We have determined a number of security vulnerabilities which affectboth RT 3.8.x and RT 4.0.x. We are releasing RT versions 3.8.15 and 4.0.8, and RTFM version 2.4.5, to resolve these vulnerabilities, as well as patches which apply atop all released versions of 3.8 and 4.0.

The vulnerabilities addressed by 3.8.15, 4.0.8, and the patches include the following:

All versions of RT are vulnerable to an email header injection attack. Users with ModifySelf or AdminUser can cause RT to add arbitrary headers or content to outgoing mail. Depending on the scrips that are configured, this may be be leveraged for information leakage or phishing. We have been assigned CVE-2012-4730 for this vulnerability; we would like to thank Scott MacVicar for bringing this matter to our attention.

RT 4.0.0 and above and RTFM 2.0.0 and above contain a vulnerability due to lack of proper rights checking, allowing any privileged user to create Articles in any class. We have been assigned CVE-2012-4731 for this vulnerability.

All versions of RT with cross-site-request forgery (CSRF) protection (RT 3.8.12 and above, RT 4.0.6 and above, and any instances running the security patches released 2012-05-22) contain a vulnerability which incorrectly allows though CSRF requests which toggle ticket bookmarks. We have been assigned CVE-2012-4732 for this vulnerability; we would like to thank Matthew Astley for bringing this to our attention.

Additionally, all versions of RT are vulnerable to a confused deputy attack on the user. While not strictly a CSRF attack, users who are not logged in who are tricked into following a malicious link may, after supplying their credentials, be subject to an attack which leverages their credentials to modify arbitrary state. While users who were logged in would have observed the CSRF protection page, users who were not logged in receive no such warning due to the intervening login process. RT has been extended to notify users of pending actions during the login process. We have been assigned CVE-2012-4734 for this vulnerability; we would like to thank Matthew Astley for bringing this to our attention.

RT 3.8.0 and above are susceptible to a number of vulnerabilities concerning improper signing or encryption of messages using GnuPG; if GnuPG is not enabled, none of the following affect you. We have been assigned CVE-2012-4735 for the following related vulnerabilities:

• When using GnuPG, RT now clarifies the concepts of signing for integrity and signing for authentication, which are separate (and exclusive) concepts. Previously, enabling the "Sign by default" queue configuration began signing automatically-generated messages with the queue's key, in addition to defaulting emails sent from the web UI to being signed. This provides integrity, but causes emails signed with that key to no longer possess authenticity; no individual email is guaranteed to have come from an actor designated to act for that key, in the case of automatically-generated emails.

  RT has now changed the "Sign by default" checkbox to merely provide a default in the web UI when composing messages; it no longer affects automatically-generated outgoing messages. Thus the "Sign by default" option helps to provide authenticity. A separate queue configuration option, "Sign all auto-generated mail" (defaulting to off) now controls the signing of automatically- generated emails, which (when used in combination with the previous option) helps provide integrity of all outgoing messages.

  Users who had previously checked "Sign by default" and who wish to maintain the previous effect of integrity but not authenticity will need to enable the new option as well.

  We would like to thank Matthijs Melissen (University of Luxembourg) for bringing this matter to our attention.

• RT 3.8.0 and above contain a vulnerability which allows incoming emails to force all triggered outgoing mail to be signed and/or encrypted.

• RT 3.8.0 and above contain a vulnerability which allows incoming emails to incorrectly appear in the UI to have been encrypted when they had not been. This vulnerability only applies to encryption, not signing.

• RT 3.8.0 and above contain a vulnerability which allows any user who is capable of sending signed email in the UI to do so using any secret key stored in RT's keyring.

Additionally, RT 3.8.0 and above contain a vulnerability which allows a user to pass arbitrary arguments to the command-line GnuPG client, which could be leveraged to create arbitrary files on disk with the permissions of the webserver. This vulnerability only applies if GnuPG is enabled, and does not allow for execution of programs other than the command-line GnuPG client. We have been assigned CVE-2012-4884 for this vulnerability.

If you are running 3.8.x and RTFM, you will need to install RTFM 2.4.5 to resolve CVE-2012-4731. Patches for all releases of 3.8.x and 4.0.x are available for download; The README within it contains instructions for applying the patches. Otherwise, we recommend upgrading to RT 4.0.8, which resolves the above vulnerabilities.

If you are using RT::Authen::ExternalAuth, you also need to upgrade it to version 0.12 for compatibility with the security fixes in RT 4.0.8, 3.8.15, and the patches.

We have determined a number of security vulnerabilities in commonlyinstalled RT extensions, enumerated below. You can determine which, if any, of these extensions your RT installation is using by navigating to Configuration → Tools → System Configuration, and examining the "Plugins" configuration setting.

We have released updated versions of each vulnerable extension. Installation instructions for each are included in a README file in each extension's tarball. You need only download and upgrade these extensions if you have a previous version of them installed; RT installations with none of the below extensions installed are not vulnerable, and do not need to take action.

RT::Authen::ExternalAuth 0.10 and below (for all versions of RT) are vulnerable to an escalation of privilege attack where the URL of a RSS feed of the user can be used to acquire a fully logged-in session as that user. CVE-2012-2770 has been assigned to this vulnerability.

Users of RT 3.8.2 and above should upgrade to RT::Authen::ExternalAuth 0.11, which resolves this vulnerability. Because users of RT 3.8.1 cannot run RT::Authen::ExternalAuth later then 0.08 (due to bugs in plugin handling code in RT 3.8.1), we are also providing a patch which applies to RT::Authen::ExternalAuth 0.08. This patch should only be applied if you are running RT 3.8.1 and RT::Authen::ExternalAuth 0.08. Instructions for applying the patch can be found in the patch file itself.

http://cpan.metacpan.org/authors/id/A/AL/ALEXMV/RT-Authen-ExternalAuth-0.11.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-authen-externalauth-0.08.patch

RT::FM versions 2.0.4 through 2.4.3, inclusive, are vulnerable to multiple cross-site scripting (XSS) attacks in the topic administration page. CVE-2012-2768 has been assigned to this vulnerability. This release also includes updates for compatibility with RT 3.8.12. As RT 4.0 and above bundle RT::FM's functionality, and resolved this vulnerability in RT 4.0.6, this update is only applicable to installations of RT 3.8.

http://download.bestpractical.com/pub/rt/release/RTFM-2.4.4.tar.gz

RT::Extension::MobileUI 1.01 and below are vulnerable to multiple cross-site scripting (XSS) attacks. CVE-2012-2769 has been assigned to this vulnerability. As RT 4.0 and above bundle RT::Extension::MobileUI's functionality, and resolved this vulnerability in RT 4.0.6, this update is only applicable to installations of RT 3.8.

http://cpan.metacpan.org/authors/id/A/AL/ALEXMV/RT-Extension-MobileUI-1.02.tar.gz

The README in each tarball contains instructions for upgrading the extension. If you need help resolving this issue locally, we will provide discounted pricing for single-incident support; please contact us at sales at bestpractical.com for more information.

Internal audits of the RT codebase have uncovered a number of securityvulnerabilities in RT. We are releasing versions 3.8.12 and 4.0.6 to resolve these vulnerabilities, as well as patches which apply atop all released versions of 3.8 and 4.0.

The vulnerabilities addressed by 3.8.12, 4.0.6, and the below patches include the following:

The previously released tool to upgrade weak password hashes as part of CVE-2011-0009 was an incomplete fix and failed to upgrade passwords of disabled users. This release includes an updated version of the vulnerable-passwords tool, which should be run again to upgrade the remaining password hashes. CVE-2011-2082 is assigned to this vulnerability.

RT versions 3.0 and above contain a number of cross-site scripting (XSS) vulnerabilities which allow an attacker to run JavaScript with the user's credentials. CVE-2011-2083 is assigned to this vulnerability.

RT versions 3.0 and above are vulnerable to multiple information disclosure vulnerabilities. This includes the ability for privileged users to expose users' previous password hashes -- this vulnerability is particularly dangerous given RT's weak hashing previous to the fix in CVE-2011-0009. A separate vulnerability allows privileged users to obtain correspondence history for any ticket in RT. CVE-2011-2084 is assigned to this vulnerability.

All publicly released versions of RT are vulnerable to cross-site request forgery (CSRF), in which a malicious website causes the browser to make a request to RT as the currently logged in user. This attack vector could be used for information disclosure, privilege escalation, and arbitrary execution of code. Because some external integrations may rely on RT's previously permissive functionality, we have included a configuration option ($RestrictReferrer) to disable CSRF protection. We have also added an additional configuration parameter ($ReferrerWhitelist) to aid in exempting certain originating sites from CSRF protections. CVE-2011-2085 is assigned to this vulnerability.

We have also added a separate configuration option ($RestrictLoginReferrer) to prevent login CSRF, a different class of CSRF attack where the user is silently logged in using the attacker's credentials. $RestrictLoginReferrer defaults to disabled, because this functionality's benign usage is more commonly relied upon and presents less of a threat vector for RT than many other types of online applications.

RT versions 3.6.1 and above are vulnerable to a remote execution of code vulnerability if the optional VERP configuration options ($VERPPrefix and $VERPDomain) are enabled. RT 3.8.0 and higher are vulnerable to a limited remote execution of code which can be leveraged for privilege escalation. RT 4.0.0 and above contain a vulnerability in the global $DisallowExecuteCode option, allowing sufficiently privileged users to still execute code even if RT was configured to not allow it. CVE-2011-4458 is assigned to this set of vulnerabilities.

RT versions 3.0 and above may, under some circumstances, still respect rights that a user only has by way of a currently-disabled group. CVE-2011-4459 is assigned to this vulnerability.

RT versions 2.0 and above are vulnerable to a SQL injection attack, which allow privileged users to obtain arbitrary information from the database. CVE-2011-4460 is assigned to this vulnerability.

In addition to releasing RT versions 3.8.12 and 4.0.6 which address these issues, we have also collected patches for all releases of 3.8 and 4.0 into a distribution available for download at:

http://download.bestpractical.com/pub/rt/release/security-2012-05-22.tar.gz

The README in the tarball contains instructions for applying the patches. The patches require version 0.68 or higher of FCGI.pm if you are running a FastCGI deployment. A too-low version of this module will manifest as outgoing mail failing to be sent, and errors in the logs resembling:

Could not send mail with command `[...]`:
Can't locate object method "FILENO" via package "FCGI::Stream"

If you need help resolving these security issues, we will provide discounted pricing for single-incident support; please contact us at sales at bestpractical.com for more information.