CVE-2011-0018
published 2011-01-28


Priority: P2 · 58 · Severity: critical · CVSS 2.0 base score: 9
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Exploit: public exploit known
EPSS: 9.27% (94.7th percentile)
The email function in manage_sql.c in OpenVAS Manager 1.0.x through 1.0.3 and 2.0.x through 2.0rc2 allows remote authenticated users to execute arbitrary commands via the (1) To or (2) From e-mail address in an OMP request to the Greenbone Security Assistant (GSA).

Affected (6 ranges)

Vendor      Product                        Version range   Fixed in
greenbone   greenbone_security_assistant   <= 2.0
openvas     openvas_manager                (five ranges; version fields were not captured on this page)

Per the description above, the affected OpenVAS Manager versions are 1.0.x through 1.0.3 and 2.0.x through 2.0rc2; the fix notes below name 1.0.4 and 2.0rc3 as the fixed releases.

Detection & IOCs (extracted from sources)

command: echo "To: %s\nFrom: %s\nSubject: %s\n\n%s" | /usr/sbin/sendmail %s > /dev/null 2>&1
path: /usr/sbin/sendmail
  • Monitor OMP requests (to OpenVAS Manager) where the 'to_address' or 'from_address' fields contain shell metacharacters (e.g., '>', '|', ';', '`', '$(') indicating command injection attempts via the email escalator function. Each of these fields is substituted unescaped into the sendmail command template shown above, and the To address is substituted twice (once in the message header, once as the sendmail argument).
  • Detect HTTP POST requests to the Greenbone Security Assistant (GSA) where the form field 'method_data:to_address' contains shell redirection or other metacharacters, e.g., values like 'none@none>/var/lib/openvas/users/<username>/isadmin'. (This is shell redirection, not path traversal: the '>' makes the shell write the echoed message into the named file.)
  • Alert on unexpected creation of 'isadmin' files under /var/lib/openvas/users/ directories, as the public exploit achieves privilege escalation by writing this file via shell redirection in the email To/From fields.
  • The vulnerable code path is reachable via cross-site request forgery through the GSA web application; monitor for cross-origin POST requests (missing or foreign Origin/Referer headers) to GSA escalator creation endpoints. A CSRF request carries the victim's session cookie, so it will not look unauthenticated on the server side.
  • The vulnerability is only exploitable by authenticated users of OpenVAS Manager; exploitation without credentials requires chaining with a CSRF attack against a logged-in GSA user.
  • The CSRF vector in the Greenbone Security Assistant web application was NOT patched in the initial fix; only the direct OMP injection was resolved in OpenVAS Manager 1.0.4 and 2.0rc3.
  • The injected commands execute with the privileges of the OpenVAS Manager process, which is typically root, so a low-privileged OpenVAS account gains arbitrary command execution as root on the manager host.
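The following C program is an added example written for this page; it is not code from OpenVAS Manager. It rebuilds the command template quoted in the IOC section above to show exactly what the shell sees when a To address such as the one in the detection bullets is substituted in, then shows the two fixes a reviewer would ask for: an allow-list check on the address fields (the same test the detection bullets describe) and delivery to sendmail via execl plus a pipe instead of a shell command line. The page does not show the call site, so the assumption that the template was handed to a system()-style call is inferred from the template itself; the function names, the "alice" user directory and the sample values are constructed for illustration.

```c
/* Added example, not OpenVAS Manager code. Reconstructs the injection from the
 * sendmail command template quoted on this page and shows two hardened forms.
 * Function names and sample inputs are illustrative. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* The command template quoted in the IOC section, verbatim. The To address is
 * interpolated twice: in the header and as the sendmail recipient argument. */
#define MAIL_CMD_FMT \
    "echo \"To: %s\\nFrom: %s\\nSubject: %s\\n\\n%s\" | /usr/sbin/sendmail %s > /dev/null 2>&1"

/* Vulnerable shape: untrusted fields are formatted into a string destined for a
 * shell. Returns the text the shell would see; it does NOT execute anything.
 * Returns 0 on success, -1 if the buffer is too small. */
int build_mail_command(char *out, size_t outlen, const char *to, const char *from,
                       const char *subject, const char *body)
{
    int n = snprintf(out, outlen, MAIL_CMD_FMT, to, from, subject, body, to);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Fix 1 (also the detection rule above): a mail address never legitimately
 * contains shell metacharacters. Allow-list the characters instead of trying
 * to escape them. A leading '-' is rejected separately because even without a
 * shell it would be parsed by sendmail as an option (argument injection). */
int address_is_safe(const char *addr)
{
    if (addr == NULL || *addr == '\0' || *addr == '-' || strlen(addr) > 254)
        return 0;
    const char *at = strchr(addr, '@');
    if (at == NULL || at == addr || at[1] == '\0' || strchr(at + 1, '@') != NULL)
        return 0;
    for (const char *p = addr; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && strchr("@.-_+", c) == NULL)
            return 0;
    }
    return 1;
}

/* Fix 2: never go through a shell. Give sendmail its argv directly and feed the
 * message over a pipe; metacharacters in the fields are now just bytes in the
 * mail body. Returns sendmail's exit status, or -1 on validation/OS failure.
 * The sendmail path is taken from the IOC section; "-i" (ignore lone dots) is
 * a standard sendmail flag. */
int send_mail_noshell(const char *to, const char *from, const char *subject, const char *body)
{
    if (!address_is_safe(to) || !address_is_safe(from))
        return -1;
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                      /* child: stdin <- pipe, exec sendmail */
        dup2(fds[0], STDIN_FILENO);
        close(fds[0]);
        close(fds[1]);
        execl("/usr/sbin/sendmail", "sendmail", "-i", to, (char *)NULL);
        _exit(127);
    }
    close(fds[0]);
    FILE *msg = fdopen(fds[1], "w");
    if (msg == NULL) {
        close(fds[1]);
        return -1;
    }
    fprintf(msg, "To: %s\nFrom: %s\nSubject: %s\n\n%s\n", to, from, subject, body);
    fclose(msg);                         /* EOF tells sendmail the message is done */
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample: the payload shape from the detection bullets, with a
     * made-up user directory "alice". */
    const char *evil_to = "none@none>/var/lib/openvas/users/alice/isadmin";
    char cmd[512];
    if (build_mail_command(cmd, sizeof cmd, evil_to, "scanner@example.org", "Task done", "ok") == 0)
        printf("shell would run:\n  %s\n", cmd);
    printf("address_is_safe(evil)   = %d\n", address_is_safe(evil_to));
    printf("address_is_safe(benign) = %d\n", address_is_safe("alice@example.org"));
    printf("send_mail_noshell(evil) = %d\n", send_mail_noshell(evil_to, "a@example.org", "s", "b"));
    return 0;
}
```

Running the first part shows the shell receiving `... | /usr/sbin/sendmail none@none>/var/lib/openvas/users/alice/isadmin > /dev/null 2>&1`: the second `>` wins, so the pipeline's output is redirected into the isadmin file and the file gets created as the manager's user. The allow-list rejects that value, a `;id@...` value and a `-bs@...` value alike, while the no-shell path never lets a recipient string reach a shell in the first place.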

CVSS provenance

NVD: CVSS v2.0 9.0 CRITICAL (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Vendor (Red Hat): 7.5 HIGH