Security Advisory - Zimbra Email Vulnerability Lets Attackers Steal Your Login Credentials

Updated: Oct 12, 2023

The Zimbra email suite contains a new high-severity vulnerability that, if successfully exploited, allows an unauthenticated attacker to obtain users' cleartext passwords without any user interaction.

"Attackers can potentially escalate their access to targeted firms and get access to numerous internal systems and steal extremely sensitive information with the consequent access to the victims' emails," SonarSource warned in a report shared with The Hacker News.

The vulnerability is tracked as CVE-2022-27924 (CVSS score: 7.5) and has been described as a case of "Memcached poisoning with an unauthenticated request," which could allow an attacker to inject malicious commands and steal sensitive data.

This is accomplished by poisoning the IMAP route cache entries in the Memcached server, which is used to look up Zimbra users and route their HTTP requests to the proper backend services.

Because Memcached parses incoming requests line by line, an attacker could send a specially crafted lookup request containing CRLF characters to the server, causing it to execute unintended commands.

According to the researchers, the problem exists because "newline characters (\r\n) are not escaped in untrusted user input." They added: "Attackers can collect cleartext credentials from users of targeted Zimbra instances using this coding bug."

With this knowledge, an attacker can corrupt the cache and rewrite an entry, causing all IMAP communication to be forwarded to an attacker-controlled server, including the targeted user's credentials in cleartext.
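The root cause described above is a framing problem: Memcached's text protocol treats every CRLF as the end of a command, so a key built from untrusted input that contains a CRLF becomes more than one command. The following is an added example, not Zimbra's or Memcached's own code, contrasting a naive lookup builder with one that validates the key before it is placed into the protocol (the 250-byte limit and the ban on whitespace and control characters are Memcached's documented key rules; the route-key layout and the sample inputs are constructed for illustration):

```python
"""Added example: building a Memcached text-protocol 'get' from untrusted input.

Contrasts the bug class in the article (unescaped newlines in a key) with a
hardened builder that refuses any key capable of changing protocol framing.
"""
import re

# Memcached key rules: no whitespace or control characters, at most 250 bytes.
MAX_KEY_LEN = 250
_FORBIDDEN = re.compile(r"[\x00-\x20\x7f]")


def naive_get_command(key: str) -> bytes:
    """Concatenates the key unchecked; a CRLF inside it splits the request."""
    return f"get {key}\r\n".encode("utf-8")


def safe_memcached_key(key: str) -> str:
    """Returns the key unchanged if it is a valid single-token Memcached key."""
    if not key:
        raise ValueError("empty key")
    if _FORBIDDEN.search(key):
        raise ValueError("key contains whitespace or control characters")
    if len(key.encode("utf-8")) > MAX_KEY_LEN:
        raise ValueError(f"key exceeds {MAX_KEY_LEN} bytes")
    return key


def safe_get_command(key: str) -> bytes:
    """Same request as naive_get_command, but only for a validated key."""
    return f"get {safe_memcached_key(key)}\r\n".encode("utf-8")


def is_rejected(key: str) -> bool:
    """True if the hardened builder refuses the key."""
    try:
        safe_memcached_key(key)
    except ValueError:
        return False or True
    return False


def protocol_lines(request: bytes) -> int:
    """Number of CRLF-terminated lines Memcached would parse from the request.

    A single lookup must always produce exactly one line; anything else means
    the untrusted input has altered the protocol framing.
    """
    return request.count(b"\r\n")


# Constructed sample inputs (hypothetical route-key layout, not Zimbra's):
BENIGN_KEY = "route:proto=imap;user=alice@example.com"
TAINTED_KEY = "alice@example.com\r\nversion"   # embedded CRLF, then a 2nd line


if __name__ == "__main__":
    print(protocol_lines(naive_get_command(BENIGN_KEY)))    # 1
    print(protocol_lines(naive_get_command(TAINTED_KEY)))   # 2: framing broken
    print(is_rejected(TAINTED_KEY))                         # True
```

The check belongs at the boundary where user-controlled data (here, an e-mail address taken from a request) is turned into a cache key; rejecting rather than stripping the offending characters keeps the key unambiguous and makes the attempt visible in logs.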

That said, the attack presupposes that the adversary already knows the victims' email addresses in order to poison the corresponding cache entries, and that the victims use an IMAP client to retrieve messages from the mail server.

"Typically, an organization uses a pattern for email addresses for their members, such as e.g., {firstname}.{lastname}," the researchers said. "A list of email addresses could be obtained from OSINT sources such as LinkedIn."

A threat actor can, however, get around these restrictions by using a technique known as response smuggling, which involves "smuggling" unauthorized HTTP responses that exploit the CRLF injection flaw to redirect IMAP traffic to a rogue server, stealing credentials from users without knowing their email addresses.

"We can induce random Memcached lookups to use injected responses instead of the correct response by continually injecting more responses than there are work items into the shared response streams of Memcached," the researchers noted. "This works because when Zimbra consumed the Memcached response, it didn't validate the key."
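The second weakness the researchers point to is on the consuming side: a client that reads a `VALUE` response off a shared connection without checking that the key in the response is the key it asked for will accept whatever arrives next. The following is an added example, not Zimbra's code, of a minimal parser for a Memcached text-protocol `get` response that refuses a mismatched key; the route-key names and backend address in the sample responses are constructed for illustration:

```python
"""Added example: parsing a Memcached 'get' response with key validation.

Memcached answers a single-key 'get' with either
    VALUE <key> <flags> <bytes>\r\n<data>\r\nEND\r\n
or, on a miss, just 'END\r\n'. The parser below only hands back the data
when <key> equals the key that was requested.
"""
from typing import Optional


class ResponseMismatch(Exception):
    """The response names a key other than the one requested."""


def parse_get_response(requested_key: str, response: bytes) -> Optional[bytes]:
    """Return the cached data for requested_key, or None on a cache miss.

    Raises ResponseMismatch if the VALUE line carries a different key and
    ValueError if the response is malformed.
    """
    if response == b"END\r\n":
        return None
    header, sep, rest = response.partition(b"\r\n")
    if not sep:
        raise ValueError("truncated response header")
    parts = header.split(b" ")
    if len(parts) < 4 or parts[0] != b"VALUE":
        raise ValueError("unexpected response header")
    key = parts[1].decode("utf-8")
    length = int(parts[3])
    data, trailer = rest[:length], rest[length:]
    if trailer != b"\r\nEND\r\n":
        raise ValueError("malformed response body")
    if key != requested_key:
        # This is the check the article says was missing: without it, a
        # response injected into the shared stream is taken at face value.
        raise ResponseMismatch(f"requested {requested_key!r}, got {key!r}")
    return data


def is_mismatch(requested_key: str, response: bytes) -> bool:
    """True if the response would be rejected for naming the wrong key."""
    try:
        parse_get_response(requested_key, response)
    except ResponseMismatch:
        return True
    return False


# Constructed sample responses (hypothetical key names and backend address):
GOOD = b"VALUE route:alice 0 22\r\nmailbox-1.internal:143\r\nEND\r\n"
WRONG_KEY = b"VALUE route:bob 0 22\r\nmailbox-1.internal:143\r\nEND\r\n"
MISS = b"END\r\n"


if __name__ == "__main__":
    print(parse_get_response("route:alice", GOOD))   # b'mailbox-1.internal:143'
    print(parse_get_response("route:alice", MISS))   # None
    print(is_mismatch("route:alice", WRONG_KEY))     # True
```

Treating a key mismatch as a hard error rather than a cache miss matters: it both prevents the wrong route from being used and gives operators a distinct event to alert on, since a correctly behaving Memcached never returns a key that was not requested.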

Zimbra released updates to entirely close the security flaw on May 10, 2022, in versions 8.8.15 P31.1 and 9.0.0 P24.1, following a responsible disclosure on March 11, 2022.

The results come months after cybersecurity firm Volexity revealed EmailThief, an espionage campaign that used a zero-day vulnerability in the email platform to target European government and media organizations in the wild.


bottom of page