SonarSource recently identified two security vulnerabilities in the Mailcow open-source mail server suite, tracked as CVE-2024-30270 and CVE-2024-31204 [2] [4] [6] [8].

Description

These vulnerabilities, rated moderate severity [1], affect all versions of the software released before version 2024-04 [1], which was made available on April 4, 2024. CVE-2024-30270 is a path traversal vulnerability in the “rspamd_maps()” function [1] [3] [6] that lets attackers overwrite files as the “www-data” user and go on to execute arbitrary commands on the server [3]. CVE-2024-31204 [1] [2] [3] [4] [6] [7] [8], on the other hand, is a cross-site scripting (XSS) vulnerability in the exception handling mechanism used when the server is not running in DEVMODE [1] [3] [6]. Furthermore, SonarSource researchers uncovered an additional vulnerability: exception details are stored without proper sanitization or encryption and are later converted to HTML, so that they execute as JavaScript in the user’s browser [5]. Exploiting these vulnerabilities could enable attackers to take over accounts [1], access sensitive data [1] [2] [4], and execute commands on vulnerable Mailcow instances [2] [4].
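As an added illustration of the two bug classes described above (this is example code, not Mailcow's own rspamd_maps() or exception-handling code, and not SonarSource's), the following shows the defensive checks that close them: confining a request-supplied map file name to its base directory, and HTML-escaping exception text before it reaches the browser. The base directory path and the sample messages are constructed for the demo.

```python
import html
import os


def resolve_map_path(base_dir: str, requested: str) -> str:
    """Return the absolute on-disk path for a requested map file name.

    Defensive pattern for the path-traversal class, not Mailcow's code.
    The request-supplied name is joined to base_dir, canonicalised
    (collapsing '..' and resolving any symlinks that exist), and rejected
    unless the result is still strictly inside base_dir.
    """
    if not requested or "\x00" in requested:
        raise ValueError("empty or NUL-containing map name")
    base = os.path.realpath(base_dir)
    # os.path.join discards base when 'requested' is absolute, so a request
    # such as /etc/passwd ends up outside base and fails the containment test.
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath compares whole path components, so a sibling directory that
    # merely shares base as a string prefix is also rejected.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"map name escapes base directory: {requested!r}")
    return candidate


def is_safe_map_name(base_dir: str, requested: str) -> bool:
    """True if resolve_map_path would accept the name, False otherwise."""
    try:
        resolve_map_path(base_dir, requested)
        return True
    except ValueError:
        return False


def render_exception(message: str) -> str:
    """Wrap exception text for display with HTML-significant characters escaped.

    Addresses the XSS class: stored exception detail is emitted as text,
    never as markup, so it cannot run as JavaScript in the browser.
    """
    return "<pre>" + html.escape(message, quote=True) + "</pre>"


if __name__ == "__main__":
    base = "/srv/example-rspamd-maps"  # constructed path for the demo
    for name in ["custom.map", "sub/../custom.map", "../../etc/passwd", "/etc/passwd"]:
        verdict = "accepted" if is_safe_map_name(base, name) else "rejected"
        print(f"{name!r:22} -> {verdict}")
    print(render_exception('map upload failed: <script>alert("x")</script>'))
```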

Conclusion

To mitigate these security risks, it is imperative for Mailcow users to update their software to version 2024-04 or later. Failure to do so could result in unauthorized access, data breaches, and potential compromise of the server’s integrity. Stay vigilant and prioritize software updates to safeguard against these vulnerabilities.

References

[1] https://islainformatica.com/las-fallas-del-servidor-de-correo-de-mailcow-exponen-a-los-servidores-a-la-ejecucion-remota-de-codigo/
[2] https://thehackernews.com/2024/06/mailcow-mail-server-flaws-expose.html
[3] https://innovatopia.jp/cyber-security/cyber-security-news/32523/
[4] https://vulners.com/thn/THN:87E179F5553CD3044A2DFB67C656F07A
[5] https://www.anti-malware.ru/news/2024-06-19-111332/43594
[6] https://www.redpacketsecurity.com/mailcow-mail-server-flaws-expose-servers-to-remote-code-execution/
[7] https://cybermaterial.com/mailcow-flaws-enable-email-server-takeover/
[8] https://911cyber.app/june-19-2024-cyber-briefing/