CVE-2021-20247
📋 TL;DR
This vulnerability in mbsync (the isync IMAP/Maildir synchronizer) lets a malicious or compromised IMAP server advertise mailbox names containing '..' path components. Before the fix, mbsync used such names when building local paths, so a hostile server could make the client read or write files outside the configured mailbox store, with the privileges of the user running mbsync. This can expose or corrupt data on the client side. Affected: mbsync releases before 1.3.5, and 1.4.0; fixed in 1.3.5 and 1.4.1. Only clients that synchronize with an untrusted or compromised server are exposed.
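The following added example (written for this page, not isync/mbsync project code) shows the mechanism in miniature: it parses IMAP LIST responses a server might send, maps each advertised mailbox name onto a local path the way an unchecked client would, reports which names land outside the store (the same test you would apply when looking for the '..' indicator in the Detection section below), and then applies the component check the fixed versions use. The store path, the LIST responses and the simplified delimiter-to-'/' mapping are assumptions made for the demonstration.

```python
"""Added example (not isync/mbsync project code): how an IMAP mailbox name
supplied by the server is mapped onto a local Maildir path, why a '..'
component lets a hostile server reach outside the configured store, and the
component check the fixed versions (1.3.5 / 1.4.1) apply.  The store path
and the LIST responses below are constructed for the demonstration.
"""
import posixpath
import re

# Assumed local store path for the demonstration.
MAILDIR_ROOT = "/home/alice/Mail/work"

# RFC 3501 LIST response: '* LIST (<flags>) "<delim>" <mailbox>'.
# The mailbox is either a quoted string (with backslash escapes) or an atom.
_LIST_RE = re.compile(
    r'^\* LIST \([^)]*\) (?:"(?P<delim>.)"|NIL) '
    r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<atom>\S+))$'
)


def parse_list_response(line):
    """Return (delimiter, mailbox_name); delimiter is None for NIL."""
    m = _LIST_RE.match(line)
    if not m:
        raise ValueError(f"not a LIST response: {line!r}")
    if m.group("quoted") is not None:
        name = re.sub(r"\\(.)", r"\1", m.group("quoted"))  # drop escapes
    else:
        name = m.group("atom")
    return m.group("delim"), name


def _components(mailbox, delimiter):
    # Simplified mapping assumed here: the server's hierarchy delimiter is
    # rewritten to '/', as it is for Maildir sub-folders on disk.
    if delimiter and delimiter != "/":
        mailbox = mailbox.replace(delimiter, "/")
    return mailbox.split("/")


def local_path_unchecked(root, mailbox, delimiter="/"):
    """Vulnerable mapping: concatenate and normalise, validate nothing."""
    rel = "/".join(_components(mailbox, delimiter))
    return posixpath.normpath(root + "/" + rel)


def has_dotdot_component(mailbox, delimiter="/"):
    """The check the fix adds: a component that is exactly '..' is refused.
    Names such as '..notes' or 'a..b' contain no such component and stay legal."""
    return ".." in _components(mailbox, delimiter)


def escapes_root(root, path):
    """True when a normalised path lies outside root (detection-side check)."""
    root = posixpath.normpath(root)
    return path != root and not path.startswith(root + "/")


def local_path_checked(root, mailbox, delimiter="/"):
    """Hardened mapping: refuse '..' components, then re-verify containment."""
    if has_dotdot_component(mailbox, delimiter):
        raise ValueError(f"mailbox name has a '..' component: {mailbox!r}")
    path = local_path_unchecked(root, mailbox, delimiter)
    if escapes_root(root, path):  # belt and braces
        raise ValueError(f"mailbox name escapes the store: {mailbox!r}")
    return path


# Constructed LIST responses: two benign, two as a hostile server would send.
LIST_RESPONSES = [
    '* LIST (\\HasNoChildren) "/" INBOX',
    '* LIST (\\HasNoChildren) "/" "Archive/2020"',
    '* LIST (\\HasNoChildren) "/" "../../.ssh"',
    '* LIST (\\HasNoChildren) "/" "Archive/../../../etc"',
]


def audit_list_responses(lines, root=MAILDIR_ROOT):
    """Map each advertised mailbox with the vulnerable logic and report
    which ones would land outside the store: [(name, path, escapes)]."""
    findings = []
    for line in lines:
        delim, name = parse_list_response(line)
        path = local_path_unchecked(root, name, delim)
        findings.append((name, path, escapes_root(root, path)))
    return findings


if __name__ == "__main__":
    for name, path, bad in audit_list_responses(LIST_RESPONSES):
        print(f"{'ESCAPES' if bad else 'ok     '}  {name!r:28} -> {path}")
    for name, _, _ in audit_list_responses(LIST_RESPONSES):
        try:
            local_path_checked(MAILDIR_ROOT, name)
        except ValueError as exc:
            print("refused:", exc)
```

Running it prints the two hostile names resolving to /home/alice/.ssh and /home/alice/etc under the unchecked mapping, and the hardened mapping refusing both. Note that the check is on whole path components: a mailbox literally named "..notes" is legitimate and must not be rejected, which is why a naive substring search for ".." is the wrong filter.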
💻 Affected Systems
- mbsync (isync)
📦 What is this software?
Extra Packages For Enterprise Linux by Fedoraproject
Fedora by Fedoraproject
Mbsync by Mbsync Project
⚠️ Risk & Real-World Impact
Worst Case
A compromised or malicious IMAP server can make the client read from and write to paths outside the configured Maildir store, with the privileges of the user running mbsync. That puts the confidentiality and integrity of whatever that user can reach on the client at risk, not just the mailbox being synchronized.
Likely Case
A malicious server reads or modifies messages in other mailbox stores belonging to the same user during a routine synchronization run, without the user noticing anything unusual.
If Mitigated
If mbsync only ever connects to trusted, properly authenticated servers, the risk is low: the flaw is triggered by data the server sends, so an attacker must control the server (or the connection to it) to exploit it.
🎯 Exploit Status
Exploitation requires control of the IMAP server, or the ability to inject responses into the connection. The client initiates the connection, so no inbound access to the client is needed; any scheduled or manual sync against the hostile server suffices.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.5 (1.3 branch) or 1.4.1 (1.4 branch)
Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1928963
Restart Required: No
Instructions:
1. Check the installed version with 'mbsync --version' (it prints a line such as 'isync 1.4.0'; mbsync is shipped in the isync package).
2. Update using your distribution's package manager. Debian/Ubuntu: 'sudo apt update && sudo apt install --only-upgrade isync'. Fedora/EPEL: 'sudo dnf update isync'.
3. Verify with 'mbsync --version' that the reported version is 1.3.5 or later in the 1.3 branch, or 1.4.1 or later.
🔧 Temporary Workarounds
Use only trusted IMAP servers
Restrict mbsync synchronization to known, trusted IMAP servers with proper security controls, and make sure TLS with certificate verification is enabled so an on-path attacker cannot inject responses.
Monitor synchronization logs
mbsync does not keep a log file of its own; capture its verbose output and review it for mailbox names containing '..' components or unexpected sync activity:
mbsync -V -a 2>&1 | tee sync.log
🧯 If You Can't Patch
- Discontinue use of mbsync with untrusted IMAP servers until patched.
- Implement network segmentation to isolate mbsync traffic to trusted servers only.
🔍 How to Verify
Check if Vulnerable:
Run 'mbsync --version'. The build is vulnerable if the reported version is below 1.3.5, or is exactly 1.4.0.
Check Version:
mbsync --version
Verify Fix Applied:
After updating, run 'mbsync --version' and confirm the version is 1.3.5 or later in the 1.3 branch, or 1.4.1 or later.
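The check above is easy to get wrong because the affected range is not a single threshold (1.3.6 would be fixed while 1.4.0 is not). The added example below (written for this page, not project code) parses the 'mbsync --version' output and classifies it; the version strings used for the checks are constructed.

```python
"""Added example (not isync/mbsync project code): decide from the output of
`mbsync --version` whether the installed build falls in the affected range
(every release before 1.3.5, plus 1.4.0).  Version strings are constructed."""
import re
import subprocess

FIXED_13 = (1, 3, 5)   # fix in the 1.3 branch
FIXED_14 = (1, 4, 1)   # fix in the 1.4 branch


def parse_version(output):
    """Extract (major, minor, patch) from text such as 'isync 1.3.4'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError(f"no version number in {output!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(output):
    """True for releases before 1.3.5 and for 1.4.0, the only 1.4.x release
    that predates the 1.4.1 fix; anything at or after 1.4.1 is fixed."""
    v = parse_version(output)
    return v < FIXED_13 or (v[:2] == (1, 4) and v < FIXED_14)


def installed_version_output():
    """Run the real binary; returns None when mbsync is not on PATH."""
    try:
        return subprocess.run(
            ["mbsync", "--version"], capture_output=True, text=True, check=True
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    out = installed_version_output()
    if out is None:
        print("mbsync not found on PATH")
    else:
        verdict = "VULNERABLE (CVE-2021-20247)" if is_vulnerable(out) else "fixed"
        print(f"{out.strip()} -> {verdict}")
```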
📡 Detection & Monitoring
Log Indicators:
- Mailbox names containing a '..' path component in verbose mbsync output or in the server's IMAP LIST responses
- Unexpected file access patterns during sync operations
Network Indicators:
- Synchronization with untrusted or unknown IMAP servers
- Unusual data transfer volumes during sync
SIEM Query:
process.name:"mbsync" AND network.destination.ip:(list_of_untrusted_servers)
🔗 References
- https://bugzilla.redhat.com/show_bug.cgi?id=1928963
- https://lists.debian.org/debian-lts-announce/2022/07/msg00001.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CAXQLCK35QGRCRENRTGKJO4VVZGUXUJJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GVDEBZQJMWDW5JFK4NTHH6DAFNAZTESW/
- https://security.gentoo.org/glsa/202208-15
- https://www.openwall.com/lists/oss-security/2021/02/22/1