A new high-severity vulnerability has been disclosed in the Zimbra email suite that, if successfully exploited, lets an unauthenticated attacker steal users' cleartext passwords without any user interaction.
“With the consequent access to the victims’ mailboxes, attackers can potentially escalate their access to targeted organizations and gain access to various internal services and steal highly sensitive information,” SonarSource said in a report shared with The Hacker News.
Tracked as CVE-2022-27924 (CVSS score: 7.5), the issue has been characterized as a case of “Memcached poisoning with unauthenticated request,” leading to a scenario in which an adversary can inject malicious commands and siphon sensitive information.
This is made possible by poisoning the IMAP route cache entries in the Memcached server that is used to look up Zimbra users and forward their HTTP requests to the appropriate backend services.
Because Memcached parses incoming requests line by line, the vulnerability lets an attacker send a specially crafted lookup request to the server containing CRLF characters, causing the server to execute unintended commands.
The flaw exists because “newline characters (\r\n) are not escaped in untrusted user input,” the researchers explained. “This code flaw ultimately allows attackers to steal cleartext credentials from users of targeted Zimbra instances.”
Armed with this capability, the attacker can subsequently corrupt the cache to overwrite an entry such that it forwards all IMAP traffic to an attacker-controlled server, including the targeted user’s credentials in cleartext.
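The root cause described above is a classic CRLF injection into a line-oriented protocol. The following added example (not code from Zimbra or SonarSource; the key format `route:imap:<user>` and the sample values are constructed for illustration) shows the vulnerable pattern of interpolating an unvalidated username into a Memcached text-protocol request, a minimal line-oriented parser that demonstrates how one lookup becomes two commands, and the hardened builder that rejects control and whitespace characters before the key is ever sent.

```python
import re

# Memcached text-protocol keys may not contain whitespace or control
# characters and are limited to 250 bytes; enforce that on untrusted input.
MEMCACHED_MAX_KEY = 250
_KEY_RE = re.compile(r"^[\x21-\x7e]+$")  # printable ASCII, no space/CR/LF


def build_route_lookup_unsafe(username: str) -> bytes:
    """Vulnerable pattern: untrusted input embedded without validation."""
    return f"get route:imap:{username}\r\n".encode()


def build_route_lookup_safe(username: str) -> bytes:
    """Hardened pattern: refuse anything that is not a single valid key."""
    key = f"route:imap:{username}"
    if len(key) > MEMCACHED_MAX_KEY or not _KEY_RE.match(key):
        raise ValueError("invalid Memcached key: control/whitespace characters")
    return f"get {key}\r\n".encode()


def lookup_is_rejected(username: str) -> bool:
    """True if the hardened builder refuses this username."""
    try:
        build_route_lookup_safe(username)
    except ValueError:
        return True
    return False


def parse_commands(request: bytes) -> list:
    """Split a request the way a line-oriented server does.

    Returns (command, key) tuples; a 'set' consumes the following data line.
    """
    cmds, lines, i = [], request.split(b"\r\n"), 0
    while i < len(lines):
        parts = lines[i].split()
        if not parts:
            i += 1
            continue
        cmd = parts[0].decode()
        key = parts[1].decode() if len(parts) > 1 else ""
        cmds.append((cmd, key))
        i += 2 if (cmd == "set" and len(parts) >= 5) else 1  # skip data block
    return cmds
```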
That said, the attack presupposes that the adversary already has the victims’ email addresses in order to poison the cache entries, and that the victims use an IMAP client to retrieve email from the mail server.
“Typically, an organization uses a pattern for email addresses for their members, such as e.g., [email protected],” the researchers said. “A list of email addresses could be obtained from OSINT sources such as LinkedIn.”
A threat actor, however, can get around these limitations by exploiting a technique known as response smuggling, which involves “smuggling” unauthorized HTTP responses that abuse the CRLF injection flaw to forward IMAP traffic to a rogue server, thereby stealing credentials from users without prior knowledge of their email addresses.
“The idea is that by continuously injecting more responses than there are work items into the shared response streams of Memcached, we can force random Memcached lookups to use injected responses instead of the correct response,” the researchers explained. “This works because Zimbra did not validate the key of the Memcached response when consuming it.”
Following responsible disclosure on March 11, 2022, patches to fully plug the security hole were shipped by Zimbra on May 10, 2022, in versions 8.8.15 P31.1 and 9.0.0 P24.1.
The findings come months after cybersecurity firm Volexity disclosed an espionage campaign dubbed EmailThief that weaponized a zero-day vulnerability in the email platform to target European government and media entities in the wild.
Some parts of this article are sourced from:
thehackernews.com