Researchers at Sonar (SonarSource) have discovered critical security vulnerabilities in Mailcow, a popular open-source email server solution, that could have allowed attackers to execute malicious code on vulnerable systems “with a single email viewed by an admin.”
Here are the details of the two issues, which reportedly existed for over three years and affect Mailcow versions before 2024-04.
XSS (Cross-Site Scripting) via Exception Handler (CVE-2024-31204):
The first issue is in Mailcow’s exception-handling mechanism. When Mailcow is not running in DEV_MODE, the handler writes exception details into the admin panel without HTML-encoding them, so an attacker who can trigger an exception with controlled input can inject script into the page (Cross-Site Scripting, XSS). Script running in an administrator’s browser can hijack the session and perform administrative actions on the attacker’s behalf, which is a significant risk for a mail server.
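The following is an added illustration of the bug class described above, written for this page; it is not Mailcow’s code. The handler, alert renderer and the request parameter name are hypothetical. In the real bug, as the article describes it, the message is stored and rendered on the admin’s next page load; the example collapses that into a single request so it can be run from the command line.

```php
<?php
// Added example (not Mailcow's code): an exception message that flows into
// an admin-panel alert, rendered first without escaping, then with escaping.

declare(strict_types=1);

// Hypothetical request handler: validates an object name and throws on
// bad input. The attacker-controlled value ends up in the exception message.
function handle_request(array $params): void
{
    $object = $params['object'] ?? '';
    if (!preg_match('/^[a-z0-9_-]+$/i', $object)) {
        throw new InvalidArgumentException('Unknown object: ' . $object);
    }
}

// Vulnerable rendering: the message is interpolated into HTML verbatim,
// so any markup in it becomes part of the page.
function render_alert_vulnerable(Throwable $e): string
{
    return '<div class="alert alert-danger">' . $e->getMessage() . '</div>';
}

// Hardened rendering: encode for the HTML text context before output.
// ENT_QUOTES also covers attribute contexts; the charset must match the page.
function render_alert_hardened(Throwable $e): string
{
    $safe = htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="alert alert-danger">' . $safe . '</div>';
}

// Constructed payload standing in for the crafted URL in the article's
// background-image trick: a value that will not pass validation but will
// be echoed back inside the exception message.
$params = ['object' => '<img src=x onerror="alert(document.cookie)">'];

try {
    handle_request($params);
} catch (InvalidArgumentException $e) {
    echo "vulnerable:\n", render_alert_vulnerable($e), "\n\n";
    echo "hardened:\n", render_alert_hardened($e), "\n";
}
```

Run with `php xss_demo.php`. The first output contains a live `<img onerror=...>` tag; the second contains `&lt;img src=x onerror=&quot;...&quot;&gt;`, which a browser displays as text. The fix is output encoding at the point of rendering, not input filtering, because the exception message can originate anywhere in the application.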
Path Traversal, Arbitrary File Overwrite (CVE-2024-30270):
The second issue is a path traversal in an admin-panel file-write operation that lets an attacker overwrite any file the web server user can write, including Mailcow’s compiled templates. The compiled template filenames look random but are consistent across all instances of the same Mailcow version, because they are derived deterministically from the original template file, so an attacker can predict them without access to the target. By writing a standard PHP web shell into a compiled template and then requesting the admin panel page that renders it, the attacker gets the shell executed on the server. A single crafted email can carry multiple payload stages that end in arbitrary OS command execution.
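As an added example of the defect described above and its fix, here is a hypothetical map-file write path, written for this page and not taken from Mailcow. The directory names, function names and map-name format are assumptions; the demo uses a temporary directory so it runs anywhere.

```php
<?php
// Added example (not Mailcow's code): joining a request-supplied file name
// to a base directory, first without checks, then confined to that directory.

declare(strict_types=1);

// Vulnerable: the caller's name is appended verbatim, so a name such as
// "../../web/templates/cache/<hash>.php" escapes the intended directory.
function map_path_vulnerable(string $base, string $name): string
{
    return $base . '/' . $name;
}

// Hardened: allow-list the name, then confirm the resolved target still
// lies inside the base directory.
function map_path_hardened(string $base, string $name): string
{
    // Letters, digits, underscore, dash, and at most one ".map" suffix.
    // This rejects "/", "\" and ".." outright rather than trying to strip them.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}(\.map)?$/', $name)) {
        throw new InvalidArgumentException("invalid map name: $name");
    }

    $baseReal = realpath($base);
    if ($baseReal === false || !is_dir($baseReal)) {
        throw new RuntimeException("base directory missing: $base");
    }
    $target = $baseReal . DIRECTORY_SEPARATOR . $name;

    // Defence in depth: if the target already exists (for example as a
    // symlink planted earlier), its resolved path must still be inside base.
    $resolved = realpath($target);
    $prefix   = $baseReal . DIRECTORY_SEPARATOR;
    if ($resolved !== false && strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException("path escapes base directory: $name");
    }
    return $target;
}

// Constructed demo: a temporary base directory and two candidate names.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'maps_demo_' . getmypid();
mkdir($base, 0700, true);

$names = [
    'custom_blocklist.map',                          // legitimate
    '../../web/templates/cache/deadbeef.php',       // traversal attempt
];

foreach ($names as $name) {
    echo "name: $name\n";
    echo "  vulnerable join -> ", map_path_vulnerable($base, $name), "\n";
    try {
        echo "  hardened        -> ", map_path_hardened($base, $name), "\n";
    } catch (Exception $e) {
        echo "  hardened        -> rejected: ", $e->getMessage(), "\n";
    }
}

rmdir($base);
```

The vulnerable join happily produces a path under `web/templates/cache`, which is exactly the write primitive the chain needs; the hardened version rejects the name before any filesystem call. Checking the name against an allow-list is the primary control; the `realpath` comparison only catches targets that already exist, so it cannot replace the allow-list.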
According to SonarSource’s blog post, the two vulnerabilities can be chained, allowing an attacker to take over every account on a Mailcow server, control all data stored on it, and impersonate its users over email.
The attack starts with a malicious email whose HTML references a background image. The image URL points at the Mailcow admin panel and carries the XSS payload; when an administrator views the email while logged in, the browser fetches that URL, which triggers an exception with the attacker-controlled input. The injected script then runs when the administrator next loads the admin panel, uses the administrator’s session to exploit the path traversal, and writes a web shell that gives the attacker arbitrary code execution on the server.
The administrator does not need to click a link in the email or interact with it in any other way; viewing it while logged in and then continuing to use the admin panel is enough.
Vulnerabilities Fixed, Install Patch Now!
Mailcow addressed both vulnerabilities in its 2024-04 “Moopril” update, so patch now to ensure your server is no longer exposed to these exploits. In addition, enable security features such as content filtering and strong password policies, keep Mailcow on the latest release so you receive security fixes promptly, and treat unfamiliar emails, especially those from unknown senders, with caution.