The Hacker News, Jun 14, 2022 - 3:13 p.m.

New Zimbra Email Vulnerability Could Let Attackers Steal Your Login Credentials

Source: thehackernews.com

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N


A new high-severity vulnerability has been disclosed in the Zimbra email suite that, if successfully exploited, enables an unauthenticated attacker to steal users' cleartext passwords without any user interaction.

“With the consequent access to the victims’ mailboxes, attackers can potentially escalate their access to targeted organizations and gain access to various internal services and steal highly sensitive information,” SonarSource said in a report shared with The Hacker News.

Tracked as CVE-2022-27924 (CVSS score: 7.5), the issue has been characterized as a case of “Memcached poisoning with unauthenticated request,” leading to a scenario where an adversary can inject malicious commands and siphon sensitive information.

This is made possible by poisoning the IMAP route cache entries in the Memcached server that Zimbra uses to look up users and forward their requests to the appropriate backend services. Memcached is an in-memory key-value store used as a high-performance cache or session store in front of external databases and API calls; in this case it fronts the lookup service.

Because Memcached parses incoming requests line by line, the vulnerability permits an attacker to send a specially crafted lookup request containing CRLF characters, causing the server to execute unintended commands.

The flaw exists because “newline characters (\r\n) are not escaped in untrusted user input,” the researchers explained. “This code flaw ultimately allows attackers to steal cleartext credentials from users of targeted Zimbra instances.”

Armed with this capability, the attacker can subsequently corrupt the cache to overwrite an entry such that it forwards all IMAP traffic to an attacker-controlled server, including the targeted user’s credentials in cleartext.

That said, the attack presupposes that the adversary already knows the victims’ email addresses, so that the corresponding cache entries can be poisoned, and that the victims use an IMAP client to retrieve email messages from the mail server.

“Typically, an organization uses a pattern for email addresses for their members, such as e.g., {firstname}.{lastname}@example.com,” the researchers said. “A list of email addresses could be obtained from OSINT sources such as LinkedIn.”

A threat actor, however, can get around these restrictions by exploiting a technique called response smuggling, which entails “smuggling” unauthorized HTTP responses that abuse the CRLF injection flaw to forward IMAP traffic to a rogue server, thereby stealing credentials from users without prior knowledge of their email addresses.

“The idea is that by continuously injecting more responses than there are work items into the shared response streams of Memcached, we can force random Memcached lookups to use injected responses instead of the correct response,” the researchers explained. “This works because Zimbra did not validate the key of the Memcached response when consuming it.”
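As an added illustration (constructed here, not Zimbra's or SonarSource's code), the following Python shows the two defects the article describes beside a hardened version: a Memcached `get` command built from an account name in which CR/LF is not rejected, and a response consumer that accepts data without checking that the returned key is the one it asked for. The `route:` key prefix and the sample hostnames are assumptions.

```python
import re
from typing import Optional

# Memcached text-protocol keys: at most 250 bytes, no whitespace or control
# characters, which rules out the \r and \n the article says went unescaped.
_KEY_RE = re.compile(rb"[\x21-\x7e]{1,250}")

def build_get_vulnerable(account: str) -> bytes:
    # Untrusted input spliced straight into the protocol line: a CR/LF inside
    # 'account' terminates this command and starts another one.
    return b"get route:" + account.encode() + b"\r\n"

def build_get_hardened(account: str) -> bytes:
    # Refuse anything that is not a legal single-line key before it hits the wire.
    key = b"route:" + account.encode()
    if not _KEY_RE.fullmatch(key):
        raise ValueError("illegal memcached key (control char, whitespace or >250 bytes)")
    return b"get " + key + b"\r\n"

def protocol_lines(request: bytes) -> int:
    # Memcached reads requests line by line; this is how many commands it would see.
    return len([ln for ln in request.split(b"\r\n") if ln])

def parse_get_response(response: bytes, expected_key: bytes) -> Optional[bytes]:
    """Parse a single-key reply 'VALUE <key> <flags> <bytes>\\r\\n<data>\\r\\nEND\\r\\n'.

    Returns None on a miss ('END\\r\\n'). Raises unless the VALUE line names the
    key that was actually requested: the check the article says Zimbra lacked,
    which is what lets a stray response be consumed by the wrong lookup."""
    header_end = response.find(b"\r\n")
    if header_end < 0:
        raise ValueError("malformed response")
    header = response[:header_end]
    if header == b"END":
        return None
    parts = header.split(b" ")
    if len(parts) != 4 or parts[0] != b"VALUE":
        raise ValueError("malformed VALUE line")
    key, nbytes = parts[1], int(parts[3])
    start = header_end + 2
    data = response[start:start + nbytes]
    if response[start + nbytes:] != b"\r\nEND\r\n":
        raise ValueError("data length does not match declared size")
    if key != expected_key:
        raise ValueError("response is for a different key than the one requested")
    return data
```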

Following responsible disclosure on March 11, 2022, patches to completely plug the security hole were shipped by Zimbra on May 10, 2022, in versions 8.8.15 P31.1 and 9.0.0 P24.1.

The findings arrive months after cybersecurity firm Volexity disclosed an espionage campaign dubbed EmailThief that weaponized a zero-day vulnerability in the email platform to target European government and media entities in the wild.

