Business email platform Zimbra patches memcached injection flaw that imperils user credentials
Attackers could also potentially gain access to various internal services, researcher warns
A memcached injection vulnerability in business webmail platform Zimbra could allow attackers to steal login credentials without user interaction, security researchers have revealed.
Zimbra, an open source alternative to services including Microsoft Exchange, is used by more than 200,000 businesses and more than 1,000 government and financial institutions worldwide, according to its developer, Synacor.
Simon Scannell, vulnerability researcher at Swiss security firm Sonar (formerly SonarSource), has documented how unauthenticated attackers could poison an unsuspecting victim’s cache.
It is then possible to steal cleartext credentials from the Zimbra instance when the mail client connects to the Zimbra server, as demonstrated in the researcher’s proof-of-concept video.
Because newline characters (`\r\n`) were not escaped in untrusted user input, attackers could inject arbitrary memcached commands into a targeted instance and trigger an overwrite of arbitrary cached entries.
Memcached servers store key/value pairs that can be set and retrieved with a simple text-based protocol and interpret incoming data line by line.
Escalation risk
Zimbra users have been urged to upgrade their installations immediately, given the potential impact of successful exploitation.
The severity of the vulnerability (CVE-2022-27924) is listed as ‘high’ (CVSS 7.5) rather than ‘critical’, but once a mailbox is breached, “attackers can potentially escalate their access to targeted organizations and gain access to various internal services and steal highly sensitive information”, Scannell warned.
“With mail access, attackers can reset passwords, impersonate their victims, and silently read all private conversations within the targeted company.”
Continuous injections
Attackers could poison victims’ IMAP route cache entries by ascertaining the victim’s email address – an easy enough task with OSINT methods – but the researchers also successfully deployed response smuggling to steal cleartext credentials without first obtaining this information.
“By continuously injecting more responses than there are work items into the shared response streams of Memcached, we can force random Memcached lookups to use injected responses instead of the correct response,” explained Scannell.
“This works because Zimbra did not validate the key of the Memcached response when consuming it. By exploiting this behavior, we can hijack the proxy connection of random users connecting to our IMAP server without having to know their email addresses.”
Holding the newline
The flaw affects both open source and commercial versions of Zimbra in their default configurations.
The flaw was reported on March 11 and an initial fix, released on March 31, failed to properly address the issue. The comprehensively patched versions are 8.8.15 with patch level 31.1 and 9.0.0 with patch level 24.1.
“Zimbra patched the vulnerability by creating a SHA-256 hash of all Memcache keys before sending them to the Memcache server,” said Scannell. “As the hex-string representation of a SHA-256 can’t contain whitespaces, no new-lines can be injected anymore.”
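As an added illustration (not Zimbra’s or Sonar’s code), the Python below contrasts the unsafe key concatenation described above with the SHA-256 key hashing Zimbra adopted, adds an allow-list check as an alternative defence, and shows the response-key validation the researcher notes was missing when cached values were consumed. Function names are assumed and the tainted sample key is constructed for the demonstration.

```python
import hashlib
import re

# Memcached's text protocol terminates every command with CRLF and is parsed
# line by line, so a key carrying "\r\n" is read as additional commands.
CRLF = b"\r\n"

def build_get_unsafe(key: str) -> bytes:
    """Vulnerable pattern: untrusted key concatenated without escaping."""
    return b"get " + key.encode() + CRLF

def build_get_hashed(key: str) -> bytes:
    """Hardened pattern matching the fix described in the article: send the
    SHA-256 hex digest of the key, which can never contain whitespace."""
    digest = hashlib.sha256(key.encode()).hexdigest()
    return b"get " + digest.encode() + CRLF

def count_commands(wire: bytes) -> int:
    """Number of protocol lines a memcached server would see in this request."""
    return len([line for line in wire.split(CRLF) if line])

# Alternative defence: reject control bytes, whitespace and over-long keys
# (memcached limits keys to 250 bytes).
_KEY_RE = re.compile(r"[^\x00-\x20\x7f]{1,250}")

def is_valid_key(key: str) -> bool:
    return _KEY_RE.fullmatch(key) is not None

_VALUE_RE = re.compile(rb"VALUE (\S+) (\d+) (\d+)")

def parse_get_response(expected_key: bytes, wire: bytes):
    """Consume a 'get' reply, accepting the value only when the echoed key
    matches the one requested (the check the article says Zimbra lacked)."""
    head, _, rest = wire.partition(CRLF)
    if head == b"END":
        return None  # cache miss
    m = _VALUE_RE.fullmatch(head)
    if m is None or m.group(1) != expected_key:
        raise ValueError("response key mismatch or malformed reply")
    size = int(m.group(3))
    data = rest[:size]
    if rest[size:size + 2] != CRLF or not rest[size + 2:].startswith(b"END"):
        raise ValueError("malformed reply body")
    return data

# Constructed sample: an email-address-shaped key with an embedded CRLF.
TAINTED_KEY = "user@example.test\r\nset other 0 0 3"
```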
Sonar disclosed the flaw on June 14.
Scannell concluded his write-up by observing that cross-site scripting (XSS) and SQL injection flaws arising from a lack of input escaping “have been well known and documented for decades”, but that “other injection vulnerabilities can occur that are less known and can have a critical impact”.
As a consequence, Scannell recommends that developers “be aware of special characters that should be escaped when dealing with technology where less documentation and research about potential vulnerabilities exists”.
The vulnerability has emerged four months after Zimbra released a hotfix for an XSS flaw whose abuse underpinned a series of sophisticated spear-phishing campaigns linked to an unknown Chinese threat group.
Sonar also discovered a pair of Zimbra vulnerabilities last year that, if combined, allowed unauthenticated attackers to gain control of Zimbra servers.