MailCleaner Vulnerabilities Allow Remote Code Execution
In a critical security report released on April 29, 2024, the cybersecurity research team at Modzero unveiled a series of severe vulnerabilities in MailCleaner, a widely-used email filtering appliance designed to protect against spam, viruses, and other malicious content. The disclosed vulnerabilities pose significant risks, potentially allowing unauthenticated attackers to execute arbitrary commands and compromise the confidentiality and integrity of any email processed by MailCleaner.
The modzero team, consisting of security experts Michael Imfeld and Pascal Zenker, first attempted to contact MailCleaner and its parent company Alinto AG on March 25, 2024, but received no initial response. After persistent follow-up, communication was established via GitHub on April 2, and by April 23, Alinto AG confirmed that the vulnerabilities had been fixed and that updates had been published on GitHub. Modzero published its comprehensive findings on April 29 in the interest of public awareness and security improvement.
The Vulnerabilities
The security disclosure report details multiple critical vulnerabilities, each with its own potential for exploitation:
- Unauthenticated OS Command Injection via Email (CVE-2024-3191, CVSS 9.8): Attackers can send specially crafted emails that execute arbitrary commands on MailCleaner systems. This flaw enables complete system compromise and interception of emails.
- Unauthenticated Stored XSS in Admin Interface via Email (CVE-2024-3192, CVSS 8.8): This vulnerability allows attackers to inject malicious JavaScript into the MailCleaner admin dashboard, enabling actions like session hijacking and unauthorized administrative operations.
- CSRF-based OS Command Injection (CVE-2024-3193, CVSS 8.8): This flaw allows attackers to remotely execute OS commands through CSRF attacks, leveraging a logged-in administrator’s credentials.
- Reflected XSS on Multiple Endpoints (CVE-2024-3194, CVSS 8.8): Malicious scripts can be executed by tricking a user into clicking a specially crafted link, potentially leading to data theft or unauthorized actions.
- Authenticated Path Traversal on Multiple Endpoints (CVE-2024-3195, CVSS 4.7): This vulnerability enables authenticated attackers to access or create arbitrary files on the host system.
- Unauthenticated OS Command Injection on Local SOAP Endpoints (CVE-2024-3196, CVSS 6.7): This flaw exposes several internal SOAP services to command injection, which could be exploited to gain root access to the system.
Mitigation Strategies
The identified vulnerabilities pose significant risks, primarily because they can be exploited remotely and without authentication in many cases. This makes it imperative for organizations using MailCleaner to apply the provided patches immediately. MailCleaner’s role in filtering incoming email makes it a critical asset in any organization’s cybersecurity framework, and any compromise could lead to sensitive information leaks or unauthorized access to internal networks.
Users of MailCleaner are strongly advised to update their systems to the latest version immediately. Alinto AG has responded promptly with fixes, which have been available on its GitHub repository since April 23. Organizations should also consider conducting regular audits of their cybersecurity measures and training staff on the importance of cybersecurity hygiene.