CVE-2020-12641 Scanner

CVE-2020-12641 Scanner - Command Injection vulnerability in Roundcube Webmail

Short Info

Level: Critical
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 1 week 20 hours
Scan only one: URL
Toolbox: -

Roundcube Webmail is an open-source web-based IMAP email client used by individuals, hosting providers, and organizations to manage emails through a web interface. It offers features such as MIME support, address book, folder management, and spell checking. Roundcube is often deployed on shared hosting platforms and supports plugin-based extensions to enhance functionality. Its popularity is due to its simplicity, customization capabilities, and wide deployment in Linux-based environments. The software includes an installer and configuration wizard accessible via the web. Misconfigurations or improper sanitization in these tools can expose critical vulnerabilities.

The vulnerability CVE-2020-12641 affects Roundcube Webmail versions prior to 1.4.4 and is classified as a command injection flaw. It arises because shell metacharacters supplied through configuration variables such as `im_convert_path` or `im_identify_path` reach the shell unsanitized. These parameters point to the image-processing binaries and are set via the installer interface. If an attacker can reach and manipulate these values, arbitrary OS commands can be executed, which may result in full system compromise. The flaw is critical because it does not require authenticated access if the installer is left publicly accessible.

The vulnerable endpoint is `/installer/index.php` or `/roundcube/installer/index.php`, which is used during initial setup or reconfiguration of Roundcube Webmail. The scanner injects a payload into the `im_convert_path` parameter using a `curl` command targeting an external domain. A positive result is confirmed by detecting the expected installer output together with a success message indicating that the configuration file was saved. This behavior confirms that arbitrary commands can be embedded and executed through configuration fields during the installation phase.

If exploited, this vulnerability allows remote attackers to execute arbitrary system commands with the permissions of the web server. This could lead to system compromise, unauthorized data access, persistence via malware installation, or lateral movement within the hosting environment. Attackers could modify email data, exfiltrate sensitive information, or pivot to other internal systems. The issue is particularly risky when the installer remains accessible after initial deployment. It underscores the importance of securing or removing installation interfaces after setup.
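As an added defensive example (not the scanner's or Roundcube's own code), the Python below contrasts the pattern behind this flaw, a configuration value concatenated into a shell string, with a hardened form that allow-lists the binary path and passes it as a single argv element, and audits a config for the `im_convert_path` and `im_identify_path` values named above plus a still-enabled installer. Roundcube itself is PHP; the key names (including its `enable_installer` option) are reused here, the sample config is constructed, and the regex allow-list is this example's own choice.

```python
import re

# Config keys Roundcube reads to locate the ImageMagick binaries (named on the page).
TOOL_PATH_KEYS = ("im_convert_path", "im_identify_path")

# Allow-list for an absolute binary path: every component made only of
# letters, digits, dot, underscore and hyphen. Anything a shell would
# interpret (; | & $ ` quotes, whitespace, globs) fails to match.
_SAFE_PATH = re.compile(r"^/(?:[A-Za-z0-9._-]+/)*[A-Za-z0-9._-]+$")


def is_safe_tool_path(value: str) -> bool:
    """True only for a non-empty path that matches the allow-list."""
    return bool(value) and _SAFE_PATH.match(value) is not None


def unsafe_shell_command(im_convert_path: str, src: str, dst: str) -> str:
    """The pattern behind the flaw: a config value pasted into one shell
    string. Shown for contrast only; nothing here executes it."""
    return f"{im_convert_path} {src} {dst}"


def safe_convert_argv(im_convert_path: str, src: str, dst: str) -> list[str]:
    """Hardened form: validate the path, then build an argv list so the
    value is one argument and no shell ever parses it."""
    if not is_safe_tool_path(im_convert_path):
        raise ValueError(f"rejected im_convert_path: {im_convert_path!r}")
    return [im_convert_path, src, dst]


def audit_config(config: dict) -> list[str]:
    """Report settings that recreate the exposure this CVE describes:
    an installer left enabled, or tool paths a shell would misparse."""
    findings = []
    if config.get("enable_installer", False):
        findings.append("enable_installer is true: installer stays reachable after setup")
    for key in TOOL_PATH_KEYS:
        value = config.get(key, "")
        if value and not is_safe_tool_path(value):
            findings.append(f"{key} contains shell-significant characters: {value!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample config; not taken from any real deployment.
    sample = {
        "enable_installer": True,
        "im_convert_path": "/usr/bin/convert; echo injected",
        "im_identify_path": "/usr/bin/identify",
    }
    for finding in audit_config(sample):
        print(finding)
```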
