An argument injection vulnerability can be exploited by manipulating the custom parameters of a SyncJob to execute arbitrary code.
CWE classifies the issue as CWE-78 (OS command injection), and an impact on confidentiality, integrity, and availability is expected.
As a temporary workaround, the SyncJob ACL can be removed from all mailbox users, which prevents them from changing those settings.
For newly created users the ACL for SyncJobs has been removed by default. Admins/Domain-Admins can grant the ACL back to users manually or create the SyncJobs for them.
The SyncJob tool has been secured with a whitelist of allowed commands, which is as follows:
'log',
'showpasswords',
'nossl1',
'nossl2',
'ssl2',
'notls1',
'notls2',
'tls2',
'debugssl',
'sslargs1',
'sslargs2',
'authmech1',
'authmech2',
'authuser1',
'authuser2',
'proxyauth1',
'proxyauth2',
'authmd51',
'authmd52',
'domain1',
'domain2',
'oauthaccesstoken1',
'oauthaccesstoken2',
'oauthdirect1',
'oauthdirect2',
'folder',
'folderrec',
'folderfirst',
'folderlast',
'nomixfolders',
'skipemptyfolders',
'include',
'subfolder1',
'subscribed',
'subscribe',
'prefix1',
'prefix2',
'sep1',
'sep2',
'nofoldersizesatend',
'justfoldersizes',
'pidfile',
'pidfilelocking',
'nolog',
'logfile',
'logdir',
'debugcrossduplicates',
'disarmreadreceipts',
'truncmess',
'synclabels',
'resynclabels',
'resyncflags',
'noresyncflags',
'filterbuggyflags',
'expunge1',
'noexpunge1',
'delete1emptyfolders',
'delete2folders',
'noexpunge2',
'nouidexpunge2',
'syncinternaldates',
'idatefromheader',
'maxsize',
'minsize',
'minage',
'search',
'search1',
'search2',
'noabletosearch',
'noabletosearch1',
'noabletosearch2',
'maxlinelength',
'useheader',
'syncduplicates',
'usecache',
'nousecache',
'useuid',
'syncacls',
'nosyncacls',
'debug',
'debugfolders',
'debugcontent',
'debugflags',
'debugimap1',
'debugimap2',
'debugimap',
'debugmemory',
'errorsmax',
'tests',
'testslive',
'testslive6',
'gmail1',
'gmail2',
'office1',
'office2',
'exchange1',
'exchange2',
'domino1',
'domino2',
'keepalive1',
'keepalive2',
'maxmessagespersecond',
'maxbytesafter',
'maxsleep',
'abort',
'exitwhenover',
'noid',
'justconnect',
'justlogin',
'justfolders'
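As an added illustration (not mailcow's own PHP code and not imapsync's), the following Python shows how an allowlist like the one above can be enforced on the free-text custom parameters before they reach imapsync: each option name is checked against the list, option values are restricted to a conservative character set (a choice made for this example, not something the advisory specifies), and the result is handed to the process as an argv list rather than as a shell string, so nothing in the field is ever re-parsed by a shell. The option list is the one printed above; the hostnames, usernames and sample parameter strings are constructed for the example.

```python
import re
import shlex

# Allowlisted imapsync option names, taken from the whitelist above.
# Any option not in this set is refused.
ALLOWED_OPTIONS = frozenset("""
log showpasswords nossl1 nossl2 ssl2 notls1 notls2 tls2 debugssl sslargs1 sslargs2
authmech1 authmech2 authuser1 authuser2 proxyauth1 proxyauth2 authmd51 authmd52
domain1 domain2 oauthaccesstoken1 oauthaccesstoken2 oauthdirect1 oauthdirect2
folder folderrec folderfirst folderlast nomixfolders skipemptyfolders include
subfolder1 subscribed subscribe prefix1 prefix2 sep1 sep2 nofoldersizesatend
justfoldersizes pidfile pidfilelocking nolog logfile logdir debugcrossduplicates
disarmreadreceipts truncmess synclabels resynclabels resyncflags noresyncflags
filterbuggyflags expunge1 noexpunge1 delete1emptyfolders delete2folders noexpunge2
nouidexpunge2 syncinternaldates idatefromheader maxsize minsize minage search
search1 search2 noabletosearch noabletosearch1 noabletosearch2 maxlinelength
useheader syncduplicates usecache nousecache useuid syncacls nosyncacls debug
debugfolders debugcontent debugflags debugimap1 debugimap2 debugimap debugmemory
errorsmax tests testslive testslive6 gmail1 gmail2 office1 office2 exchange1
exchange2 domino1 domino2 keepalive1 keepalive2 maxmessagespersecond maxbytesafter
maxsleep abort exitwhenover noid justconnect justlogin justfolders
""".split())

# Conservative character set for option values (an assumption of this example:
# imapsync accepts more, but anything outside this set is refused here as
# defence in depth, since options such as logfile or sslargs1 take free text).
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_.@:/+=%,\- ]+$")


def validate_custom_params(raw: str) -> list[str]:
    """Turn the free-text custom-parameter field into a checked argv fragment.

    Raises ValueError on unbalanced quoting, on any option that is not in
    ALLOWED_OPTIONS, and on any value outside SAFE_VALUE. Both
    '--maxsize 1000' and '--maxsize=1000' are accepted and normalised to
    two argv entries; a bare '-' or '--' is refused.
    """
    try:
        tokens = shlex.split(raw)
    except ValueError as exc:
        raise ValueError(f"unbalanced quoting in custom parameters: {exc}") from exc

    argv: list[str] = []
    for tok in tokens:
        if tok.startswith("-"):
            # Option token: strip leading dashes, split off an inline '=value'.
            name, sep, inline_value = tok.lstrip("-").partition("=")
            if name not in ALLOWED_OPTIONS:
                raise ValueError(f"option not allowed: {tok!r}")
            argv.append("--" + name)
            if sep:
                if not SAFE_VALUE.fullmatch(inline_value):
                    raise ValueError(f"unsafe value for --{name}: {inline_value!r}")
                argv.append(inline_value)
        else:
            # Value token (negative numbers would look like options and are refused).
            if not SAFE_VALUE.fullmatch(tok):
                raise ValueError(f"unsafe value: {tok!r}")
            argv.append(tok)
    return argv


def is_accepted(raw: str) -> bool:
    """Convenience predicate: True if the field passes validation."""
    try:
        validate_custom_params(raw)
    except ValueError:
        return False
    return True


def build_imapsync_argv(host1: str, user1: str, host2: str, user2: str, raw_custom: str) -> list[str]:
    """Assemble the full argv list for imapsync.

    Returning a list (to be passed to subprocess.run without shell=True)
    means the custom parameters are delivered as discrete arguments and
    never interpreted by /bin/sh.
    """
    return ["imapsync", "--host1", host1, "--user1", user1,
            "--host2", host2, "--user2", user2] + validate_custom_params(raw_custom)


if __name__ == "__main__":
    # Constructed sample inputs: one accepted, two refused.
    print(build_imapsync_argv("imap1.example.test", "alice", "imap2.example.test",
                              "alice", "--debug --maxsize 1000 --folder INBOX"))
    for bad in ("--notanoption", "--folder 'INBOX; id'"):
        print(bad, "->", "accepted" if is_accepted(bad) else "refused")
```

The allowlist gates option names only; the value check and the argv-list invocation are what stop a value for an allowlisted option from carrying shell metacharacters or extra arguments, which is why both are kept even though the name check alone would already block every option outside the list.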
Solution
Update your mailcow instance with the update.sh script in the mailcow root directory to 2022-06a or newer. You can check your version after the update in two ways:
git describe --tags $(git rev-list --tags --max-count=1)
in your mailcow root directory after you have updated.