Security
Headlines
HeadlinesLatestCVEs

Headline

New Zimbra Email Vulnerability Could Let Attackers Steal Your Login Credentials

A new high-severity vulnerability has been disclosed in the Zimbra email suite that, if successfully exploited, enables an unauthenticated attacker to steal cleartext passwords of users sans any user interaction. "With the consequent access to the victims’ mailboxes, attackers can potentially escalate their access to targeted organizations and gain access to various internal services and steal

The Hacker News
#vulnerability#memcached#auth#zero_day#The Hacker News

A new high-severity vulnerability has been disclosed in the Zimbra email suite that, if successfully exploited, enables an unauthenticated attacker to steal cleartext passwords of users sans any user interaction.

“With the consequent access to the victims’ mailboxes, attackers can potentially escalate their access to targeted organizations and gain access to various internal services and steal highly sensitive information,” SonarSource said in a report shared with The Hacker News.

Tracked as CVE-2022-27924 (CVSS score: 7.5), the issue has been characterized as a case of “Memcached poisoning with unauthenticated request,” leading to a scenario where an adversary can inject malicious commands and siphon sensitive information.

This is made possible by poisoning the IMAP route cache entries in the Memcached server that’s used to look up Zimbra users and forward their HTTP requests to appropriate backend services.

Given that Memcached parses incoming requests line-by-line, the vulnerability permits an attacker to send a specially crafted lookup request to the server containing CRLF characters, causing the server to execute unintended commands.

The flaw exists because “newline characters (\r\n) are not escaped in untrusted user input,” the researchers explained. “This code flaw ultimately allows attackers to steal cleartext credentials from users of targeted Zimbra instances.”

Armed with this capability, the attacker can subsequently corrupt the cache to overwrite an entry such that it forwards all IMAP traffic to an attacker-controlled server, including the targeted user’s credentials in cleartext.

That said, the attack presupposes the adversary already is in possession of the victims’ email addresses so as to be able to poison the cache entries and that they use an IMAP client to retrieve email messages from a mail server.

“Typically, an organization uses a pattern for email addresses for their members, such as e.g., {firstname}.{lastname}@example.com,” the researchers said. “A list of email addresses could be obtained from OSINT sources such as LinkedIn.”

A threat actor, however, can get around these restrictions by exploiting a technique called response smuggling, which entails “smuggling” unauthorized HTTP responses that abuse the CRLF injection flaw to forward IMAP traffic to a rogue server, thereby stealing credentials from users without prior knowledge of their email addresses.

“The idea is that by continuously injecting more responses than there are work items into the shared response streams of Memcached, we can force random Memcached lookups to use injected responses instead of the correct response,” the researchers explained. “This works because Zimbra did not validate the key of the Memcached response when consuming it.”

Following responsible disclosure on March 11, 2022, patches to completely plug the security hole were shipped by Zimbra on May 10, 2022, in versions 8.8.15 P31.1 and 9.0.0 P24.1.

The findings arrive months after cybersecurity firm Volexity disclosed an espionage campaign dubbed EmailThief that weaponized a zero-day vulnerability in the email platform to target European government and media entities in the wild.

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

Related news

CISA Warns of Threat Actors Exploiting F5 BIG-IP Cookies for Network Reconnaissance

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that it has observed threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to conduct reconnaissance of target networks. It said the module is being used to enumerate other non-internet-facing devices on the network. The agency, however, did not disclose who

Unpatched Zimbra Platforms Are Probably Compromised, CISA Says

Attackers are targeting Zimbra systems in the public and private sectors, looking to exploit multiple vulnerabilities, CISA says.

Researchers Warn of Ongoing Mass Exploitation of Zimbra RCE Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two flaws to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation. The two high-severity issues relate to weaknesses in Zimbra Collaboration, both of which could be chained to achieve unauthenticated remote code execution on affected email servers - CVE-2022-27925 (CVSS score: 7.2)

CISA Adds Zimbra Email Vulnerability to its Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a recently disclosed high-severity vulnerability in the Zimbra email suite to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation. The issue in question is CVE-2022-27924 (CVSS score: 7.5), a command injection flaw in the platform that could lead to the execution of arbitrary

CVE-2022-32294: Zimbra Security Advisories - Zimbra :: Tech Center

Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the "zmprove ca" command). It is visible in cleartext on port UDP 514 (aka the syslog port).