Zimbra Email Vulnerability

A new high-severity vulnerability has been disclosed in the Zimbra email suite that, if successfully exploited, enables an unauthenticated attacker to steal cleartext passwords of users sans any user interaction.

"With the consequent access to the victims' mailboxes, attackers can potentially escalate their access to targeted organizations and gain access to various internal services and steal highly sensitive information," SonarSource said in a report shared with The Hacker News.

Tracked as CVE-2022-27924 (CVSS score: 7.5), the issue has been characterized as a case of "Memcached poisoning with unauthenticated request," leading to a scenario where an adversary can inject malicious commands and siphon sensitive information.

Cybersecurity

This is made possible by poisoning the IMAP route cache entries in the Memcached server that's used to look up Zimbra users and forward their HTTP requests to appropriate backend services. Memcached is an in-memory key-value storage system for use as a high performance cache or session store for external database and API calls — in this case the lookup service.

Given that Memcached parses incoming requests line-by-line, the vulnerability permits an attacker to send a specially crafted lookup request to the server containing CRLF characters, causing the server to execute unintended commands.

The flaw exists because "newline characters (\r\n) are not escaped in untrusted user input," the researchers explained. "This code flaw ultimately allows attackers to steal cleartext credentials from users of targeted Zimbra instances."

Armed with this capability, the attacker can subsequently corrupt the cache to overwrite an entry such that it forwards all IMAP traffic to an attacker-controlled server, including the targeted user's credentials in cleartext.

Cybersecurity

That said, the attack presupposes the adversary already is in possession of the victims' email addresses so as to be able to poison the cache entries and that they use an IMAP client to retrieve email messages from a mail server.

"Typically, an organization uses a pattern for email addresses for their members, such as e.g., {firstname}.{lastname}@example.com," the researchers said. "A list of email addresses could be obtained from OSINT sources such as LinkedIn."

A threat actor, however, can get around these restrictions by exploiting a technique called response smuggling, which entails "smuggling" unauthorized HTTP responses that abuse the CRLF injection flaw to forward IMAP traffic to a rogue server, thereby stealing credentials from users without prior knowledge of their email addresses.

"The idea is that by continuously injecting more responses than there are work items into the shared response streams of Memcached, we can force random Memcached lookups to use injected responses instead of the correct response," the researchers explained. "This works because Zimbra did not validate the key of the Memcached response when consuming it."

Following responsible disclosure on March 11, 2022, patches to completely plug the security hole were shipped by Zimbra on May 10, 2022, in versions 8.8.15 P31.1 and 9.0.0 P24.1.

The findings arrive months after cybersecurity firm Volexity disclosed an espionage campaign dubbed EmailThief that weaponized a zero-day vulnerability in the email platform to target European government and media entities in the wild.


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.