CVE-2024-35187 Overview
Stalwart Mail Server contains an authorization flaw that allows attackers with code execution as the stalwart-mail user to escalate to full root privileges on the host system. The vulnerability affects all versions prior to 0.8.0. Although the service runs under a dedicated unprivileged user account, the process retains the ability to restore full privileges trivially. This negates the isolation typically provided by service account separation. Administrators who delegated mail server admin credentials without intending to grant root access are exposed, as are users whose servers are compromised through any other arbitrary code execution vector. The issue is categorized under CWE-863: Incorrect Authorization.
Critical Impact
An attacker with stalwart-mail user code execution or admin web interface access can obtain complete root control of the underlying host.
Affected Products
- Stalwart Mail Server versions prior to 0.8.0
- Deployments where the stalwart-mail service user has retained privilege-restoration capabilities
- Systems exposing the Stalwart admin web interface to untrusted operators
Discovery Timeline
- 2024-05-16 - CVE-2024-35187 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-35187
Vulnerability Analysis
Stalwart Mail Server runs as a dedicated stalwart-mail system user. This pattern normally confines a compromise to the service account and prevents lateral movement into the broader operating system. The implementation prior to version 0.8.0 leaves capabilities or privilege-restoration mechanisms accessible to the running process. An attacker who reaches code execution within the mail server context can invoke these mechanisms to regain root. The flaw converts a service-scoped compromise into a full host takeover, breaking the security boundary that the separate user account was intended to enforce.
Root Cause
The root cause is an incorrect authorization model [CWE-863] in the privilege management of the Stalwart process. The service drops to the stalwart-mail user but does not permanently relinquish the ability to elevate. Mechanisms that allow re-acquiring root remain available to any code running in the process. This makes the user separation a cosmetic boundary rather than a security boundary.
Attack Vector
Exploitation requires either administrative access to the Stalwart admin web interface or arbitrary code execution within the stalwart-mail service through a separate vulnerability. From that position, the attacker triggers the available privilege restoration path to run code as root. The scope changes from the constrained service account to the entire operating system, including all other services, user data, and configuration. Refer to the GitHub Security Advisory GHSA-rwp5-f854-ppg6 for vendor-supplied technical details.
Detection Methods for CVE-2024-35187
Indicators of Compromise
- Processes spawned by stalwart-mail running with effective UID 0
- Unexpected modifications to /etc/passwd, /etc/shadow, /etc/sudoers, or systemd unit files following Stalwart activity
- New cron jobs, SSH authorized keys, or setuid binaries created after mail server admin logins
- Outbound network connections from root-owned child processes of the Stalwart service
Detection Strategies
- Monitor for child processes of stalwart-mail that transition to root via setuid, setresuid, or capability operations
- Audit Stalwart admin web interface authentication events and correlate with subsequent shell or process activity on the host
- Alert on Stalwart versions below 0.8.0 discovered through software inventory scans
Monitoring Recommendations
- Enable Linux audit rules on execve, setuid, and capability syscalls scoped to the stalwart-mail user
- Forward host telemetry to a centralized analytics platform and apply behavioral rules for service-to-root escalation patterns
- Track integrity of system files and service unit definitions on mail server hosts
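The detection strategies and monitoring recommendations above, turned into working code. This is an added example, not part of the advisory or of the Stalwart project: it emits auditctl rules scoped to the service account and then replays Linux audit SYSCALL records through a small detector that attributes root activity to the mail server's process tree. Assumptions: the stalwart-mail account has UID 998, the rule key is named "stalwart-priv", the host is x86_64 (syscall numbers differ on other architectures), and the log lines are constructed samples rather than captured data.

```python
"""Detect service-to-root transitions in Linux audit SYSCALL records.

Added example, not from the advisory or the Stalwart project. Assumptions:
stalwart-mail has UID 998, the audit rules use the key "stalwart-priv", and
the host is x86_64. The log lines below are constructed samples.
"""
import re
from typing import Dict, Iterable, List

STALWART_UID = 998  # assumed; on a real host use the output of `id -u stalwart-mail`

# x86_64 syscall numbers for the privilege-relevant calls named in the advisory.
WATCHED_SYSCALLS = {59: "execve", 105: "setuid", 113: "setreuid",
                    117: "setresuid", 126: "capset"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"audit\([\d.]+:(\d+)\)")


def audit_rules(service_uid: int = STALWART_UID, key: str = "stalwart-priv") -> List[str]:
    """auditctl rules for the 'scoped to the stalwart-mail user' guidance.

    Caveat: audit filters compare credentials at syscall exit, so a call that
    already raised the real UID to 0 escapes a uid= filter. The second rule
    therefore also records these calls for root processes that have no login
    session (auid=-1), which is what a daemon's children look like.
    """
    calls = "execve,setuid,setreuid,setresuid,capset"
    return [
        f"-a always,exit -F arch=b64 -S {calls} -F uid={service_uid} -k {key}",
        f"-a always,exit -F arch=b64 -S {calls} -F uid=0 -F auid=-1 -k {key}",
    ]


def parse_record(line: str) -> Dict[str, str]:
    """Turn one audit record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def detect_escalations(lines: Iterable[str], service_uid: int = STALWART_UID) -> List[dict]:
    """Flag root activity inside the service's process tree.

    A pid joins the service lineage when it runs as service_uid or when its
    parent is already in the lineage, so a child that reached UID 0 is still
    attributed to the mail server. (A production pipeline should key on pid
    plus process start time so that pid reuse cannot confuse it.)
    """
    lineage = set()
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        pid, ppid = int(rec["pid"]), int(rec["ppid"])
        if int(rec["uid"]) == service_uid or ppid in lineage:
            lineage.add(pid)
        name = WATCHED_SYSCALLS.get(int(rec["syscall"]))
        if pid not in lineage or name is None:
            continue
        succeeded = rec.get("success") == "yes"
        if succeeded and int(rec["euid"]) == 0:
            kind = "root-in-service-lineage"          # the advisory's IoC
        elif not succeeded and name != "execve":
            kind = "blocked-privilege-attempt"        # expected on a hardened host
        else:
            continue
        alerts.append({
            "serial": int(SERIAL_RE.search(rec["msg"]).group(1)),
            "kind": kind, "pid": pid, "syscall": name,
            "comm": rec.get("comm", ""), "exe": rec.get("exe", ""),
        })
    return alerts


# Constructed sample records: a normal start, a successful setuid() to root
# inside the service, a root shell spawned by it, a setresuid() that a
# hardened host refused, and an unrelated root exec by sshd.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1716000000.101:201): arch=c000003e syscall=59 success=yes exit=0 pid=1201 ppid=1 auid=4294967295 uid=998 gid=998 euid=998 suid=998 fsuid=998 egid=998 sgid=998 fsgid=998 comm="stalwart-mail" exe="/usr/local/bin/stalwart-mail" key="stalwart-priv"
type=SYSCALL msg=audit(1716000000.202:202): arch=c000003e syscall=105 success=yes exit=0 pid=1201 ppid=1 auid=4294967295 uid=998 gid=998 euid=0 suid=0 fsuid=0 egid=998 sgid=998 fsgid=998 comm="stalwart-mail" exe="/usr/local/bin/stalwart-mail" key="stalwart-priv"
type=SYSCALL msg=audit(1716000000.303:203): arch=c000003e syscall=59 success=yes exit=0 pid=1260 ppid=1201 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sh" exe="/usr/bin/dash" key="stalwart-priv"
type=SYSCALL msg=audit(1716000000.404:204): arch=c000003e syscall=117 success=no exit=-1(EPERM) pid=1202 ppid=1 auid=4294967295 uid=998 gid=998 euid=998 suid=998 fsuid=998 egid=998 sgid=998 fsgid=998 comm="stalwart-mail" exe="/usr/local/bin/stalwart-mail" key="stalwart-priv"
type=SYSCALL msg=audit(1716000000.505:205): arch=c000003e syscall=59 success=yes exit=0 pid=1300 ppid=1 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sshd" exe="/usr/sbin/sshd" key="stalwart-priv"
"""

if __name__ == "__main__":
    print("\n".join(audit_rules()))
    for alert in detect_escalations(SAMPLE_AUDIT_LOG.splitlines()):
        print(alert)
```

Run against `ausearch -k stalwart-priv --raw` output on a real host. The lineage approach matters because a successful escalation changes the credentials the audit subsystem records, so a detector that only looks for `uid=998` next to `euid=0` sees the first transition but misses the root children that follow it; the sshd record shows that root activity outside the mail server's tree is left alone.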
How to Mitigate CVE-2024-35187
Immediate Actions Required
- Upgrade Stalwart Mail Server to version 0.8.0 or later on all affected hosts
- Rotate Stalwart admin credentials and any secrets accessible to the mail server process
- Review recent admin web interface logins for unauthorized activity
- Audit hosts for persistence artifacts created since the vulnerable version was deployed
Patch Information
Version 0.8.0 contains the fix. Apply the upgrade as documented in the Stalwart GitHub Security Advisory. After upgrading, validate that the service no longer retains the capabilities required to regain root privileges.
Workarounds
- Restrict access to the Stalwart admin web interface to trusted networks and operators only
- Run Stalwart inside a container, namespace, or sandbox that drops Linux capabilities such as CAP_SETUID and CAP_SYS_ADMIN
- Apply systemd hardening directives such as NoNewPrivileges=yes, CapabilityBoundingSet=, and AmbientCapabilities= to the Stalwart service unit
# Example systemd hardening for the Stalwart service unit
# Place it in a drop-in such as /etc/systemd/system/stalwart-mail.service.d/hardening.conf
# (the unit name is an assumption; check `systemctl list-units` on the host).
# systemd only accepts comments on their own lines, never after a directive.
[Service]
User=stalwart-mail
Group=stalwart-mail
# Refuse any privilege gain through setuid binaries or file capabilities after exec
NoNewPrivileges=yes
# Empty sets: the process can never hold CAP_SETUID, CAP_SYS_ADMIN or any other capability.
# If Stalwart binds ports below 1024 itself, list CAP_NET_BIND_SERVICE on both lines;
# otherwise it cannot listen on 25, 465, 587 or 993.
CapabilityBoundingSet=
AmbientCapabilities=
# Whole filesystem read-only except /dev, /proc and /sys; add ReadWritePaths=
# for the data directory Stalwart writes to
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
RestrictSUIDSGID=yes
# Verify the result with: systemd-analyze security stalwart-mail.service
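A concrete way to perform the validation the Patch Information section asks for, and to confirm that the hardening directives above took effect. This is an added example, not from the advisory or the Stalwart project: it reads the privilege state Linux exposes in /proc/<pid>/status (real, effective, saved and filesystem IDs, the capability sets, no_new_privs) and reports anything that would let a de-privileged process climb back to root. It does not claim which of these mechanisms Stalwart used before 0.8.0; the "root-equivalent" capability list is this example's own judgement, and the two status texts are constructed samples.

```python
"""Verify that a de-privileged service process cannot regain root.

Added example, not from the advisory or the Stalwart project. The status
texts are constructed samples; ROOT_EQUIVALENT is this example's judgement.
"""
from typing import Dict, List, Set, Tuple

# Bit index == position in this list (from linux/capability.h).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Capabilities that, held by the service, give a path back to root (judgement call).
ROOT_EQUIVALENT = {
    "CAP_SETUID", "CAP_SETGID", "CAP_SYS_ADMIN", "CAP_SYS_PTRACE",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH",
    "CAP_FOWNER", "CAP_CHOWN", "CAP_SETFCAP", "CAP_MKNOD",
}


def decode_caps(hex_mask: str) -> Set[str]:
    """Expand a /proc capability mask such as 00000000000000c0 into names."""
    mask = int(hex_mask, 16)
    return {name for i, name in enumerate(CAP_NAMES) if mask >> i & 1}


def parse_status(text: str) -> Dict[str, object]:
    """Pick the privilege-relevant fields out of /proc/<pid>/status."""
    st: Dict[str, object] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, rest = line.split(":", 1)
        values = rest.split()
        if key in ("Uid", "Gid"):                 # real, effective, saved, filesystem
            st[key] = tuple(int(v) for v in values)
        elif key.startswith("Cap"):
            st[key] = decode_caps(values[0])
        elif key == "NoNewPrivs":
            st[key] = int(values[0])
    return st


def check_status(text: str) -> List[Tuple[str, str]]:
    """Return (field, problem) pairs; an empty list means no way back to root was found."""
    st = parse_status(text)
    findings: List[Tuple[str, str]] = []
    for field in ("Uid", "Gid"):
        # A saved ID of 0 lets an otherwise unprivileged process switch back to root.
        for label, value in zip(("real", "effective", "saved", "filesystem"), st[field]):
            if value == 0:
                findings.append((field, f"{label} {field.upper()} is 0"))
    for field in ("CapPrm", "CapEff", "CapBnd", "CapAmb"):
        held = sorted(st.get(field, set()) & ROOT_EQUIVALENT)
        if held:
            findings.append((field, "holds " + ",".join(held)))
    if st.get("NoNewPrivs") != 1:
        findings.append(("NoNewPrivs", "not set: setuid binaries and file capabilities can still raise privileges"))
    return findings


def check_pid(pid: int) -> List[Tuple[str, str]]:
    """Check a live process, e.g. check_pid(int(open('/run/stalwart.pid').read()))."""
    with open(f"/proc/{pid}/status") as fh:
        return check_status(fh.read())


# Constructed sample: saved IDs left at 0, CAP_SETGID/CAP_SETUID still permitted,
# default (full) bounding set, no_new_privs off.
UNHARDENED_STATUS = """\
Name:\tstalwart-mail
Pid:\t1201
Uid:\t998\t998\t0\t998
Gid:\t998\t998\t0\t998
NoNewPrivs:\t0
CapInh:\t0000000000000000
CapPrm:\t00000000000000c0
CapEff:\t0000000000000000
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

# Constructed sample of what the hardened unit above should produce:
# every ID is the service account, only CAP_NET_BIND_SERVICE remains, no_new_privs on.
HARDENED_STATUS = """\
Name:\tstalwart-mail
Pid:\t1201
Uid:\t998\t998\t998\t998
Gid:\t998\t998\t998\t998
NoNewPrivs:\t1
CapInh:\t0000000000000000
CapPrm:\t0000000000000400
CapEff:\t0000000000000400
CapBnd:\t0000000000000400
CapAmb:\t0000000000000400
"""

if __name__ == "__main__":
    print("unhardened:", check_status(UNHARDENED_STATUS))
    print("hardened:", check_status(HARDENED_STATUS))
```

After an upgrade or a unit change, run `check_pid` against the main Stalwart process and any workers it forks; the hardened sample passes with an empty list even though it keeps CAP_NET_BIND_SERVICE, which is what a mail server binding port 25 needs and which is not on the root-equivalent list.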
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.