
Mailcow Mail Server Vulnerability Allows Attackers to Execute Remote Code


The recent discovery of two critical vulnerabilities (CVE-2024-31204 and CVE-2024-30270) in Mailcow versions prior to 2024-04 has raised concerns about potential security breaches. These vulnerabilities allow attackers to execute arbitrary code on the server, posing a significant risk to organizations using Mailcow for their email services.

The vulnerabilities can be exploited by sending a specially crafted email to an administrator. When the administrator views the email while logged into the admin panel, the attacker's injected script runs in the administrator's browser session and can be used to gain complete control of the server. This can have serious consequences, as unauthorized access to a server can lead to data breaches, system malfunctions, and other security threats.

The root cause of these vulnerabilities lies in the way Mailcow’s admin panel processes error messages. The custom exception handler used by the panel stores error messages in the user session without proper sanitization. This lack of sanitization allows attackers to inject malicious scripts through error messages, leading to potential breaches in the system’s security.

CVE-2024-31204 is an XSS vulnerability in Mailcow’s admin panel that stems from the improper escaping of HTML entities in the jQuery-based notification library. Attackers can exploit this vulnerability by controlling the content of an exception being raised, thereby injecting malicious scripts into the system. This can result in unauthorized access to sensitive data and compromise the integrity of the server.

The second flaw, CVE-2024-30270, discovered by SonarCloud, is in Mailcow's rspamd_maps function. It allows attackers to overwrite arbitrary files by crafting a path traversal payload. While the vulnerability cannot be used to create new files, attackers can still overwrite existing PHP files with malicious code, potentially compromising the server.

To address these vulnerabilities, Mailcow maintainers have taken steps to enhance the security of the system. For the XSS vulnerability (CVE-2024-31204), they have encoded all HTML special characters in exception details before rendering them in the template. Additionally, for the file path vulnerability (CVE-2024-30270), they have strengthened the validation logic to ensure only allowed map types are used, thereby reducing the risk of unauthorized file overwrites.
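The two fixes described above, modelled as an added example in Python (this is not Mailcow's own PHP code). It shows the unsafe pattern next to the hardened one for both issues: an exception handler that stores error text in the session and a renderer that must HTML-encode it before it reaches the notification markup, and a map-type parameter that is used to build a file path and must be checked against an allow-list and confined to its base directory. The base directory, map names and sample inputs are constructed for the demonstration.

```python
"""Hardening patterns from the Mailcow advisory, modelled in Python.

Constructed example, not Mailcow code. Part (1) covers exception text
rendered into a notification; part (2) covers a map-type parameter
used to build a path under the rspamd configuration directory.
"""
import html
import os

# --- (1) exception details rendered into a notification ------------------

def store_exception(session: dict, exc: Exception) -> None:
    """Custom exception handler: keep the message for the next page view.
    Storing it is fine; the defect is rendering it without encoding."""
    session.setdefault("notifications", []).append(str(exc))

NOTIFICATION_TEMPLATE = '<div class="alert alert-danger">{msg}</div>'

def render_notifications_unsafe(session: dict) -> str:
    """Vulnerable pattern: exception text that an attacker may control is
    inserted into the page verbatim, so any markup in it is rendered."""
    return "".join(NOTIFICATION_TEMPLATE.format(msg=m)
                   for m in session.get("notifications", []))

def render_notifications_safe(session: dict) -> str:
    """Fixed pattern: every HTML special character in the exception
    details is encoded before the template is filled. quote=True also
    encodes quotes, so the text is safe inside attribute values too."""
    return "".join(NOTIFICATION_TEMPLATE.format(msg=html.escape(m, quote=True))
                   for m in session.get("notifications", []))

# --- (2) map type used to build a path under the rspamd config dir ------

RSPAMD_MAP_DIR = "/etc/rspamd/custom"        # assumed base directory
ALLOWED_MAP_TYPES = frozenset({              # assumed allow-list of map names
    "global_rcpt_blacklist", "global_rcpt_whitelist",
    "global_from_blacklist", "global_from_whitelist",
})

def map_path_unsafe(map_type: str, base: str = RSPAMD_MAP_DIR) -> str:
    """Vulnerable pattern: the request parameter is concatenated straight
    into the path, so '../' segments walk out of the map directory."""
    return os.path.normpath(os.path.join(base, map_type + ".map"))

def escapes_base(path: str, base: str = RSPAMD_MAP_DIR) -> bool:
    """True if the normalised path lies outside the base directory."""
    base_norm = os.path.normpath(base)
    return os.path.commonpath([base_norm, os.path.normpath(path)]) != base_norm

def map_path_safe(map_type: str, base: str = RSPAMD_MAP_DIR) -> str:
    """Fixed pattern: only known map types are accepted, and the resolved
    path must still sit inside the base directory. Raises ValueError
    otherwise, so callers can never write outside the map directory."""
    if map_type not in ALLOWED_MAP_TYPES:
        raise ValueError(f"unknown map type: {map_type!r}")
    candidate = os.path.normpath(os.path.join(base, map_type + ".map"))
    if escapes_base(candidate, base):
        raise ValueError("resolved path leaves the map directory")
    return candidate

if __name__ == "__main__":
    session = {}
    store_exception(session, RuntimeError("<b>quota</b> exceeded"))  # constructed message
    print(render_notifications_unsafe(session))   # markup is rendered
    print(render_notifications_safe(session))     # markup is shown as text
    print(map_path_unsafe("../../outside"))       # constructed traversal input
    try:
        map_path_safe("../../outside")
    except ValueError as err:
        print("rejected:", err)
```

The allow-list alone already blocks traversal here, since a name containing `/` or `..` can never match an allowed map type; the containment check is kept as defence in depth so that a later change to the allow-list cannot silently reopen the path.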

Furthermore, Mailcow has implemented new security measures to prevent similar attacks in the future. They have added checks to differentiate between API requests and normal web requests by examining specific headers sent by browsers, such as the Referer header and the Sec-Fetch-Dest header. These proactive measures aim to bolster the system’s defenses against potential security threats and safeguard sensitive data from unauthorized access.
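The header-based distinction between API requests and ordinary web requests, as an added Python example (not Mailcow's code). The header names are the two the article names, Referer and Sec-Fetch-Dest; the policy that an API endpoint refuses browser-originated requests and requires an API key is an assumption, and the sample requests are constructed.

```python
"""Classifying requests as browser-originated or programmatic by fetch
metadata. Constructed example modelled on the check the advisory
describes; the authorization policy is an assumption, not Mailcow's."""

BROWSER_MARKERS = ("referer", "sec-fetch-dest")

def _normalise(headers: dict) -> dict:
    """HTTP header names are case-insensitive; compare them lower-cased."""
    return {k.lower(): v for k, v in headers.items()}

def is_browser_request(headers: dict) -> bool:
    """True if the request carries a header a browser adds on its own.
    Sec-Fetch-Dest is attached by modern browsers to every request and
    page script cannot set or strip it (it is a forbidden header name).
    Referer is weaker, since a referrer policy can suppress it, but its
    presence still marks a browser. Programmatic clients send neither."""
    h = _normalise(headers)
    return any(name in h for name in BROWSER_MARKERS)

def authorize_api_call(headers: dict, valid_api_keys) -> tuple:
    """Assumed policy: the API accepts only non-browser requests that
    present a valid X-API-Key. A browser-originated call, even one that
    rides a logged-in admin session cookie, is refused, so script running
    in the admin panel cannot drive the API with the admin's session."""
    h = _normalise(headers)
    if is_browser_request(h):
        return False, "browser-originated request refused on API endpoint"
    key = h.get("x-api-key")
    if key is None or key not in valid_api_keys:
        return False, "missing or invalid API key"
    return True, "ok"

# Constructed sample requests, as a framework would expose their headers
SAMPLE_REQUESTS = {
    "cli_client": {"X-API-Key": "demo-key-1", "User-Agent": "curl/8.0"},
    "admin_tab":  {"Cookie": "PHPSESSID=abc", "Referer": "https://mail.example/admin",
                   "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors"},
    "no_key":     {"User-Agent": "python-requests/2.31"},
}
VALID_KEYS = frozenset({"demo-key-1"})   # constructed key material

def evaluate_samples(valid_api_keys=VALID_KEYS) -> dict:
    """Return name -> allowed for each constructed request."""
    return {name: authorize_api_call(h, valid_api_keys)[0]
            for name, h in SAMPLE_REQUESTS.items()}

if __name__ == "__main__":
    for name, h in SAMPLE_REQUESTS.items():
        ok, why = authorize_api_call(h, VALID_KEYS)
        print(f"{name:11s} allowed={ok} ({why})")
```

The check is a classifier, not an authenticator: its value is that a request which a browser made on a logged-in administrator's behalf can be told apart from a deliberate API call, so the API key stays the only credential the API honours.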

In conclusion, the discovery of critical vulnerabilities in Mailcow underscores the importance of robust cybersecurity measures to protect against potential threats. By addressing these vulnerabilities and implementing enhanced security protocols, organizations can mitigate the risk of security breaches and ensure the confidentiality and integrity of their data.
