CVE-2022-31245
📋 TL;DR
CVE-2022-31245 is an OS command injection vulnerability in mailcow email server software that allows authenticated users to execute arbitrary commands with domain admin privileges. Attackers can exploit this by manipulating Sync Jobs parameters to inject commands through the --debug and ---PIPEMESS options. This affects all mailcow installations before version 2022-05d.
💻 Affected Systems
- mailcow-dockerized (all releases before 2022-05d)
📦 What is this software?
mailcow, a Docker-based open-source email server suite, by the mailcow project
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where an attacker gains domain admin privileges, executes arbitrary OS commands, accesses all email data, and potentially pivots to other systems.
Likely Case
Privilege escalation to domain admin allowing email data exfiltration, account takeover, and further lateral movement within the email infrastructure.
If Mitigated
Limited impact with proper network segmentation, minimal user privileges, and monitoring that detects unusual sync job activity.
🎯 Exploit Status
Public exploit code is available on GitHub. Exploitation requires authenticated access but is straightforward once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2022-05d
Vendor Advisory: https://github.com/mailcow/mailcow-dockerized/releases/tag/2022-05d
Restart Required: Yes
Instructions:
1. Back up your mailcow configuration and data.
2. Update to mailcow version 2022-05d or later.
3. Restart all mailcow containers.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Disable Sync Jobs Access
Temporarily restrict or disable access to Sync Jobs functionality for non-admin users:
# Modify mailcow ACLs or user permissions to remove Sync Jobs access
# Review and adjust user roles in the mailcow administration panel
Network Segmentation
Restrict access to the mailcow administration interface to trusted networks only:
# Example iptables rules; replace TRUSTED_NETWORK with your admin network's CIDR
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Implement strict access controls and monitor all authenticated user activity
- Deploy WAF rules to detect and block command injection patterns in Sync Jobs parameters
🔍 How to Verify
Check if Vulnerable:
Check the running mailcow version; any release earlier than 2022-05d is vulnerable:
docker exec $(docker ps -qf name=mailcow-mailcow) cat /etc/mailcow_version
Verify Fix Applied:
Confirm the version is 2022-05d or later. A plain grep cannot order release strings reliably (2022-06a and 2023-01 must also pass), so compare with sort -V instead:
v=$(docker exec $(docker ps -qf name=mailcow-mailcow) cat /etc/mailcow_version | tr -d '\r')
[ "$(printf '%s\n' 2022-05d "$v" | sort -V | head -n 1)" = 2022-05d ] && echo "patched ($v)" || echo "VULNERABLE ($v)"
📡 Detection & Monitoring
Log Indicators:
- Unusual Sync Jobs activity with --debug or ---PIPEMESS parameters
- Multiple failed authentication attempts followed by successful login and Sync Jobs access
- Commands containing shell metacharacters in Sync Jobs logs
Network Indicators:
- Unusual outbound connections from mail server to external IPs
- Large data exfiltration from mail server
SIEM Query:
source="mailcow" AND ("--debug" OR "---PIPEMESS" OR ("sync" AND "job")) AND ("|" OR ";" OR "$" OR "`")
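The log indicators and SIEM query above can also be applied directly to sync job records pulled from mailcow's database or audit log. The following is an added example written for this page, not mailcow project code; it assumes each record exposes the job's custom imapsync parameters in a field named `custom_params` and the acting user in `user` (adjust those names to your log source). The sample records are constructed, not real mailcow output. It flags the two options named in the advisory and the four shell metacharacters from the SIEM query, and rates a record that carries both as the strongest signal, while showing how a legitimate regex such as `'Trash|Spam'` produces only a lower-severity hit.

```python
"""Scan mailcow Sync Job parameter records for CVE-2022-31245 indicators.

Added example, not mailcow project code. Field names `custom_params`,
`user` and `job_id` are assumptions about the log source.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Indicators from the advisory: the imapsync options a vulnerable release let a
# job inject (matched case-insensitively; imapsync's documented spelling is
# --pipemess, the advisory writes ---PIPEMESS, both are accepted here) and the
# shell metacharacters from the SIEM query.
OPTION_PATTERN = re.compile(r"(?<!\S)(--debug|-{2,3}pipemess)(?!\S)", re.IGNORECASE)
METACHAR_PATTERN = re.compile(r"[|;$`]")


@dataclass
class Finding:
    user: str
    job_id: int
    options: List[str] = field(default_factory=list)
    metachars: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Injected option plus a metacharacter is the combination the
        # exploit needs; either alone is worth a look but may be benign
        # (e.g. '|' inside an --exclude regex).
        if self.options and self.metachars:
            return "high"
        return "medium"


def scan_record(record: dict) -> Optional[Finding]:
    """Return a Finding when the record's custom_params carry an indicator."""
    params = record.get("custom_params") or ""
    options = [m.group(1) for m in OPTION_PATTERN.finditer(params)]
    metachars = sorted(set(METACHAR_PATTERN.findall(params)))
    if not options and not metachars:
        return None
    return Finding(record.get("user", "?"), record.get("job_id", -1),
                   options, metachars)


def scan_records(records) -> List[Finding]:
    """Scan an iterable of records and keep only those with indicators."""
    return [f for f in (scan_record(r) for r in records) if f is not None]


# Constructed sample records (not real mailcow data).
SAMPLE_RECORDS = [
    {"user": "alice@example.test", "job_id": 1,
     "custom_params": "--subscribeall --exclude 'Junk'"},
    {"user": "mallory@example.test", "job_id": 2,
     "custom_params": "--debug ---PIPEMESS 'echo test; echo $HOME'"},
    {"user": "bob@example.test", "job_id": 3,
     "custom_params": "--regexmess 's/foo/bar/' --nofoldersizes"},
    {"user": "carol@example.test", "job_id": 4,
     "custom_params": "--timeout1 30 --exclude 'Trash|Spam'"},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"[{f.severity}] job {f.job_id} by {f.user}: "
              f"options={f.options} metachars={f.metachars}")
```

Run on the constructed records, job 2 is reported as high (both an injected option and metacharacters) and job 4 as medium (only a `|`, which here belongs to a folder-exclusion regex); jobs 1 and 3 produce nothing. Feeding the scanner a dump of the real sync job table turns the "Commands containing shell metacharacters in Sync Jobs logs" indicator above into a repeatable check.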