Last Week in AppSec for 30. September 2025 - Checkmarx

Last Week in AppSec for 30. September 2025

September 30, 2025

Here are some news items our team found interesting over the past week, which you might have missed.

  • Popular Go package go-mail (not to be confused with gomail, ain’t naming fun?) picked up a sort of SMTP command injection due to how it handles email address encoding when talking to SMTP servers. A simple programming mistake led to a High severity issue (CVSSv4 8.2) in versions prior to v0.7.1.
  • Rancher, a popular Kubernetes multi-cluster manager, has a vulnerability in how it handles SAML authentication (CVSSv3 8.0), which affects both the Manager component and the related CLI. While difficult to exploit, a well-informed attacker could use a phishing vector along with a maliciously constructed URL to force SAML reauthentication to an attacker-controlled endpoint, potentially providing the attacker with valid session tokens. It is unclear when this was introduced, but Rancher says the following versions have been patched: v2.12.2, v2.11.6, v2.10.10, and v2.9.12.

SMTP command injection in go-mail

Popular Go package go-mail (not to be confused with gomail, ain’t naming fun?) picked up a sort of SMTP command injection due to how it handles email address encoding when talking to SMTP servers. A simple programming mistake led to a High severity issue (CVSSv4 8.2) in versions prior to v0.7.1.

The issue stems from an implicit cast to a string rather than an explicit call to mail.Address.String(), resulting in attackers being able to provide SMTP commands at the end of a recipient email address, and having those commands be sent to the SMTP server. The .String() method properly escapes the address, and the go-mail maintainer was therefore able to fix the issue quickly by ensuring that method is used when sending addresses to the mail system.
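To make the difference concrete, here is an added Go example (not go-mail's code, and not the library's actual vulnerable or patched lines) contrasting raw string interpolation of a mail.Address with net/mail's Address.String(). The crafted input, the harmless NOOP marker and the checkLine helper are constructed for illustration. checkLine is there because String() encodes the display name and quotes the local part but copies the domain through unchanged, so a final refusal of any line that still carries CR or LF is cheap insurance before anything reaches the SMTP socket.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

// Constructed example input: CR/LF inside the display name and the local
// part. NOOP is a harmless SMTP command standing in for anything that might
// follow the line break.
var crafted = mail.Address{
	Name:    "Alice\r\nNOOP",
	Address: "alice\r\nNOOP@example.com",
}

// naiveRcptLine shows the unsafe pattern: the struct field is dropped into
// the protocol line as a raw string, so an embedded CRLF terminates the
// command and whatever follows reaches the server as a new command.
func naiveRcptLine(a mail.Address) string {
	return fmt.Sprintf("RCPT TO:<%s>", a.Address)
}

// naiveToHeader does the same for a message header line.
func naiveToHeader(a mail.Address) string {
	return fmt.Sprintf("To: %s <%s>", a.Name, a.Address)
}

// safeRcptLine formats only the addr-spec with mail.Address.String(), which
// quotes a local part that is not a plain dot-atom and drops control
// characters from it (RCPT TO takes no display name, so it is cleared).
func safeRcptLine(a mail.Address) string {
	spec := mail.Address{Address: a.Address}
	return "RCPT TO:" + spec.String()
}

// safeToHeader keeps the display name; String() RFC 2047-encodes a name that
// is not printable ASCII, so the CRLF becomes =0D=0A inside an encoded-word.
func safeToHeader(a mail.Address) string {
	return "To: " + a.String()
}

var errLineBreak = errors.New("address still contains CR or LF after formatting")

// checkLine is the belt-and-braces step (hypothetical helper): String() is
// an encoder, not a validator, and the domain part is passed through as-is,
// so refuse to send any line that still contains a line break.
func checkLine(line string) error {
	if strings.ContainsAny(line, "\r\n") {
		return errLineBreak
	}
	return nil
}

func main() {
	for _, line := range []string{naiveRcptLine(crafted), naiveToHeader(crafted)} {
		fmt.Printf("naive: %q -> %v\n", line, checkLine(line))
	}
	for _, line := range []string{safeRcptLine(crafted), safeToHeader(crafted)} {
		fmt.Printf("safe:  %q -> %v\n", line, checkLine(line))
	}
}
```

Running it prints the two naive lines with a literal CRLF in the middle (checkLine rejects them) and the two String()-based lines with the break either removed or encoded (checkLine accepts them).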

Upgrade to v0.7.1 to get the patch.

Rancher Manager and CLI have privilege escalation

Rancher, a popular Kubernetes multi-cluster manager, has a vulnerability in how it handles SAML authentication (CVSSv3 8.0), which affects both the Manager component and the related CLI. A well-informed attacker could use a phishing vector along with a maliciously constructed URL to force SAML reauthentication to an attacker-controlled endpoint, potentially providing the attacker with valid session tokens. It is unclear when this was introduced, but Rancher says the following versions have been patched: v2.12.2, v2.11.6, v2.10.10, and v2.9.12.

Critically, the attack requires some knowledge of the target’s environment: the attacker has to trick a legitimate user into clicking a “correct” SAML authentication URL while controlling the publicKey and requestID parameters. Most users would be unlikely to notice the problem from the URL contents alone, despite SUSE’s recommendation of user attention as a workaround or mitigation. SAML implementations that use a strict allowlist for those parameters will likely mitigate the attack, but this configuration is not common.
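As an added illustration of the allowlist idea (hypothetical code, not Rancher's implementation or its fix): the server records every requestID it issues together with the public key bound to it, and an incoming URL is accepted only if both parameters match a pending, server-issued entry. The pendingRequests type, the one-time-use rule, the fingerprinting and the sample URLs are all assumptions made for this example; only the parameter names publicKey and requestID come from the write-up.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"sync"
)

var (
	errMissingParam   = errors.New("missing requestID or publicKey")
	errUnknownRequest = errors.New("requestID was not issued by this server")
	errKeyMismatch    = errors.New("publicKey differs from the key bound to this requestID")
)

// pendingRequests is the allowlist: only request IDs the server itself
// issued are present, each bound to the fingerprint of the public key the
// flow was started with. Hypothetical bookkeeping, not the product's own.
type pendingRequests struct {
	mu   sync.Mutex
	byID map[string]string // requestID -> fingerprint(publicKey)
}

func newPendingRequests() *pendingRequests {
	return &pendingRequests{byID: make(map[string]string)}
}

// fingerprint keeps the table small and the comparison fixed-length.
func fingerprint(publicKey string) string {
	sum := sha256.Sum256([]byte(publicKey))
	return hex.EncodeToString(sum[:])
}

// issue is the only way an entry enters the allowlist: the server calls it
// when it starts a SAML flow, never in response to an unauthenticated URL.
func (p *pendingRequests) issue(requestID, publicKey string) {
	p.mu.Lock()
	defer p.mu.Unlock()
	p.byID[requestID] = fingerprint(publicKey)
}

// validateParams accepts the pair only if the ID is pending and the key
// matches; the entry is consumed on any attempt so it cannot be retried.
func (p *pendingRequests) validateParams(requestID, publicKey string) error {
	if requestID == "" || publicKey == "" {
		return errMissingParam
	}
	p.mu.Lock()
	defer p.mu.Unlock()
	want, ok := p.byID[requestID]
	if !ok {
		return errUnknownRequest
	}
	delete(p.byID, requestID)
	got := fingerprint(publicKey)
	if subtle.ConstantTimeCompare([]byte(want), []byte(got)) != 1 {
		return errKeyMismatch
	}
	return nil
}

// validateURL pulls the two parameters out of a raw URL, such as one a
// user was sent, and applies the allowlist.
func (p *pendingRequests) validateURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	q := u.Query()
	return p.validateParams(q.Get("requestID"), q.Get("publicKey"))
}

func main() {
	p := newPendingRequests()
	p.issue("req-1", "KEY-A") // constructed values
	fmt.Println("issued pair:", p.validateURL("https://rancher.example/saml?requestID=req-1&publicKey=KEY-A"))
	fmt.Println("replay:     ", p.validateURL("https://rancher.example/saml?requestID=req-1&publicKey=KEY-A"))
	p.issue("req-2", "KEY-A")
	fmt.Println("foreign key:", p.validateURL("https://rancher.example/saml?requestID=req-2&publicKey=KEY-X"))
	fmt.Println("unknown id: ", p.validateURL("https://rancher.example/saml?requestID=req-9&publicKey=KEY-A"))
}
```

The point of the design is that the parameters in the URL carry no authority on their own: a URL built by someone other than the server fails on the requestID lookup, and a URL that reuses a genuine requestID with a substituted key fails on the fingerprint comparison and burns the entry.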

Rancher deployments configured to use SAML should update promptly.
