Search This Blog

Showing posts with label Zimbra. Show all posts

Zimbra Memcached Injection Bug Patched

According to SonarSource, an open-source alternative to email servers and collaboration platforms such as Microsoft Exchange. Since May 10, 2022, a patch has been released in Zimbra versions ZCS 9.0.0 Patch 24.1 and ZCS 8.8.15 Patch 31.1. Zimbra is utilized by organizations, governments, and financial institutions throughout the world. 

Unauthenticated attackers might contaminate an unwary victim's cache, according to Simon Scannell, a vulnerability researcher at Swiss security firm Sonar. The vulnerability has been assigned the number CVE-2022-27924 (CVSS: 7.5), and it has been described as a case of "Memcached poisoning with unauthorized access," which might allow an attacker to inject malicious commands and steal sensitive data. 

Since newline characters (\r\n) in untrusted user input were not escaped, attackers were able to inject arbitrary Memcached instructions into a targeted instance, causing cached entries to be overwritten. Memcached servers keep track of key/value pairs that may be created and retrieved using a simple text-based protocol and analyze data line by line. A malicious actor might alter the IMAP route entries for a known username by sending a specially crafted HTTP request to the susceptible Zimbra server, according to the researchers. When the genuine user logs in, the Nginx Proxy in Zimbra will send all IMAP communication, including the credentials in plain text, to the attacker. 

Knowing the victim's email address, and utilizing an IMAP client makes it easier for the attacker to abuse the vulnerability. A second attack technique allows users to circumvent the aforesaid constraints and steal credentials for any user with no involvement or knowledge of the Zimbra instance. This is accomplished through "Response Smuggling," a different approach that makes use of a web-based Zimbra client. Cross-site scripting (XSS) and SQL injection issues caused by a lack of input escaping "are well known and documented for decades," as per Scannell, but "other injection vulnerabilities can occur that are less well known and can have a catastrophic consequence." 

As a result Scannell, advises programmers to "be cautious of special characters that should be escaped when coping with technology where there is less documentation and research regarding potential vulnerabilities." The bug was discovered four months after Zimbra provided a hotfix for an XSS flaw that was exploited in a series of sophisticated spear-phishing efforts attributed to an undisclosed Chinese threat group.

Zero-Day Vulnerability Exploited in Zimbra Email Platform to Spy on Users

 

As part of spear-phishing campaigns that began in December 2021, a threat actor, most likely of Chinese origin, is proactively trying to attack a zero-day vulnerability in the Zimbra open-source email infrastructure. 

In a technical report published last week, cybersecurity firm Volexity described the espionage operation, codenamed "EmailThief," stating that successful exploitation of the cross-site scripting (XSS) vulnerability could lead to the execution of arbitrary JavaScript code in the context of the user's Zimbra session. 

The incursions, which commenced on December 14, 2021, were linked to a previously unknown hacker gang that Volexity is investigating under the moniker TEMP HERETIC, with the attacks focused on European government and media organizations. The zero-day vulnerability affects Zimbra's most recent open-source edition, version 8.8.15. 

The assaults are said to have been carried out in two stages, with the first stage targeted at reconnaissance and the distribution of emails to see if a target had received and opened the messages. Multiple waves of email messages were sent out after that to lure users into clicking on a fraudulent link. The attacker used 74 different Outlook.com email identities to send the messages out over two weeks, with the initial recon emails having generic subject lines ranging from invitations to charity auctions and refunds for airline tickets. 

Steven Adair and Thomas Lancaster noted, "For the attack to be successful, the target would have to visit the attacker's link while logged into the Zimbra webmail client from a web browser. The link itself, however, could be launched from an application to include a thick client, such as Thunderbird or Outlook." 

If exploited, the unpatched vulnerability might be used to exfiltrate cookies, providing constant access to a mailbox, sending phishing messages from the hijacked email account to spread the infection, and even facilitating the installation of new malware. 

The researchers stated, "None of the infrastructure identified […] exactly matches infrastructure used by previously classified threat groups."  

"However, based on the targeted organization and specific individuals of the targeted organization, and given the stolen data would have no financial value, it is likely the attacks were undertaken by a Chinese APT actor." 

Further the company recommended, "Users of Zimbra should consider upgrading to version 9.0.0, as there is currently no secure version of 8.8.15."