CVE-2023-39699

9.8 CRITICAL

📋 TL;DR

IceWarp Mail Server v10.4.5 contains a local file inclusion vulnerability in the /calendar/minimizer/index.php component that allows attackers to read or execute files from the server's local file system. This affects organizations running the vulnerable version of IceWarp Mail Server. The high CVSS score of 9.8 indicates critical severity.

💻 Affected Systems

Products:
  • IceWarp Mail Server
Versions: v10.4.5 (specific version mentioned in CVE)
Operating Systems: Windows, Linux (any running IceWarp)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation of the specified version. All deployments with the vulnerable component accessible are affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise leading to data theft, ransomware deployment, or use as a pivot point into internal networks.

🟠 Likely Case: Sensitive file disclosure (configuration files, credentials, user data) and potential remote code execution.

🟢 If Mitigated: Limited file read access if proper file permissions and web server restrictions are in place.

🌐 Internet-Facing: HIGH - Directly accessible web component with unauthenticated exploitation potential.
🏢 Internal Only: HIGH - Even internal attackers could exploit this to escalate privileges or move laterally.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

LFI vulnerabilities typically have simple exploitation paths. The provided references suggest detailed technical information is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown - check vendor for updates

Vendor Advisory: Not provided in CVE references

Restart Required: Yes

Instructions:

1. Check the IceWarp vendor website for security updates.
2. Apply any available patch for v10.4.5 or upgrade to a fixed version.
3. Restart IceWarp services after patching.

🔧 Temporary Workarounds

Web Server Access Restriction (platform: all)

Block access to the vulnerable /calendar/minimizer/index.php component

# Apache: RewriteRule ^/calendar/minimizer/index\.php - [F,L]
# Nginx: location ~ ^/calendar/minimizer/index\.php { deny all; }

File Permission Restriction (platform: linux/windows)

Restrict web server user permissions to limit file access

# Linux: chmod 750 /path/to/icewarp/webroot
# Windows: icacls "C:\Program Files\IceWarp\web" /deny IUSR:(OI)(CI)(RX)

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the IceWarp server from sensitive systems
  • Deploy a web application firewall (WAF) with LFI protection rules

🔍 How to Verify

Check if Vulnerable:

Test if /calendar/minimizer/index.php accepts file path parameters (e.g., ?file=../../etc/passwd) and returns file contents

Check Version:

# Windows: Check IceWarp About dialog or installation directory
# Linux: /opt/icewarp/version.txt or icewarp --version

Verify Fix Applied:

Retest the vulnerable endpoint after patching or applying workarounds; it should return an error or no file content.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /calendar/minimizer/index.php with suspicious parameters
  • File access patterns from web server process to unexpected directories

Network Indicators:

  • Unusual outbound connections from IceWarp server
  • Traffic patterns suggesting data exfiltration

SIEM Query:

source="web_logs" AND uri="/calendar/minimizer/index.php" AND (param="file" OR param="path" OR param="include")
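
The log indicators and SIEM query above, turned into an offline triage script. This is an added example, not part of the advisory or of IceWarp: it assumes access logs in Combined Log Format, and the sample lines and their parameter names are constructed, since the advisory does not confirm which parameter the component reads.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

ENDPOINT = "/calendar/minimizer/index.php"  # component named in the advisory
# Assumed Combined Log Format: ip - user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')
# Parameter values that look like filesystem paths or stream wrappers.
SUSPICIOUS = re.compile(r'\.\.[/\\]|^[/\\]|^[a-z]:[/\\]|^(?:file|php)://', re.I)

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding (such as %252e) up to `rounds` times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return one finding per request to ENDPOINT with a path-like parameter."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, when, _method, target, status, size = m.groups()
        url = urlsplit(target)
        # Normalise case and repeated slashes before comparing the path.
        path = re.sub(r"/+", "/", decode_fully(url.path)).lower()
        if path != ENDPOINT:
            continue
        for name, raw in parse_qsl(url.query, keep_blank_values=True):
            value = decode_fully(raw)
            if SUSPICIOUS.search(value):
                # served=True: the server answered 200 with a body; triage first.
                findings.append({"ip": ip, "time": when, "param": name,
                                 "value": value, "status": int(status),
                                 "served": status == "200" and size not in ("-", "0")})
                break
    return findings

# Constructed sample lines (documentation IP ranges, invented parameter names).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Aug/2023:10:01:02 +0000] "GET /calendar/minimizer/index.php?script=js/main.js HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Aug/2023:10:03:41 +0000] "GET /calendar/minimizer/index.php?file=../../etc/passwd HTTP/1.1" 200 1843',
    '198.51.100.7 - - [12/Aug/2023:10:03:44 +0000] "GET /Calendar/minimizer/index.php?path=%252e%252e%252f%252e%252e%252fconfig HTTP/1.1" 403 -',
    '192.0.2.10 - - [12/Aug/2023:10:05:00 +0000] "GET /webmail/index.php?file=../x HTTP/1.1" 404 0',
]
```

Matching on the value rather than on a fixed parameter name keeps the check useful when the parameter differs from the ones the SIEM query lists. Access logs do not record POST bodies, so this covers query-string requests only.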
