VIS-202303-386019

HIGH

CVE-2023-26490: Shell Command Injection in Mailcow Sync Job Enables Container Escape

Source: NVD
Published: 2023-03-04
Last Modified: 2024-11-21

Description

CVE-2023-26490 is a classic example of how a seemingly innocuous feature, Mailcow's "Sync Job" capability, which lets end users synchronize mailboxes between servers via the imapsync Perl script, can become a vector for remote code execution when the underlying command-line invocation of OpenSSL is not properly sanitized. In the affected 2023-03 release, the imapsync module constructs a shell command to call `openssl s_client` (or a similar helper) in order to perform XOAUTH2 authentication against the target IMAP server. The command is assembled as a simple concatenation of user-supplied parameters, including the mailbox password, without any escaping or validation. As a result, a malicious user who has been granted the "Sync Job" ACL can inject arbitrary shell syntax into the password field. For example, a password string such as `foo; rm -rf /;` causes the shell to execute `openssl … -password foo` followed by `rm -rf /` inside the dovecot container. Because the dovecot container runs as the root user by default, the injected command gains full container privileges, allowing the attacker to spawn an interactive shell (`/bin/sh` or `/bin/bash`) or execute any other command, including ones that exfiltrate data or pivot to the host.

The vulnerability is therefore a classic shell-command injection that grants remote code execution inside the container, with a CVSS v3.1 base score of 7.3 (High) and local impact on confidentiality, integrity, and availability: the attacker can read or modify mailbox data and potentially compromise the underlying host if container isolation is breached.

From an exploit perspective, the attack flow is straightforward. An attacker first creates a new Mailcow user or uses an existing one, then requests the creation of a sync job via the web UI or API. When configuring the job, the attacker supplies a crafted password containing shell metacharacters. The imapsync script passes this string to the shell unfiltered, and the shell interprets the injected characters and executes the payload. Because the vulnerability is confined to the sync job creation API, any user who can create or edit sync jobs (i.e., any user with the `syncjob` permission) is a potential attacker. By default, newly created accounts do not receive this permission, which is why the issue is considered "local" in terms of privileges; however, an administrator can inadvertently grant the permission and expose the system.

The temporary mitigation, removing the `syncjob` ACL from all mailbox users, effectively blocks the attack vector, but it also disables legitimate sync functionality for all users, which may be unacceptable for some deployments. The long-term fix is to patch the code: pass every argument separately so that no shell is involved (e.g., Perl's list form `system('openssl', 's_client', ...)` or `IPC::Open3` with a list), or better yet, replace the shell invocation with a pure-Perl OpenSSL binding that does not require shell interpolation. Additionally, the script should validate the password against a whitelist of allowed characters or use a proper quoting mechanism (e.g., `quotemeta` or `shellwords`).

The impact assessment extends beyond the container. Once inside the dovecot container, an attacker can read mailbox files, modify IMAP ACLs, or use the container's network stack to reach other services on the host. If the Docker host's socket is mounted inside the container (a common misconfiguration), the attacker could gain root access to the host. Even without that, the attacker can exfiltrate sensitive data over the network or pivot to other containers via the bridged network. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) reflects that the vulnerability is network-accessible, has low attack complexity, needs no user interaction, and has an unchanged scope confined to the container, but the potential damage is amplified by the container's privileges.

For security researchers and senior engineers, the key takeaways are:
(1) audit any code path that builds shell commands from user input, especially in containerized environments where the container may run as root;
(2) enforce least-privilege ACLs and do not grant sync job creation rights to untrusted users;
(3) apply the 2023-03 patch immediately or, if unavailable, remove the `syncjob` ACL as a temporary workaround;
(4) monitor container logs for anomalous `openssl` invocations or unexpected shell activity;
(5) consider moving to a stateless, API-driven mail sync solution that does not rely on shell calls.
By addressing the injection point and tightening ACLs, organizations can eliminate the RCE vector while preserving legitimate sync functionality.
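As an added illustration (not code from Mailcow or imapsync), the string-built command shape described above next to the list-form invocation and input check the fix calls for; `auth-helper` and its `--password` flag are placeholders standing in for the openssl call, and the demonstration runs the safe path through `printf` to show that shell metacharacters survive as literal data.

```perl
#!/usr/bin/perl
# Added illustration, not Mailcow or imapsync code. "auth-helper" and its
# --password option stand in for the openssl call described above.
use strict;
use warnings;
use IPC::Open3;
use Symbol qw(gensym);

# Characters that make /bin/sh treat a value as syntax instead of data.
my $SHELL_META = qr/[;&|`\$<>()\\'"\s]/;
# VULNERABLE shape: one string. Perl's system(STRING) hands any string
# containing metacharacters to /bin/sh -c, so a credential such as
# "foo; echo injected" is parsed as two commands.
sub build_shell_string {
    my ($password) = @_;
    return "auth-helper --password $password";
}
# HARDENED shape: a list. system(LIST) and open3(LIST) call execvp()
# with each element as one argv entry; no shell ever parses the value.
sub build_argv {
    my ($password) = @_;
    return ('auth-helper', '--password', $password);
}
# Defence in depth for the sync-job API handler: accept (1) only
# credentials that carry no shell metacharacters, reject (0) the rest.
sub credential_is_acceptable {
    my ($value) = @_;
    return $value =~ $SHELL_META ? 0 : 1;
}
# Run a list-form command under open3 and return its stdout. The child
# is exec'd directly, so metacharacters arrive as literal bytes.
sub run_argv {
    my @argv = @_;
    my $err = gensym;
    my $pid = open3(my $in, my $out, $err, @argv);
    close $in;
    my $stdout = do { local $/; <$out> };
    waitpid($pid, 0);
    return $stdout;
}

# Demonstration with a constructed, harmless credential: the list form
# delivers it to printf as a single literal argument.
my $credential = 'foo; echo injected';
print "string form (never run this): ", build_shell_string($credential), "\n";
print "API check: ", credential_is_acceptable($credential) ? "accept" : "reject", "\n";
my $seen = run_argv('printf', '%s', $credential);
print "argv form preserved value literally: ", ($seen eq $credential ? "yes" : "no"), "\n";
```

Running it prints `reject` for the API check and `yes` for the argv path, since `printf` receives the whole value as one argument rather than the shell splitting it at the semicolon.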

Additional Information

CVSS Base Score

CVSS 3.1 base score: 8.8/10.0 (High Risk)

Key Information

Severity: HIGH
Source ID: CVE-2023-26490

CVSS Summary

CVSS 3.1: 8.8 (High)

Timeline

Published: 2023-03-04
Last Modified: 2024-11-21