CVE-2022-31138
📋 TL;DR
CVE-2022-31138 is an OS command injection vulnerability in the mailcow mail server suite that allows authenticated users to execute arbitrary code by manipulating syncjob parameters. It affects all mailcow-dockerized installations prior to version 2022-06a. Attackers with mailbox access can potentially gain full control of the mail server.
💻 Affected Systems
- mailcow-dockerized
📦 What is this software?
Mailcow by Mailcow
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the mail server allowing attackers to execute arbitrary commands as the mailcow service user, potentially leading to data theft, mail interception, lateral movement, or ransomware deployment.
Likely Case
Authenticated attackers with mailbox access can execute arbitrary commands to steal email data, create backdoors, or disrupt mail services.
If Mitigated
With proper access controls and patching, the risk is limited to authorized users only, reducing the attack surface significantly.
🎯 Exploit Status
Exploit code is publicly available on GitHub. Attack requires authenticated access to a mailbox.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2022-06a
Vendor Advisory: https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-vx9w-h33p-5vhc
Restart Required: Yes
Instructions:
1. Navigate to the mailcow root directory
2. Run: ./update.sh
3. Follow on-screen prompts to update to 2022-06a or newer
4. Restart mailcow services
🔧 Temporary Workarounds
Remove Syncjob ACL
Temporarily remove the Syncjob ACL from all mailbox users so they cannot change the vulnerable parameters.
# Remove the Syncjob ACL from all users
# This requires database access and specific mailcow configuration knowledge
🧯 If You Can't Patch
- Implement strict access controls to limit mailbox access to trusted users only
- Monitor for suspicious parameter modifications in mailcow configuration and logs
🔍 How to Verify
Check if Vulnerable:
Read the installed version: grep MAILCOW_VERSION mailcow.conf
Verify Fix Applied:
The version must be 2022-06a or newer. The pattern below is an allowlist of fixed release prefixes (2022-06a and every later release through 2099), so a match means the fix is present:
grep MAILCOW_VERSION mailcow.conf | grep -E '2022-06[a-z]|2022-(0[7-9]|1[0-2])|202[3-9]|20[3-9][0-9]'
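A version allowlist has to be extended every time a new release ships. The script below is an added example, not part of the advisory or of mailcow itself: it reads MAILCOW_VERSION from mailcow.conf (the location the advisory gives) and compares it against the fixed release by ordering the date-based version strings, so any release at or after 2022-06a passes without maintaining a list. It assumes mailcow versions keep the YYYY-MM form with an optional letter suffix; the path in the usage comment is a placeholder.

```shell
# Added example (not from the advisory): decide whether a mailcow.conf
# MAILCOW_VERSION value is at or above the fixed release 2022-06a.
# mailcow versions are date-based (YYYY-MM, optional letter suffix), so a
# byte-wise string comparison orders them correctly:
# 2022-05 < 2022-06 < 2022-06a < 2022-06b < 2022-07 < 2023-01.
FIXED_VERSION="2022-06a"

# Print the bare MAILCOW_VERSION value from the config file given as $1.
mailcow_version_from_conf() {
    sed -n 's/^MAILCOW_VERSION=//p' "$1" | tr -d '"' | head -n 1
}

# Return 0 if the version string in $1 is fixed (>= 2022-06a), 1 otherwise.
is_fixed_version() {
    v="$1"
    [ -n "$v" ] || return 1
    # The smaller string sorts first; if the fixed version is not first,
    # $v is older than the fix.
    first=$(printf '%s\n%s\n' "$v" "$FIXED_VERSION" | LC_ALL=C sort | head -n 1)
    [ "$first" = "$FIXED_VERSION" ]
}

# Usage: check_mailcow_conf /path/to/mailcow-dockerized/mailcow.conf  (placeholder path)
# Exit status 0 when the installation is fixed, 1 when it is vulnerable.
check_mailcow_conf() {
    v=$(mailcow_version_from_conf "$1")
    if is_fixed_version "$v"; then
        echo "MAILCOW_VERSION=$v: not affected by CVE-2022-31138"
        return 0
    else
        echo "MAILCOW_VERSION=${v:-<missing>}: VULNERABLE, update to 2022-06a or newer"
        return 1
    fi
}
```

A missing or empty MAILCOW_VERSION is treated as vulnerable on purpose: an installation whose version cannot be read should be inspected, not assumed patched.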
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to regexmess, skipmess, regexflag, delete2foldersonly, delete2foldersbutnot, regextrans2, pipemess, or maxlinelengthcmd parameters
- Suspicious command execution in mailcow logs
Network Indicators:
- Unusual outbound connections from mail server
- Suspicious shell commands in mail protocol traffic
SIEM Query:
source="mailcow" AND ("regexmess" OR "skipmess" OR "regexflag" OR "delete2foldersonly" OR "delete2foldersbutnot" OR "regextrans2" OR "pipemess" OR "maxlinelengthcmd")
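The SIEM query above fires on any mention of the parameter names, including legitimate syncjob edits. The following added example (not part of the advisory, and not mailcow's own tooling) narrows that to lines that name one of the listed parameters and also carry a shell command separator or substitution token, which no legitimate imapsync option value needs. The sample log lines are constructed for the example and do not reproduce mailcow's real log format; point the functions at whatever log source records syncjob edits in your deployment.

```shell
# Added example (not part of the advisory): scan log lines for the syncjob
# parameters listed above combined with shell metacharacters that have no
# place in a legitimate imapsync option value. Lines are read from stdin,
# one per line, so any text log can be piped in.
SYNCJOB_PARAMS='regexmess|skipmess|regexflag|delete2foldersonly|delete2foldersbutnot|regextrans2|pipemess|maxlinelengthcmd'
# Command separators and substitution: ';', '&&', '||', backtick, '$('
INJECTION_PATTERN=';|&&|\|\||`|\$\('

# Print every stdin line that names a listed parameter AND carries an
# injection-style token. Exit status 0 if at least one line matched.
flag_suspicious_syncjob_lines() {
    grep -E "($SYNCJOB_PARAMS)" | grep -E "$INJECTION_PATTERN"
}

# Number of suspicious lines in the text passed as the first argument.
suspicious_count() {
    printf '%s\n' "$1" | flag_suspicious_syncjob_lines | wc -l | tr -d ' '
}

# Constructed sample lines (not mailcow's real log format): a benign
# regexmess edit, a benign maxlinelengthcmd edit, an injected pipemess
# value, and an unrelated mailbox edit.
SAMPLE_LOG='2022-06-10T12:00:01 api user=alice@example.test edit/syncjob regexmess=s/foo/bar/
2022-06-10T12:00:02 api user=bob@example.test edit/syncjob maxlinelengthcmd=wc -c
2022-06-10T12:00:03 api user=mallory@example.test edit/syncjob pipemess=cat;echo injected
2022-06-10T12:00:04 api user=carol@example.test edit/mailbox quota=3072'

# Usage: suspicious_count "$SAMPLE_LOG"   -> 1 (only mallory's line)
```

The token list is deliberately short so that regular expressions used in regexmess or regextrans2 (which legitimately contain `$`, `|` and parentheses) do not trip it; if your users never edit those parameters at all, the plain parameter-name query from the advisory is the stricter choice.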
🔗 References
- https://github.com/ly1g3/Mailcow-CVE-2022-31138
- https://github.com/mailcow/mailcow-dockerized/commit/d373164e13a14e058f82c9f1918a5612f375a9f9
- https://github.com/mailcow/mailcow-dockerized/releases/tag/2022-06a
- https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-vx9w-h33p-5vhc