Researchers from Sonarsource have discovered a high-severity vulnerability impacting the Zimbra email suite, tracked as CVE-2022-27924 (CVSS score: 7.5), that can be exploited by an unauthenticated attacker to steal login credentials of users without user interaction.
“Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance. These memcache commands become unescaped, causing an overwrite of arbitrary cached entries.” reads the advisory published by NIST.
Once they have obtained the login credentials, attackers can access the victims’ mailboxes and potentially escalate their access within the targeted organizations.
“With mail access, attackers can reset passwords, impersonate their victims, and silently read all private conversations within the targeted company.” reads the advisory published by Sonarsource.
Experts explained that Zimbra’s Reverse Proxy makes an HTTP request to the Zimbra Lookup Service for every connection it receives, before forwarding the traffic to the correct backend service.
The result of that HTTP request is cached per user in a Memcached instance to improve performance. This means that before making the HTTP request to the Lookup Service, the cache is checked for an existing route; if a cache entry exists, the Lookup request is skipped.
Memcached server stores key/value pairs that can be set and retrieved with a simple text-based protocol.
The root cause of the Memcache Injection vulnerability in Zimbra is that “newline characters (\r\n) are not escaped in untrusted user input.”
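The following Python example, added here and not taken from Zimbra or from Sonar’s analysis, shows the root cause in miniature: a memcached `get` line built by concatenating untrusted input beside a hardened version that validates the key against the text protocol’s own rules (at most 250 bytes, no whitespace or control characters). The `route:` key prefix, the function names and the sample usernames are assumptions made for the example.

```python
import re

# Memcached's text protocol terminates each command with CRLF and restricts
# keys to at most 250 bytes with no whitespace or control characters. The
# allowlist below is stricter still (printable ASCII only), a defensive
# choice for keys derived from untrusted input.
MAX_KEY_LEN = 250
_SAFE_KEY = re.compile(rb"\A[\x21-\x7e]{1,%d}\Z" % MAX_KEY_LEN)

# Hypothetical key prefix for this example, not Zimbra's own cache layout.
KEY_PREFIX = b"route:"


class InvalidKeyError(ValueError):
    """Raised when untrusted input cannot be used as a memcached key."""


def build_get_unsafe(user_part: str) -> bytes:
    """The vulnerable pattern: untrusted input is concatenated into the
    protocol line with no validation. A CR/LF inside user_part ends the
    'get' command early and the remainder is parsed as further commands."""
    return b"get " + KEY_PREFIX + user_part.encode("utf-8", "surrogateescape") + b"\r\n"


def validate_key(key: bytes) -> bytes:
    """Reject any key that is too long or contains bytes outside the
    printable-ASCII allowlist (which excludes \\r, \\n, space and NUL)."""
    if not _SAFE_KEY.fullmatch(key):
        raise InvalidKeyError(f"unsafe memcached key: {key!r}")
    return key


def build_get_safe(user_part: str) -> bytes:
    """Hardened form: validate the complete key before it reaches the wire."""
    key = validate_key(KEY_PREFIX + user_part.encode("utf-8", "surrogateescape"))
    return b"get " + key + b"\r\n"


def parse_command_names(payload: bytes) -> list[str]:
    """Return the command names memcached would see in this payload. Used here
    to show how many commands a single 'get' actually turned into."""
    names = []
    for line in payload.split(b"\n"):
        line = line.rstrip(b"\r")
        if line:
            names.append(line.split(b" ", 1)[0].decode("ascii", "replace"))
    return names


if __name__ == "__main__":
    # Constructed inputs: a normal username and one carrying an injected line.
    benign = "alice@example.com"
    injected = "alice@example.com\r\nstats"

    print(parse_command_names(build_get_unsafe(benign)))    # ['get']
    print(parse_command_names(build_get_unsafe(injected)))  # ['get', 'stats']
    try:
        build_get_safe(injected)
    except InvalidKeyError as e:
        print("rejected:", e)
```

The allowlist approach is preferable to escaping because memcached’s text protocol has no escape sequence for keys: a key that cannot be represented safely has to be rejected (or hashed to a fixed-alphabet digest) rather than rewritten.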
The researchers published a video PoC that demonstrates how an unauthenticated attacker can steal the password of a known user of a targeted instance. The vulnerability is triggered the next time the victim uses a mail client to connect to the Zimbra server of a target organization.
Threat actors who know the victims’ email addresses can overwrite an entry in the cache to forward all IMAP traffic to an attacker-controlled server, including the cleartext credentials of a targeted user.
“The first strategy requires the attacker to know the email address of victims to be able to steal their login credentials.” continues the analysis. “Typically, an organization uses a pattern for email addresses for their members, such as e.g., {firstname}.{lastname}@example.com. A list of email addresses could be obtained from OSINT sources such as LinkedIn.”
In an alternative attack scenario, attackers exploit “Response Smuggling” to bypass the restrictions imposed by the first strategy and steal cleartext credentials from any vulnerable Zimbra instance.
The response smuggling technique consists of manipulating and injecting malicious content, in the form of hidden unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., server).
Attackers can steal users’ credentials by smuggling unauthorized HTTP responses that abuse the CRLF injection flaw to forward IMAP traffic to a rogue server, even without the knowledge of their email addresses.