CVE-2024-28054
📋 TL;DR
This vulnerability in the Amavis (amavisd-new) email content filter lets an attacker bypass its malware and banned-file checks by sending a message whose Content-Type header carries more than one boundary parameter. Amavis and some mail user agents (MUAs) do not agree on which of the duplicated boundaries governs the multipart body, so the parts Amavis scans are not the parts the recipient's client renders, and an attachment hidden under the other boundary reaches the mailbox unscanned. Any organization running an unpatched Amavis version as its email filter is affected.
💻 Affected Systems
- Amavis (amavisd-new): releases before 2.12.3, and 2.13.0 (fixed in 2.12.3 and 2.13.1; see the vendor advisory under Fix & Mitigation)
⚠️ Manual Verification Required
The upstream version string alone is not conclusive: distributions may ship the fix as a backported patch without changing the package's upstream version, so confirm against your distribution's changelog or security advisory as well.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Malware or banned files bypass email filtering entirely, leading to successful malware distribution, data exfiltration, or ransomware deployment through email channels.
Likely Case
Attackers successfully deliver malicious attachments or content that would normally be blocked, increasing malware infection risk and potential data breaches.
If Mitigated
Where a second, independently parsed scanning layer exists (an MTA-level attachment type block, another gateway scanner, or endpoint anti-malware), the hidden part is still likely to be caught downstream, and the impact reduces to a gap in one control rather than a clean bypass.
🎯 Exploit Status
Exploitation requires only that the attacker send a specially crafted message to a recipient behind the filter; no authentication to Amavis or the MTA is needed, and the recipient sees nothing unusual because their client displays the attachment the scanner never examined.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Amavis 2.12.3 or 2.13.1
Vendor Advisory: https://gitlab.com/amavis/amavis/-/raw/v2.13.1/README_FILES/README.CVE-2024-28054
Restart Required: Yes
Instructions:
1. Back up the current Amavis configuration.
2. Update Amavis to 2.12.3 (2.12 branch) or 2.13.1 (2.13 branch) using your distribution's package manager.
3. Restart the Amavis service.
4. Verify that the running daemon reports the new version.
🔧 Temporary Workarounds
Reject or quarantine, upstream of Amavis, any message whose Content-Type header carries more than one boundary parameter
Do this at the MTA before the message reaches Amavis, for example with a Postfix header_checks regexp table (plus mime_header_checks for nested parts) that matches a Content-Type line containing boundary= twice and rejects or holds the message.
Do not use $sa_kill_level_deflt = 999 or @bypass_virus_checks_maps for this: the former only raises the SpamAssassin kill threshold so spam is never rejected, and the latter switches virus scanning off entirely. Neither addresses the boundary ambiguity, and both weaken filtering further.
🧯 If You Can't Patch
- Put an independently parsed filter in front of Amavis (MTA header checks or another gateway product) that rejects or quarantines messages with more than one boundary parameter in a Content-Type header
- Enforce strict attachment policies at a second layer (MIME header checks at the MTA, endpoint anti-malware on the clients) and increase monitoring of what actually reaches mailboxes
🔍 How to Verify
Check if Vulnerable:
Print the installed Amavis version. The daemon reports its version and build date (e.g. amavisd-new-2.12.2 (20230629)); the output contains no word "version", so piping through grep version shows nothing:
amavisd -V
On Debian/Ubuntu the daemon is installed as amavisd-new (amavisd-new -V) and the package can be queried with dpkg -l amavisd-new; on Fedora/RHEL-derived systems the package is named amavis (rpm -q amavis).
Verify Fix Applied:
The version must be 2.12.3 or later on the 2.12 branch, or 2.13.1 or later on the 2.13 branch. Distribution packages may carry the fix as a backport under an older upstream version string, so check the package changelog or your distribution's advisory (the Fedora announcements in the references are examples). Then send a test message with two boundary parameters and a banned attachment hidden under one of them through the gateway, and confirm the attachment is caught rather than delivered.
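To make the interpretation conflict described in the TL;DR concrete, and to give the verification step above a ready-made test message, here is an added Python example. It is not Amavis code and not from the vendor advisory; the messages are constructed samples. This page does not say which of the two boundaries Amavis or a given MUA honours, so the example takes no side: it shows both readings of the same body and flags the header as ambiguous, which is also the check an upstream filter would implement.

```python
"""MIME boundary ambiguity of the CVE-2024-28054 kind, demonstrated in Python.

A multipart Content-Type header that carries two boundary parameters has
two valid readings.  A parser honouring one boundary sees only harmless
text; a parser honouring the other sees an attachment.  If the scanner
and the recipient's mail client disagree, the attachment is never scanned.
"""
import re
from email.parser import HeaderParser

# Constructed sample message, not a real capture.  The base64 line is the
# first bytes of an ordinary DOS/PE "MZ" header, harmless on its own.
AMBIGUOUS_MESSAGE = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="first"; boundary="second"

--first
Content-Type: text/plain; charset=us-ascii

Please find the report attached.
--first--
--second
Content-Type: application/octet-stream; name="report.exe"
Content-Disposition: attachment; filename="report.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--second--
"""

# Constructed negative case: a single boundary, nothing hidden.
CLEAN_MESSAGE = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="only"

--only
Content-Type: text/plain; charset=us-ascii

Just text.
--only--
"""

BOUNDARY_RE = re.compile(r'boundary\s*=\s*"?([^";\s]+)"?', re.IGNORECASE)
FILENAME_RE = re.compile(r'filename\s*=\s*"?([^";\s]+)"?', re.IGNORECASE)


def boundary_params(content_type: str) -> list:
    """Every boundary parameter value in a Content-Type header, in order."""
    return BOUNDARY_RE.findall(content_type)


def parts_under(body: str, boundary: str) -> list:
    """Split a multipart body at one boundary using RFC 2046 delimiters.

    Text before the first delimiter (preamble) and after the closing
    delimiter (epilogue) is dropped, exactly as a MIME parser does.  That
    is why the other boundary's parts vanish from this reading.
    """
    delimiter = "--" + boundary
    parts, current = [], None
    for line in body.splitlines():
        stripped = line.rstrip()
        if stripped == delimiter + "--":      # closing delimiter ends the body
            if current is not None:
                parts.append("\n".join(current))
            break
        if stripped == delimiter:             # delimiter starts a new part
            if current is not None:
                parts.append("\n".join(current))
            current = []
            continue
        if current is not None:
            current.append(line)
    return parts


def attachment_names(part: str) -> list:
    """Filenames declared in a part's own headers (text before its blank line)."""
    part_headers = part.split("\n\n", 1)[0]
    return FILENAME_RE.findall(part_headers)


def analyse(raw_message: str) -> dict:
    """Report every boundary reading of a message and what each one exposes."""
    msg = HeaderParser().parsestr(raw_message)   # headers parsed, body kept raw
    boundaries = boundary_params(msg.get("Content-Type", ""))
    body = msg.get_payload()
    views = {}
    for b in boundaries:
        names = []
        for part in parts_under(body, b):
            names.extend(attachment_names(part))
        views[b] = names
    return {
        "ambiguous": len(set(boundaries)) > 1,
        "boundaries": boundaries,
        "attachments_by_boundary": views,
    }


def is_ambiguous(raw_message: str) -> bool:
    """Gateway-side check: a filter in front of Amavis rejects when this is True."""
    return analyse(raw_message)["ambiguous"]


if __name__ == "__main__":
    for label, raw in (("ambiguous", AMBIGUOUS_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, analyse(raw))
```

For the ambiguous sample, the "first" reading contains only a text part while the "second" reading contains report.exe, so whichever side the scanner takes, a client taking the other side shows content the scanner never saw. To turn it into a gateway test, write AMBIGUOUS_MESSAGE to a file, submit it through your MTA (sendmail -t reads the recipient from the headers), and confirm that a patched Amavis catches the hidden attachment; is_ambiguous is the check an upstream filter would apply before the message reaches Amavis at all.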
📡 Detection & Monitoring
Log Indicators:
- Content-Type headers containing more than one boundary parameter (visible only where full message headers are logged or captured; Amavis does not record them at default log levels)
- Messages that Amavis logged as Passed CLEAN whose delivered copy carries an executable or otherwise banned attachment
- Banned-file or malware detections in endpoint anti-malware on attachments that arrived by email
Network Indicators:
- Inbound messages whose top-level or nested Content-Type headers carry duplicate boundary parameters
- Attachment types your policy bans reaching mailboxes despite passing the gateway
SIEM Query:
source="amavis" AND (("boundary" NEAR/2 "boundary") OR "Content-Type.*boundary.*boundary")
This only returns hits from a source that records Content-Type header values, which stock Amavis logging does not at default log levels; run the duplicate-boundary match against an MTA with header logging enabled, or against captured mail, rather than the Amavis log alone.
🔗 References
- https://gitlab.com/amavis/amavis/-/issues/112
- https://gitlab.com/amavis/amavis/-/raw/v2.13.1/README_FILES/README.CVE-2024-28054
- https://lists.amavis.org/pipermail/amavis-users/2024-March/006811.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6J2MK2CS3KNJOS66QLW2MBJ4PIDLWJP5/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CDF6M3UXP45INVSWB4HXEDZH35CVZIJ4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XQQQQPTZ5JHXTUCYUXZHY6RZJ6VOGOAJ/
- https://metacpan.org/pod/MIME::Tools
- https://www.amavis.org/release-notes.txt