Technical details have emerged about a vulnerability affecting certain versions of the Zimbra email solution that hackers could exploit to steal logins without user interaction or authentication.
The security issue is currently being tracked as CVE-2022-27924 and impacts Zimbra releases 8.8x and 9.x for both open-source and commercial versions of the platform.
Since the 10th May, a fix has been published and made available in Zimbra versions ZCS 9.0.0 Patch 24.1 and ZCS 8.8.15 Patch 31.1. Zimbra is frequently used by organisations around the world that handle sensitive data, including those in government, educational, and financial sectors.
A report has been written, describing the flaw, by researchers at SonarSource. They summarised it as “Memcached poisoning with an unauthenticated request.” Exploitation is possible via a CRLF injection into the username of Memcached lookups.
Memcached is an internal-service instance that stores key/value pairs for email accounts to improve Zimbra’s performance by reducing the number of HTTP requests to the Lookup Service. The service sets up and retrieves those pairs using a simple text-based protocol.
According to the researchers, a malicious actor could overwrite the IMAP route entries for a known username via a specially crafted HTTP request to the vulnerable Zimbra instance. When the real user logs in, the Nginx Proxy in Zimbra would forward all IMAP traffic to the attacker. This information would include credentials.
The report says: “usually, Mail clients such as Thunderbird, Microsoft Outlook, the macOS Mail app, and Smartphone mail apps store the credentials that the user used to connect to their IMAP server on disk.”
“When the Mail client restarts or needs to re-connect, which can happen periodically, it will re-authenticate itself to the targeted Zimbra instance.”
Whilst there are ways to exploit the vulnerability without them, knowing email addresses and IMAP clients allows exploitation of the vulnerability to occur more easily.
Another exploitation technique allows bypassing the above step to steal credentials for any user with no interaction and without any knowledge about the Zimbra instance.
This is achieved through “response smuggling,” that leverages the use of a web-based client for Zimbra.
This way, an attacker could hijack the proxy connection of random users whose email addresses are unknown, generating no alert or requiring any interaction from the victim.
The findings were disclosed by Zimbra on 11th March 2022 by SonarSource. Although insufficient to fix the issue, a first patch was released on March 31st.
On 10th May, SonarSource addressed the issues via ZCS 9.0.0 Patch 24.1 and ZCS 8.8.15 Patch 31.1, by creating an SHA-256 hash of all the Memcache keys before being sent to the server.
No new lines can be created for the CRLF injection because SHA-256 cannot contain whitespaces. Similarly, no poisoning attacks can take place on the patched versions.
Zimbra released ZCS 9.0.0 Patch 25 and ZCS 8.8.15 Patch 31 updates earlier this week with an update to OpenSSL 1.1.1n. Tracked as CVE-2022-0778, this addresses an infinite loop vulnerability causing a denial of service.
