Weaknesses in Mailcow Mail Server Lead to Remote Code Execution on Servers
Two security weaknesses have been disclosed in the Mailcow open-source mail server suite that could allow attackers to execute arbitrary code on vulnerable instances.
Both flaws affect all versions of the software before 2024-04, which was released on April 4, 2024. The issues were responsibly reported by SonarSource on March 22, 2024.
The vulnerabilities, rated as Moderate in severity, are detailed below –
- CVE-2024-30270 (CVSS score: 6.7) – A path traversal flaw in the “rspamd_maps()” function that lets a malicious actor overwrite any file writable by the “www-data” user, which could lead to the execution of arbitrary commands on the server.
- CVE-2024-31204 (CVSS score: 6.8) – An XSS vulnerability in the exception handling mechanism when DEV_MODE is not enabled.
The second flaw stems from the fact that exception details are stored without any sanitization or encoding and are later rendered as HTML, so any script embedded in them executes as JavaScript in the user’s browser.
A malicious actor could therefore inject scripts into the admin panel by triggering exceptions with specially crafted input, hijack the administrator’s session, and perform privileged actions as that administrator.
Combined, the two flaws could allow an attacker to take over accounts on a Mailcow server, access sensitive data, and execute commands.
In a hypothetical attack scenario, an attacker sends an HTML email containing a CSS background image loaded from an external URL, which triggers the XSS payload.
“By merging both vulnerabilities, an attacker can execute arbitrary code on the admin panel server of a vulnerable mailcow instance,” said SonarSource vulnerability analyst Paul Gerste.
“For this to occur, an admin user must view a malicious email while logged into the admin panel. The victim is not required to click a link within the email or take any other interaction with the email; they only need to continue using the admin panel after seeing the email.”
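As an added illustration (not Mailcow’s own code), here are the two defensive checks that the flaws above call for, written in Python: a map-name resolver that keeps every edit confined to the maps directory, and an exception renderer that HTML-encodes the detail at the output boundary instead of storing it unescaped. MAPS_DIR, the function names, and the sample names are assumptions for the demo.

```python
import html
import os
from pathlib import Path

# Hypothetical maps directory for the demo; the article gives no real path.
MAPS_DIR = Path("/tmp/rspamd-maps-demo")


def safe_map_path(base: Path, name: str) -> Path:
    """Resolve a user-supplied map name strictly inside `base`.

    Rejects empty names, directory components, '.'/'..' and symlink escapes
    by comparing the fully resolved candidate against the resolved base.
    """
    base = base.resolve()
    if not name or name in {".", ".."} or os.path.basename(name) != name:
        raise ValueError(f"invalid map name: {name!r}")
    candidate = (base / name).resolve()
    # After resolution the file must sit directly in the maps directory.
    if candidate.parent != base:
        raise ValueError(f"map name escapes maps directory: {name!r}")
    return candidate


def is_safe_map_name(base: Path, name: str) -> bool:
    """Boolean wrapper around safe_map_path() for callers that only gate."""
    try:
        safe_map_path(base, name)
        return True
    except ValueError:
        return False


def render_exception_detail_unsafe(detail: str) -> str:
    """The vulnerable pattern: raw exception text interpolated into HTML."""
    return f'<pre class="exception">{detail}</pre>'


def render_exception_detail(detail: str) -> str:
    """Hardened form: encode at output so markup in the message stays text."""
    return f'<pre class="exception">{html.escape(detail, quote=True)}</pre>'


if __name__ == "__main__":
    print(safe_map_path(MAPS_DIR, "blacklist.map"))
    print(render_exception_detail("<img src=x onerror=alert(1)>"))
```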