CVE-2024-35187
📋 TL;DR
This vulnerability in Stalwart Mail Server allows an attacker who already has arbitrary code execution as the stalwart-mail user (which includes web interface admins) to escalate privileges to root. This defeats the security isolation normally provided by running services as non-root users. Systems whose admin credentials have been shared or exposed, or that have been compromised through other vulnerabilities, are affected.
💻 Affected Systems
- Stalwart Mail Server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with root access, allowing attackers to install persistent backdoors, access all data, and pivot to other systems.
Likely Case
Attackers who gain initial access through credential theft or other vulnerabilities can achieve full system control, potentially leading to data exfiltration and service disruption.
If Mitigated
With proper access controls and network segmentation, impact could be limited to the mail service itself, though privilege escalation remains possible.
🎯 Exploit Status
Requires initial arbitrary code execution as stalwart-mail user; privilege escalation mechanism is described in advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.8.0
Vendor Advisory: https://github.com/stalwartlabs/mail-server/security/advisories/GHSA-rwp5-f854-ppg6
Restart Required: Yes
Instructions:
1. Back up configuration and data.
2. Stop the Stalwart Mail Server service.
3. Update to version 0.8.0 or later.
4. Restart the service.
5. Verify functionality.
🔧 Temporary Workarounds
Restrict Admin Access
Limit web interface admin access to trusted users only and implement strong authentication.
Network Segmentation
Isolate the mail server from other critical systems to limit lateral movement.
🧯 If You Can't Patch
- Implement strict access controls for web admin interface and monitor for unauthorized access.
- Run Stalwart Mail Server in a container with minimal privileges and no root escalation capabilities.
🔍 How to Verify
Check if Vulnerable:
Check the Stalwart Mail Server version; if it is below 0.8.0, the system is vulnerable.
Check Version:
stalwart-mail --version
Verify Fix Applied:
Confirm the version is 0.8.0 or higher and review the configuration for proper privilege settings.
📡 Detection & Monitoring
Log Indicators:
- Unusual privilege escalation attempts
- Unexpected process execution as root from stalwart-mail user
- Failed authentication attempts to admin interface
Network Indicators:
- Suspicious connections to/from mail server on non-standard ports
- Unexpected outbound traffic from mail server
SIEM Query:
source="stalwart-mail" AND (event_type="privilege_escalation" OR user="root")