A new high-severity vulnerability has been disclosed in the Zimbra email suite that, if successfully exploited, allows an unauthenticated attacker to steal the cleartext passwords of users without any user interaction.
“With the consequent access to the victims’ mailboxes, attackers can potentially escalate their access to targeted organizations and gain access to various internal services and steal highly sensitive information,” SonarSource said in a report shared with The Hacker News.
Tracked as CVE-2022-27924 (CVSS score: 7.5), the issue has been characterized as a case of “Memcached poisoning with unauthenticated request,” leading to a scenario where an adversary can inject malicious commands and siphon sensitive information.
This is made possible by poisoning the IMAP route cache entries in the Memcached server that is used to look up Zimbra users and forward their HTTP requests to the appropriate backend services.
Given that Memcached parses incoming requests line by line, the vulnerability allows an attacker to send a specially crafted lookup request to the server containing CRLF characters, causing the server to execute unintended commands.
The flaw exists because “newline characters (\r\n) are not escaped in untrusted user input,” the researchers explained. “This code flaw ultimately allows attackers to steal cleartext credentials from users of targeted Zimbra instances.”
Armed with this capability, the attacker can subsequently corrupt the cache to overwrite an entry such that it forwards all IMAP traffic to an attacker-controlled server, including the targeted user’s credentials in cleartext.
That said, the attack presupposes that the adversary is already in possession of the victims’ email addresses in order to be able to poison the cache entries, and that the victims use an IMAP client to retrieve email messages from the mail server.
“Usually, an organization uses a pattern for email addresses for their members, such as e.g., {firstname}.{lastname}@example.com,” the researchers said. “A list of email addresses could be obtained from OSINT sources such as LinkedIn.”
A threat actor, however, can get around these restrictions by exploiting a technique called response smuggling, which involves “smuggling” unauthorized HTTP responses that abuse the CRLF injection flaw to forward IMAP traffic to a rogue server, thereby stealing credentials from users without prior knowledge of their email addresses.
“The idea is that by continuously injecting more responses than there are work items into the shared response streams of Memcached, we can force random Memcached lookups to use injected responses instead of the correct response,” the researchers explained. “This works because Zimbra did not validate the key of the Memcached response when consuming it.”
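The two root causes described above, unescaped CRLF in the user-controlled part of a Memcached key and a consumer that never checks which key a response belongs to, map to two defensive checks. The following is an added illustration written for this article; it is not Zimbra's or SonarSource's code. It uses a hypothetical key layout (`route:imap:<username>`) and a hypothetical consumer, and relies only on two documented properties of the Memcached text protocol: keys must not contain control characters or whitespace and are limited to 250 bytes, and a `get` response echoes the key in its `VALUE` header.

```python
import re
from typing import Optional

# Memcached text-protocol constraints on keys: no control characters, no
# whitespace, at most 250 bytes. Enforcing them before a user-supplied value is
# placed in a command makes CRLF injection impossible at this layer.
MAX_KEY_BYTES = 250
_FORBIDDEN = re.compile(r"[\x00-\x20\x7f]")  # C0 controls, space, DEL


class UnsafeKeyError(ValueError):
    """Raised when untrusted input cannot be used safely as part of a key."""


def build_route_key(username: str) -> str:
    """Build the IMAP route cache key for a user (hypothetical key layout).

    Rejects the input instead of escaping it: a username with a control
    character is never legitimate, and rejecting is simpler to get right.
    """
    if not username:
        raise UnsafeKeyError("empty username")
    if _FORBIDDEN.search(username):
        raise UnsafeKeyError("control character or whitespace in username")
    key = f"route:imap:{username}"
    if len(key.encode("utf-8")) > MAX_KEY_BYTES:
        raise UnsafeKeyError("key exceeds memcached's 250-byte limit")
    return key


def key_is_safe(username: str) -> bool:
    """Boolean wrapper around build_route_key for callers that only need a verdict."""
    try:
        build_route_key(username)
        return True
    except UnsafeKeyError:
        return False


def build_get_command(username: str) -> bytes:
    """Serialize a single 'get <key>\\r\\n' command after validation."""
    return b"get " + build_route_key(username).encode("utf-8") + b"\r\n"


def count_commands(wire: bytes) -> int:
    """How many commands a line-oriented parser would see in this buffer.

    This is the property the vulnerability abuses: without the check above,
    one logical lookup could become several commands on the wire.
    """
    return sum(1 for line in wire.split(b"\r\n") if line.strip())


def consume_get_response(requested_key: str, response: bytes) -> Optional[bytes]:
    """Parse 'VALUE <key> <flags> <bytes>\\r\\n<data>\\r\\nEND\\r\\n' and return
    <data> only if the echoed key is the one we asked for.

    The key comparison is the check the researchers say was missing: a
    response whose key does not match must not be used, because it may have
    been injected into the shared response stream by someone else.
    """
    if response == b"END\r\n":
        return None  # cache miss
    header, _, rest = response.partition(b"\r\n")
    parts = header.split(b" ")
    if len(parts) < 4 or parts[0] != b"VALUE":
        raise ValueError("malformed response header")
    if parts[1].decode("utf-8") != requested_key:
        raise ValueError("response key mismatch: possible cache poisoning")
    size = int(parts[3])
    data = rest[:size]
    if rest[size:] != b"\r\nEND\r\n":
        raise ValueError("malformed response body")
    return data


def response_matches(requested_key: str, response: bytes) -> bool:
    """Boolean wrapper: True only if the response is well-formed and for our key."""
    try:
        consume_get_response(requested_key, response)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    print(build_get_command("alice@example.com"))
    print(key_is_safe("alice\r\nbob"))  # False: rejected before reaching the cache
    good = b"VALUE route:imap:alice@example.com 0 5\r\nhello\r\nEND\r\n"
    print(consume_get_response("route:imap:alice@example.com", good))
    print(response_matches("route:imap:bob@example.com", good))  # False: key mismatch
```

The two checks are independent and both are worth having: input validation stops a crafted username from ever producing a second command, and key verification on the consuming side means that even a poisoned or misrouted response cannot be attributed to the wrong lookup.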
Following responsible disclosure on March 11, 2022, patches to fully plug the security hole were shipped by Zimbra on May 10, 2022, in versions 8.8.15 P31.1 and 9.0.0 P24.1.
The findings arrive months after cybersecurity firm Volexity disclosed an espionage campaign dubbed EmailThief that weaponized a zero-day vulnerability in the email platform to target European government and media entities in the wild.