Ethical hacker and security researcher Dawid Golunski of Legal Hackers recently disclosed critical vulnerabilities affecting the PHPMailer and SwiftMailer services. Both were at risk for remote code execution through similar means. The positive news is that thanks to swift action from various security professionals, these vulnerabilities have been patched. Let’s explore both patched exploits and how they affected their respective product.
The PHPMailer remote code execution vulnerability (CVE-2016-10033) is able to be exploited against basic website functions. According to Golunski’s report, these functions include “contact/feedback forms, registration forms, password email resets, and others that send out emails with the help of a vulnerable version of the PHPMailer class.” There was an initial patch that failed, as Threatpost pointed out, version 5.2.18 was still exploitable. This has since been fixed and users of PHPMailer can feel confident now that there is a proper fix for this vulnerability.
In the case of SwiftMailer, exploit CVE-2016-10074 functioned in similar ways to the PHPMailer vulnerability. Thanks to the ability for remote code execution, an attacker could compromise the same website items that were at risk in CVE-2016-10033. SwiftMailer had been recently updated (version 5.4.5-DEV) prior to the release of the exploit report.
What occurred in this particular instance was exactly the proper protocol for fixing critical vulnerabilities. Almost immediately the companies responsible for PHPMailer and SwiftMailer went to work to quickly patch potentially catastrophic exploits. Good for them: In the past year, there have been countless instances of companies dragging their feet when attempting to fix serious vulnerabilities.
Inaction on the part of executives has been a persistent problem in the InfoSec industry, because security professionals can only do their jobs once they have proper authorization. Whether it is cost or otherwise, the suits tend not to understand the gravity of certain threat reports, and massive breaches occur because of it. As 2017 progresses, it is imperative that more companies take the work of white hats and gray hats seriously if they are going to be protected from the worst hackers out there.