A new high-severity vulnerability has been disclosed in the Zimbra email suite that, if successfully exploited, enables an unauthenticated attacker to steal users' cleartext passwords without any user interaction.
"With the consequent access to victims' mailboxes, attackers could increase their access to potentially targeted organizations, gain access to various internal services and steal highly sensitive information," SonarSource said in a report shared with The Hacker News.
Tracked as CVE-2022-27924 (CVSS score: 7.5), the issue has been characterized as "Memcached poisoning with unauthenticated requests", leading to a scenario where an adversary can inject malicious commands and siphon off sensitive information.
This is made possible by poisoning the IMAP route cache entries in a Memcached server that is used to look up Zimbra users and forward their HTTP requests to the appropriate backend services.
Given that Memcached parses incoming requests line by line, the vulnerability allows an attacker to send a specially crafted lookup request containing CRLF characters to the server, causing the server to execute unintended commands.
The flaw exists because "newline characters (\r\n) are not escaped in untrusted user input," the researchers explained. "This code flaw eventually allows attackers to steal cleartext credentials from users of targeted Zimbra instances."
Armed with this capability, the attacker can then poison the cache to overwrite an entry so that all IMAP traffic is forwarded to an attacker-controlled server, including the targeted user's cleartext credentials.
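To make the root cause concrete from the defender's side, the following added example (not Zimbra's or SonarSource's code) contrasts a lookup builder that concatenates a user-controlled value into a Memcached text-protocol command with one that validates the key first; the key layout `route:imap:` and the sample inputs are constructed placeholders, not Zimbra's real cache key format.

```python
import re

# Memcached's text protocol parses one CRLF-terminated line per command.  A key
# may not contain whitespace or control characters and is at most 250 bytes.
MAX_KEY_LEN = 250
_KEY_OK = re.compile(rb"[\x21-\x7e]{1,%d}" % MAX_KEY_LEN)

# Constructed placeholder key layout; NOT Zimbra's actual cache key format.
KEY_PREFIX = b"route:imap:"


def is_valid_key(key: bytes) -> bool:
    """True only if the key is a single printable-ASCII token of allowed length."""
    return _KEY_OK.fullmatch(key) is not None


def build_lookup_unsafe(user: str) -> bytes:
    """Vulnerable pattern: the user-controlled value is concatenated straight into
    the command string, so a CR/LF inside it becomes an extra protocol line."""
    return b"get " + KEY_PREFIX + user.encode("utf-8") + b"\r\n"


def build_lookup_safe(user: str) -> bytes:
    """Hardened pattern: refuse to build a command from anything that is not a
    single valid key token (rejects CR, LF, spaces and over-long values)."""
    key = KEY_PREFIX + user.encode("utf-8")
    if not is_valid_key(key):
        raise ValueError("invalid memcached key: whitespace/control char or too long")
    return b"get " + key + b"\r\n"


def count_commands(request: bytes) -> int:
    """Simulate the server's line-by-line parsing and return how many non-empty
    command lines it would see.  More than 1 for a single lookup means a
    second command was smuggled in via CRLF injection."""
    return sum(1 for line in request.split(b"\r\n") if line)


if __name__ == "__main__":
    clean = "alice@example.com"                            # constructed sample
    tainted = "alice@example.com\r\nINJECTED LINE"         # constructed sample
    print(count_commands(build_lookup_unsafe(clean)))      # 1
    print(count_commands(build_lookup_unsafe(tainted)))    # 2: one smuggled line
    try:
        build_lookup_safe(tainted)
    except ValueError as err:
        print("rejected:", err)
```

The same `is_valid_key` check can be used as a detection hook: logging every rejected key gives a cheap signal that someone is probing the cache lookup path.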
That said, the attack presupposes that the adversary is already in possession of the victims' email addresses in order to poison the cache entries, and that the victims use an IMAP client to retrieve email messages from the mail server.
"Typically, an organization uses a pattern for the email addresses of its members, such as {firstname}.{lastname}@example.com," the researchers said. "A list of email addresses can be obtained from OSINT sources such as LinkedIn."
A threat actor, however, can circumvent these restrictions using a technique called response smuggling, which involves "smuggling" unauthorized HTTP responses that abuse the CRLF injection flaw to forward IMAP traffic to a rogue server, thereby stealing credentials from users without any prior knowledge of their email addresses.
"The idea is that by continuously injecting more responses than there are work items into the shared response streams of Memcached, we can force random Memcached lookups to use injected responses instead of the correct response," the researchers explained. "This works because Zimbra did not verify the key of the Memcached response when it received it."
Following responsible disclosure on March 11, 2022, patches to fully plug the security holes were shipped by Zimbra on May 10, 2022, in versions 8.8.15 P31.1 and 9.0.0 P24.1.
The findings come just months after cybersecurity firm Volexity disclosed an espionage campaign called EmailThief that weaponized zero-day vulnerabilities in the email platform to target European governments and media agencies in the wild.