) are available in foreign     input (for instance in whois output). To exploit the vulnerability, an attacker would need to insert     malicious characters into the response sent by the whois server, either via a MITM attack or by taking     over a whois server. The issue is patched in versions 0.10.7 and 0.11.3. As a workaround, one may avoid     the usage of action `mail-whois` or patch the vulnerability manually. (CVE-2021-32749)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
183385	GLSA-202310-13 : GNU Mailutils: unexpected processsing of escape sequences	Nessus	Gentoo Local Security Checks	high
183171	Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM : Fail2ban vulnerability (USN-5232-1)	Nessus	Ubuntu Local Security Checks	high
154659	FreeBSD : fail2ban -- possible RCE vulnerability in mailing action using mailutils (c848059a-318b-11ec-aa15-0800270512f4)	Nessus	FreeBSD Local Security Checks	high
153455	openSUSE 15 Security Update : fail2ban (openSUSE-SU-2021:1274-1)	Nessus	SuSE Local Security Checks	high

Detections

Analytics

CVE-2021-32749

high

Tenable Plugins

high

high

high

high