
New Zimbra Email Vulnerability Could Let Attackers Steal Your Login Credentials

Zimbra Email Vulnerability

A new high-severity vulnerability has been disclosed in the
Zimbra email suite that, if successfully exploited, enables an
unauthenticated attacker to steal users' cleartext passwords without
any user interaction.

“With the consequent access to the victims’ mailboxes, attackers
can potentially escalate their access to targeted organizations and
gain access to various internal services and steal highly sensitive
information,” SonarSource said[1]
in a report shared with The Hacker News.

Tracked as CVE-2022-27924[2]
(CVSS score: 7.5), the issue has been characterized as a case of
“Memcached poisoning with unauthenticated request,” leading to a
scenario where an adversary can inject malicious commands and
siphon sensitive information.

This is made possible by poisoning the IMAP[3]
route cache entries in the Memcached server that’s used to look up
Zimbra users and forward their HTTP requests to appropriate backend
services.

Given that Memcached parses incoming requests line-by-line, the
vulnerability permits an attacker to send a specially crafted
lookup request to the server containing CRLF characters[4], causing the server to
execute unintended commands.

The flaw exists because “newline characters (\r\n) are not
escaped in untrusted user input,” the researchers explained. “This
code flaw ultimately allows attackers to steal cleartext
credentials from users of targeted Zimbra instances.”

Armed with this capability, the attacker can subsequently
corrupt the cache to overwrite an entry such that it forwards all
IMAP traffic to an attacker-controlled server, including the
targeted user’s credentials in cleartext.
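To make the root cause concrete, the following Python is an added illustration (not code from Zimbra or the SonarSource report): it models how a line-oriented Memcached server splits a request built from an unescaped user-controlled key, and the strict key validation that closes the hole. The `route:` key prefix and the helper names are assumptions for the example.

```python
import re

# Memcached text protocol: one command per CRLF-terminated line. Keys may not
# contain whitespace or control characters and are limited to 250 bytes, so a
# key that passes this check cannot carry an injected second command.
KEY_RE = re.compile(rb"[\x21-\x7e]{1,250}")

# Storage commands are followed by exactly one data line in the text protocol.
STORAGE_VERBS = {b"set", b"add", b"replace", b"append", b"prepend"}


def build_get_naive(route_prefix: bytes, user: str) -> bytes:
    """Vulnerable pattern: untrusted input is concatenated into the key
    without escaping, so CR/LF in the input terminates the 'get' early."""
    return b"get " + route_prefix + user.encode() + b"\r\n"


def build_get_safe(route_prefix: bytes, user: str) -> bytes:
    """Hardened pattern: reject any key that is not a valid Memcached key.
    Since the text protocol has no escape mechanism, rejection (or encoding
    the key before use) is the only safe option."""
    key = route_prefix + user.encode()
    if not KEY_RE.fullmatch(key):
        raise ValueError("invalid memcached key: contains whitespace/control chars or too long")
    return b"get " + key + b"\r\n"


def parse_commands(request: bytes) -> list:
    """Return the command verbs a line-oriented Memcached server would execute
    for this request (data lines following storage commands are skipped)."""
    lines = request.split(b"\r\n")
    verbs, i = [], 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line:
            continue
        verb = line.split(b" ", 1)[0]
        verbs.append(verb)
        if verb in STORAGE_VERBS:
            i += 1  # consume the data block line
    return verbs


if __name__ == "__main__":
    # Constructed sample input: a harmless 'version' command rides on a CRLF.
    tainted = "alice@example.com\r\nversion"
    print(parse_commands(build_get_naive(b"route:", tainted)))  # two commands
    try:
        build_get_safe(b"route:", tainted)
    except ValueError as e:
        print("rejected:", e)
```

Running the block shows the naive builder yielding two executed commands from one lookup, while the validating builder refuses the same input before it reaches the cache.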

That said, the attack presupposes that the adversary already
possesses the victims' email addresses, which are needed to poison
the corresponding cache entries, and that the victims use an IMAP
client to retrieve email messages from the mail server.

“Typically, an organization uses a pattern for email addresses
for their members, such as e.g.,
{firstname}.{lastname}@example.com,” the researchers said. “A list
of email addresses could be obtained from OSINT sources such as
LinkedIn.”

A threat actor, however, can get around these restrictions by
exploiting a technique called response smuggling[5], which entails
“smuggling” unauthorized HTTP responses that abuse the CRLF
injection flaw to forward IMAP traffic to a rogue server, thereby
stealing credentials from users without prior knowledge of their
email addresses.

“The idea is that by continuously injecting more responses than
there are work items into the shared response streams of Memcached,
we can force random Memcached lookups to use injected responses
instead of the correct response,” the researchers explained. “This
works because Zimbra did not validate the key of the Memcached
response when consuming it.”

Following responsible disclosure on March 11, 2022, patches to
completely plug the security hole were shipped[6]
by Zimbra on May 10, 2022, in versions 8.8.15 P31.1[7]
and 9.0.0 P24.1[8].

The findings arrive months after cybersecurity firm Volexity
disclosed an espionage campaign dubbed EmailThief[9]
that weaponized a zero-day vulnerability in the email platform to
target European government and media entities in the wild.

References

  1. said (blog.sonarsource.com)
  2. CVE-2022-27924 (nvd.nist.gov)
  3. IMAP (en.wikipedia.org)
  4. CRLF characters (developer.mozilla.org)
  5. response smuggling (capec.mitre.org)
  6. shipped (blog.zimbra.com)
  7. 8.8.15 P31.1 (wiki.zimbra.com)
  8. 9.0.0 P24.1 (wiki.zimbra.com)
  9. EmailThief (thehackernews.com)