New email vulnerability in Zimbra allows attackers to steal your credentials


A new high-severity vulnerability has been disclosed in Zimbra’s email suite that, if successfully exploited, could allow an unauthenticated attacker to steal cleartext user passwords without any user interaction.

“With the resulting access to victims’ mailboxes, attackers could potentially escalate their access to targeted organizations and gain access to various internal services and steal highly sensitive information,” SonarSource said in a report shared with The Hacker News.

Tracked as CVE-2022-27924 (CVSS score: 7.5), the issue has been characterized as a case of “Memcached poisoning with unauthenticated request”, leading to a scenario where an adversary can inject malicious commands and siphon sensitive information.

This is made possible by the IMAP route cache entries in the Memcached server used to look up Zimbra users and forward their HTTP requests to the appropriate backend services.

Since Memcached parses incoming requests line by line, the vulnerability could allow an attacker to send a specially crafted lookup request to the server containing CRLF characters, causing the server to execute unintended commands.

The flaw exists because “newline characters (\r\n) are not escaped in untrusted user input,” the researchers explained. “This code flaw ultimately allows attackers to steal plain text data from users of targeted Zimbra instances.”

Armed with this capability, the attacker can then corrupt the cache to overwrite an entry so that all IMAP traffic is forwarded to an attacker-controlled server, including the target user’s credentials in plaintext.

That said, the attack assumes that the adversary already has the victims’ email addresses in order to poison the cache entries and that they use an IMAP client to retrieve email messages from a mail server.

“Normally, an organization uses a pattern for email addresses for their members, such as {firstname}.{lastname},” the researchers said. “A list of email addresses could be obtained from OSINT sources such as LinkedIn.”

However, a threat actor can circumvent these limitations by using a technique called response smuggling, which involves “smuggling” unauthorized HTTP responses that exploit the CRLF injection flaw to forward IMAP traffic to a rogue server, thereby stealing user credentials without prior knowledge of their email addresses.

“The idea is that by continuously injecting more responses than there are work items into Memcached’s shared response streams, we can force arbitrary Memcached lookups to use injected responses instead of the correct response,” the researchers explained. “This works because Zimbra didn’t validate the key of the Memcached answer when consuming it.”
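The two defensive checks the report points at, written here as an added Python illustration against Memcached’s text protocol (this is not code from SonarSource or from Zimbra): reject a lookup key containing CRLF or any other control character before it is embedded in a command, and refuse a reply whose key does not match the key that was requested. The `route:` key prefix and the sample reply are constructed for the example.

```python
import re
from typing import Optional

# Memcached text protocol: a key is at most 250 bytes and may not contain
# whitespace or control characters. If "\r\n" were allowed through, it would
# terminate the command early and whatever follows would be parsed as a
# second command.
_KEY_MAX_BYTES = 250
_FORBIDDEN = re.compile(r"[\x00-\x20\x7f]")


def memcached_key_is_safe(key: str) -> bool:
    """Return True if key can be embedded in a text-protocol command unchanged."""
    return 0 < len(key.encode("utf-8")) <= _KEY_MAX_BYTES and _FORBIDDEN.search(key) is None


def build_get_command(key: str) -> bytes:
    """Build a single 'get' command, refusing keys that could inject extra lines."""
    if not memcached_key_is_safe(key):
        raise ValueError("unsafe Memcached key")
    return f"get {key}\r\n".encode()


def parse_get_response(raw: bytes, expected_key: str) -> Optional[bytes]:
    """Parse a 'get' reply and return its value only if the key matches the request.

    A consumer that skips the key comparison accepts whichever VALUE block is
    next on the shared connection, which is what lets a smuggled response be
    bound to an unrelated lookup.
    """
    if raw == b"END\r\n":
        return None  # cache miss
    header, _sep, rest = raw.partition(b"\r\n")
    parts = header.split(b" ")
    if len(parts) != 4 or parts[0] != b"VALUE":
        raise ValueError("malformed response header")
    key, size = parts[1].decode("utf-8"), int(parts[3])
    if key != expected_key:
        raise ValueError(f"response key {key!r} does not match request {expected_key!r}")
    body = rest[:size]
    if rest[size:] != b"\r\nEND\r\n":
        raise ValueError("malformed response body")
    return body
```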

Following responsible disclosure on March 11, 2022, Zimbra shipped patches that fully address the vulnerability on May 10, 2022, in versions 8.8.15 P31.1 and 9.0.0 P24.1.

The findings come months after cybersecurity firm Volexity disclosed a spy campaign called EmailThief that weaponized a zero-day vulnerability in the email platform to target European governments and media entities in the wild.