Roundcube Webmail is a popular open-source web-based email client used by numerous organizations and individuals across the globe. A vulnerability was recently identified in the software that affects versions before 1.5.7 and 1.6.x before 1.6.7 on Windows. This vulnerability allows attackers to perform command injection via the "im_convert_path" and "im_identify_path" configuration settings. The issue gained attention as it is a partial re-emergence of the previously resolved vulnerability, CVE-202-12641.

Vulnerability Details

The vulnerability allows an attacker to inject and execute arbitrary OS commands on the server where the affected Roundcube Webmail instance is running. Specifically, the issue arises due to the lack of proper validation and sanitization of user-supplied data within the "im_convert_path" and "im_identify_path" configuration settings. As a result, a malicious user can craft a payload that includes OS commands and trigger their execution on the server.

The following code snippet demonstrates a potential attack vector exploiting the vulnerability

$config['im_convert_path'] = 'C:\\ImageMagick\\convert.exe;malicious_command.exe';
$config['im_identify_path'] = 'C:\\ImageMagick\\identify.exe;malicious_command.exe';

Upon successfully executing the injected commands, the attacker gains unauthorized access to the server and can perform other malicious activities like installing malware, stealing sensitive information, or causing a denial of service (DoS).

Original References

This vulnerability was disclosed through a security advisory published by the vendor and is referred to as CVE-2024-37385. The official sources for this vulnerability are available at:

1. The Roundcube Webmail GitHub repository - link
2. The MITRE CVE database entry - link
3. The National Vulnerability Database (NVD) entry - link

Incomplete Fix for CVE-202-12641

The current vulnerability has its roots in the incomplete fix for the earlier CVE-202-12641, which also pertained to a command injection vulnerability in Roundcube Webmail. While the earlier issue was addressed, the fix did not fully cover all possible attack scenarios. This has led to the re-emergence of the vulnerability, now identified as CVE-2024-37385, which specifically targets Windows users.

Mitigation and Solutions

To protect against this vulnerability, it is crucial to update the affected Roundcube Webmail instances to the latest versions. The recommended updates are:

Roundcube Webmail 1.6.x users should update to 1.6.7

These updated versions are available for download from the Roundcube Webmail official website here. The vendor also provides a list of detailed upgrade instructions here.

In addition to updating the software, it is advised that administrators restrict access to the vulnerable settings in the configuration files and implement network-level intrusion detection and prevention systems to minimize the risk posed by such vulnerabilities.

Conclusion

The CVE-2024-37385 vulnerability presents a serious risk to those using affected versions of Roundcube Webmail on Windows platforms. By exploiting this vulnerability, attackers can gain unauthorized access to the mail server and potentially compromise sensitive data, install malware, or cause service disruptions. It is crucial that users of Roundcube Webmail promptly upgrade their software to the latest available versions and follow best security practices to ensure the safety of their mail servers and data.

Timeline

Published on: 06/07/2024 04:15:30 UTC
Last modified on: 08/01/2024 13:53:32 UTC