We have recently identified a critical vulnerability, CVE-2024-28054, that affects Amavis email security software versions before 2.12.3 and 2.13.x before 2.13.1. This vulnerability stems from an interpretation conflict with certain mail user agents when there are multiple boundary parameters in a MIME email message. As a result, Amavis may perform an incorrect check for banned files or malware, leading to potential security risks.

In this long-read post, we will discuss the details of the vulnerability, its root cause, and the possible exploits. We will also provide code snippets from the original source to illustrate the issue and present the official references for further investigation.

Technical Details

Amavis is an open-source email security software that scans email messages for spam, malware, and undesirable content. It uses the MIME-tools library to parse email messages, detecting and decoding attachments, and subsequently checking them against configured filters and rules.

The vulnerability in question is caused by an interpretation conflict between Amavis and certain mail user agents when multiple boundary parameters are encountered in a MIME email message. Boundary parameters are used in MIME messages to separate different parts of a message, such as plain text and HTML content, or attachments. However, when multiple boundary parameters are present in a single email message, it may lead to incorrect handling and parsing, resulting in an inaccurate check for banned files or malware by Amavis.

An example of a MIME email message with multiple boundary parameters that could cause the interpretation conflict is as follows:

From: sender@example.com
To: recipient@example.com
Subject: Example email with multiple boundaries
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="boundary1"; boundary="boundary2"

This is a MIME formatted message.

--boundary1
Content-Type: text/plain

This is plain text content.

--boundary1
Content-Type: text/html

This is HTML content.

--boundary1
Content-Type: application/zip; name="example.zip"
Content-Disposition: attachment; filename="example.zip"

...zip file content...

--boundary1--

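As shown above, the Content-Type header declares two boundary parameters, boundary1 and boundary2, while the body is delimited only with boundary1. If Amavis and the recipient's mail user agent do not select the same boundary value, they may see different message structures, and Amavis's check for banned files or malware is then applied to content that differs from what the mail user agent presents.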
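
One way to flag such messages at the gateway, as an added example that is not Amavis code and not part of the original post: it uses Python's standard email package to list every boundary parameter on each part's Content-Type header and counts how many part delimiters each candidate value would match. The function names and the shortened sample message are assumptions made for illustration.

```python
import email

# Constructed sample, shortened from the message shown above.
SAMPLE = """\
From: sender@example.com
To: recipient@example.com
Subject: Example email with multiple boundaries
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="boundary1"; boundary="boundary2"

--boundary1
Content-Type: text/plain

This is plain text content.
--boundary1
Content-Type: application/zip; name="example.zip"

...zip file content...
--boundary1--
"""


def boundary_values(part):
    """Return every boundary value declared in this part's Content-Type header."""
    params = part.get_params(failobj=[], header="content-type")
    return [value for name, value in params[1:] if name.lower() == "boundary"]


def delimiter_count(raw, boundary):
    """Count the part delimiters a parser would match if it selected `boundary`."""
    return sum(1 for line in raw.splitlines() if line.rstrip() == "--" + boundary)


def audit(raw):
    """Report each MIME part whose Content-Type declares more than one boundary."""
    findings = []
    for part in email.message_from_string(raw).walk():
        values = boundary_values(part)
        if len(values) > 1:
            findings.append({
                "content_type": part.get_content_type(),
                "boundaries": values,
                # Differing counts mean two parsers would see different messages.
                "parts_seen": {b: delimiter_count(raw, b) for b in values},
            })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A finding whose parts_seen counts differ between boundary values is the case to quarantine or reject, since the scanner and the mail client are not guaranteed to read the same parts.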

Exploit Details

An attacker may leverage this vulnerability to bypass security checks performed by Amavis. By crafting a specially designed email with multiple boundary parameters, they can attach malware, banned files, or any other undesirable content. This content would then bypass email filters configured within Amavis, potentially causing harm and security risks to recipients.

Remediation

To address this vulnerability, it is recommended to update Amavis to version 2.12.3 or 2.13.1, depending on the affected version series. The Amavis community has released patches to fix this issue and ensure that the software properly handles multiple boundary parameters in MIME email messages.

For users of Amavis versions affected by this vulnerability, the following resources provide detailed information, including patch notes and instructions for applying updates:

- Amavis Official Release Announcement
- GitHub Repository with Patch Notes and Source Code

Conclusion

CVE-2024-28054 is a critical vulnerability in Amavis email security software that may allow attackers to bypass security checks for banned files and malware. This vulnerability underscores the importance of staying up to date with software patches and updates, as well as being aware of potential security risks and vulnerabilities in your email infrastructure. By understanding the details of this issue and applying the necessary updates, you can help to protect your systems and users from potential harm.

Timeline

Published on: 03/18/2024 17:15:07 UTC
Last modified on: 03/23/2024 03:15:11 UTC