CVE-2023-26490

7.3 HIGH

📋 TL;DR

This vulnerability in mailcow's Sync Job feature allows authenticated users who hold a specific permission to execute arbitrary shell commands through command injection in the imapsync Perl script. An attacker can obtain shell access inside the Dovecot Docker container and from there compromise the email system. By default only users who have been granted the Syncjob ACL permission can trigger it.

💻 Affected Systems

Products:
  • mailcow-dockerized
Versions: All versions before 2023-03 update (March 3, 2023)
Operating Systems: Any OS running Docker
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when users are granted the Syncjob ACL permission, which is not included in default mailbox permissions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full compromise of the Dovecot container leading to email data theft, lateral movement to other containers in the bridged network, and persistent backdoor installation.

🟠 Likely Case

Unauthorized shell access to the Dovecot container allowing email data exfiltration and potential privilege escalation within the containerized environment.

🟢 If Mitigated

Limited impact if the Syncjob ACL is properly restricted, since only the users explicitly granted it are able to trigger the vulnerability.

🌐 Internet-Facing: MEDIUM - While exploitation requires authentication, exposed mailcow instances with user accounts could be targeted.
🏢 Internal Only: MEDIUM - Internal attackers with mailbox access and Syncjob permissions could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access and the Syncjob permission. The vulnerability is in publicly available code with clear injection points.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2023-03 update (March 3, 2023)

Vendor Advisory: https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-3j2f-wf52-cjg7

Restart Required: Yes

Instructions:

1. Update mailcow-dockerized to version 2023-03 or later.
2. Run ./update.sh from the mailcow directory.
3. Restart the affected containers.

🔧 Temporary Workarounds

Remove Syncjob ACL

Remove the Syncjob ACL permission from all mailbox users to prevent creation or modification of Syncjobs:

docker-compose exec dovecot-mailcow doveadm acl remove -u <username> INBOX Syncjob

Repeat for every user, or script the command to remove the permission in batch.

🧯 If You Can't Patch

  • Immediately remove the Syncjob ACL from all user accounts using doveadm commands
  • Segment the network to isolate the Dovecot container, and monitor it for suspicious shell activity

🔍 How to Verify

Check if Vulnerable:

1. Check the mailcow version: cat /opt/mailcow-dockerized/VERSION
2. If the version is older than 2023-03, check whether any users have the Syncjob ACL: docker-compose exec dovecot-mailcow doveadm acl get -u *

Check Version:

cat /opt/mailcow-dockerized/VERSION

Verify Fix Applied:

Confirm that the version is 2023-03 or newer and verify that no users still hold the Syncjob ACL permission.

📡 Detection & Monitoring

Log Indicators:

  • Unusual shell commands in Dovecot logs
  • imapsync processes with suspicious arguments
  • Failed or abnormal Syncjob executions

Network Indicators:

  • Unexpected outbound connections from Dovecot container
  • Unusual traffic patterns from imapsync operations

SIEM Query:

source="dovecot" AND ("imapsync" OR "Syncjob") AND (command="*" OR shell="*")
