CVE-2024-3191

9.8 CRITICAL

📋 TL;DR

This critical vulnerability in MailCleaner allows remote attackers to execute arbitrary operating system commands through email handling components. Attackers can potentially take full control of affected systems by injecting malicious commands. All MailCleaner installations up to version 2023.03.14 are vulnerable.

💻 Affected Systems

Products:
  • MailCleaner
Versions: All versions up to and including 2023.03.14
Operating Systems: Linux-based systems where MailCleaner is installed
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. The vulnerability affects the email handling component which processes incoming emails.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands as the MailCleaner service account, potentially leading to data theft, lateral movement, or ransomware deployment.

🟠 Likely Case

Remote code execution leading to mail server compromise, email interception, and potential access to internal network resources.

🟢 If Mitigated

Limited impact where network segmentation and a least-privilege service account are in place, though command execution in the service account's context could still serve as a foothold for privilege escalation.

🌐 Internet-Facing: HIGH - Mail servers are typically internet-facing and this vulnerability can be exploited remotely without authentication.
🏢 Internal Only: MEDIUM - While primarily an internet-facing risk, internal attackers could also exploit this if they can send emails to the server.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details have been publicly disclosed by modzero. The vulnerability is remotely exploitable without authentication and has a simple attack vector.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2023.03.14

Vendor Advisory: https://github.com/MailCleaner/MailCleaner/pull/601

Restart Required: Yes

Instructions:

1. Update MailCleaner to the latest version.
2. Apply the patch from GitHub pull request #601.
3. Restart MailCleaner services.
4. Verify the fix by checking the installed version and testing.

🔧 Temporary Workarounds

Network Segmentation (Linux)

Restrict network access to MailCleaner's SMTP listener to the sources that need it. Replace trusted_networks with your own CIDR ranges; note that on an internet-facing MX the trailing DROP rule also blocks legitimate inbound mail, so this is only practical for instances fed by an upstream relay:

iptables -A INPUT -p tcp --dport 25 -s trusted_networks -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j DROP

Input Validation Filter (all platforms)

Implement WAF or proxy filtering for suspicious email patterns

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate MailCleaner from critical systems
  • Monitor for unusual process execution and command-line arguments in system logs

🔍 How to Verify

Check if Vulnerable:

Check MailCleaner version: grep 'version' /usr/local/mailcleaner/etc/mailcleaner.conf

Verify Fix Applied:

Verify version is newer than 2023.03.14 and check that the patch from PR #601 is applied

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in MailCleaner logs
  • Suspicious process spawning from mailcleaner user
  • Unexpected shell commands in /var/log/mailcleaner/

Network Indicators:

  • Unusual outbound connections from mail server
  • Command and control traffic patterns

SIEM Query (parenthesised so the OR is evaluated before the AND; without the parentheses, AND binds tighter and every sh process would match regardless of parent):

(process.name:sh OR process.name:bash) AND parent.name:mailcleaner*
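The detection logic above run over constructed process-execution events, as an added example that is not part of this advisory. It assumes ECS-style field names (process.name, parent.name, user.name) and made-up sample records; it also shows why the parentheses in the query matter by evaluating the unparenthesised form beside the intended one.

```python
import json

# Constructed sample process-execution events in an ECS-like shape (process.name,
# parent.name, user.name). Made-up records, not real MailCleaner logs.
SAMPLE_EVENTS = [
    '{"@timestamp":"2024-04-01T10:00:01Z","user":{"name":"mailcleaner"},'
    '"process":{"name":"sh"},"parent":{"name":"mailcleaner-filter"}}',
    '{"@timestamp":"2024-04-01T10:00:02Z","user":{"name":"mailcleaner"},'
    '"process":{"name":"bash"},"parent":{"name":"mailcleaner"}}',
    '{"@timestamp":"2024-04-01T10:00:03Z","user":{"name":"root"},'
    '"process":{"name":"sh"},"parent":{"name":"cron"}}',
    '{"@timestamp":"2024-04-01T10:00:04Z","user":{"name":"mailcleaner"},'
    '"process":{"name":"perl"},"parent":{"name":"mailcleaner"}}',
    'not json at all',
]

SHELLS = {"sh", "bash"}

def _names(event):
    """Pull process.name and parent.name out of a nested ECS-style event."""
    proc = event.get("process", {}).get("name", "")
    parent = event.get("parent", {}).get("name", "")
    return proc, parent

def matches_rule(event):
    """(process.name:sh OR process.name:bash) AND parent.name:mailcleaner*"""
    proc, parent = _names(event)
    return proc in SHELLS and parent.startswith("mailcleaner")

def matches_unparenthesised(event):
    """The query without parentheses, as Lucene/KQL evaluates it: AND binds
    tighter than OR, so every sh process matches whatever its parent is."""
    proc, parent = _names(event)
    return proc == "sh" or (proc == "bash" and parent.startswith("mailcleaner"))

def scan(lines, rule=matches_rule):
    """Return (timestamp, user, 'parent -> process') for each event the rule
    matches. Malformed lines are skipped instead of aborting the scan."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rule(event):
            proc, parent = _names(event)
            user = event.get("user", {}).get("name", "")
            hits.append((event.get("@timestamp"), user, f"{parent} -> {proc}"))
    return hits
```

Run against a real feed, the same function would be pointed at exported process events rather than SAMPLE_EVENTS; the cron-spawned sh in the sample shows the false positive the unparenthesised query produces.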
