⚠️ CVE-2023-34108 : Manipulation of Internal Dovecot Variables in mailcow via crafted Passwords ⚠️
Moohoo everyone!
As announced in the last blog entry (dated 30.05.2023), here is the detailed CVE for security patch 2023-05a.
If you have not yet updated, you should do so as soon as possible, because an exploit is now publicly available on the Internet that could be used by authenticated users on your mail server.
Impact
On May 30, 2023, a vulnerability was discovered in mailcow. The vulnerability allows an attacker to manipulate internal Dovecot variables by using specially crafted passwords during the authentication process.
The issue arises from the behavior of the passwd-verify.lua script, which is used during login. Upon a successful login, the script returns a response in the format of password=, indicating the successful authentication.
By crafting a password with additional key-value pairs appended to it, an attacker can manipulate the returned string and influence the internal behavior of Dovecot. For example, using the password 123 mail_crypt_save_version=0 would cause the passwd-verify.lua script to return the string password=123 mail_crypt_save_version=0. Consequently, Dovecot will interpret this string and set the internal variables accordingly, leading to unintended consequences.
An attacker who changes their password to such a payload can then exploit the vulnerability during the login process using that specially crafted password. Successful exploitation could result in unauthorized access to user accounts, bypassing security controls, or other malicious activities.
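The field injection described above, as an added Python example (not mailcow or Dovecot code). It assumes a simplified consumer that splits the response on whitespace into key=value fields; all function names are hypothetical, and refusing separator characters is one blunt defensive check, not the fix shipped in 2023-05a.

```python
import re


def build_response_unsafe(password: str) -> str:
    """Mirrors the behaviour described in the text: the password is pasted in as-is."""
    return "password=" + password


def parse_fields(response: str) -> dict:
    """Assumed model of the consumer: whitespace-separated key=value fields."""
    fields = {}
    for token in response.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


# Whitespace or control characters inside the value would start a new field.
_FIELD_BREAKERS = re.compile(r"[\s\x00-\x1f\x7f]")


def build_response_checked(password: str) -> str:
    """Refuse to serialise a value that cannot be carried as a single field."""
    if _FIELD_BREAKERS.search(password):
        raise ValueError("password contains a field separator")
    return "password=" + password


def injected_keys(password: str) -> list:
    """Keys other than 'password' that the unsafe response would carry."""
    fields = parse_fields(build_response_unsafe(password))
    return sorted(k for k in fields if k != "password")


if __name__ == "__main__":
    crafted = "123 mail_crypt_save_version=0"  # the example password from the text
    print(parse_fields(build_response_unsafe(crafted)))
    print("extra fields:", injected_keys(crafted))
    try:
        build_response_checked(crafted)
    except ValueError as exc:
        print("rejected:", exc)
```

The same `injected_keys` check can be run over any value that is about to be concatenated into a key=value response, which makes it usable as a regression test for this class of bug.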
What has been done about this vulnerability?
On the same day, a hotfix (2023-05a) was released to fix the vulnerability.
This means that it is no longer possible to exploit this vulnerability.
Affected Versions
Basically everything before the 2023-05a update.
The impacted file passwd-verify.lua has been in mailcow: dockerized code for almost 3 years.
Workaround (if any)
In short: NONE!
There is no workaround for this problem because every user can change and set their own password, and this function cannot be restricted by an ACL.
In general, we recommend updating the mail system on a regular basis. Updates are very important in the IT world and protect against vulnerabilities like this.
References
We thank the finder of this exploit and refer to his reference:
https://github.com/VladimirBorisov/CVE_proposal/blob/main/MailcowUserPassword.md
For further inquiries about this CVE, please do not hesitate to contact us at info@servercow.de.
Please make sure that your mail server always has a current patch level!
Stay healthy and happy mailing!
Your mailcow Team
Niklas aka. DerLinkman