CVE-2022-39258 Mailcow is a mailserver suite. An earlier vulnerability allowed an attacker to spoof Authorize links.

This article will detail the mailcow Vulnerability, its exploitation and what one can do to protect themselves. Stay safe! - By installing mailcow on a Linux/Unix-based server, administrators enable users to manage email via the e-mail client of their choice. An attacker can send an e-mail to the recipient’s mailcow mailbox that successfully pushes their e-mail client to forward the e-mail to another e-mail address. This allows attackers to expand their phishing/social engineering campaigns to include an innocent-looking e-mail that appears to come from the recipient. This can be done without the recipient’s consent, giving attackers a high degree of confidence that their messages will be forwarded.

Vulnerability

When mailcow is installed on a Linux/Unix-based server, it enables the use of an e-mail client of your choice. This means that you can install a vulnerable mailcow mailbox and then send an e-mail to the recipient’s mailcow mailbox that successfully pushes their e-mail client to forward the e-mail to another email address. This allows attackers to expand their phishing/social engineering campaigns to include an innocent-looking e-mail that appears to come from the recipient.

Mailcow Vulnerability

A mailcow is a service that allows users to manage email via the e-mail client of their choice. An attacker can send an e-mail to the recipient’s mailcow mailbox that successfully pushes their e-mail client to forward the e-mail to another e-mail address. This provides attackers with a high degree of confidence that their messages will be forwarded.

Vulnerability: Mailcow Remote Code Execution

Mailcow is a popular open source e-mail management tool. The software allows users to manage their email via an e-mail client of their choice, such as Thunderbird or Evolution. Software updates have been released that address the vulnerability.
In order to successfully exploit the vulnerability, an attacker would need to send an e-mail to a mailcow user and the recipient’s e-mail client would be manipulated in some way so it forwards the message to another e-mail address.
The Mailcow developers plan on releasing software updates that will patch this hole as soon as possible.

Background and Assumptions

The vulnerability was publicly disclosed by the author in a GitHub issue on March 16, 2018.
A mailcow user would be vulnerable to the following attack:
1) Attacker sends e-mail to victim’s forwarded mailcow mailbox without their consent.
2) Victim opens e-mail and receives new message from attacker with subject line “Dear [victim], this is an important message from your manager”.
3) Victim clicks on the link included in the e-mail, which will take them to a spoofed website that looks like the real thing.

Timeline

Published on: 09/27/2022 15:15:00 UTC
Last modified on: 09/29/2022 18:29:00 UTC

References

• https://github.com/mailcow/mailcow-dockerized/pull/4766
• https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-vjgf-cp5p-wm45
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39258