Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Tuesday, 31 January, 2023
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

New Zimbra Bug Allows Data Stealing With No User Interaction

A patch was released earlier this week to fix the problem, but was found to be insufficient.

by Guru Writer
June 16, 2022
in Cyber Bites
Computer screen
Share on FacebookShare on Twitter

Technical details have emerged about a vulnerability affecting certain versions of the Zimbra email solution that hackers could exploit to steal logins without user interaction or authentication.

The security issue is currently being tracked as CVE-2022-27924 and impacts Zimbra releases 8.8x and 9.x for both open-source and commercial versions of the platform.

Since the 10th May, a fix has been published and made available in Zimbra versions ZCS 9.0.0 Patch 24.1 and ZCS 8.8.15 Patch 31.1. Zimbra is frequently used by organisations around the world that handle sensitive data, including those in government, educational, and financial sectors.

A report has been written, describing the flaw, by researchers at SonarSource. They summarised it as “Memcached poisoning with an unauthenticated request.” Exploitation is possible via a CRLF injection into the username of Memcached lookups.

Memcached is an internal-service instance that stores key/value pairs for email accounts to improve Zimbra’s performance by reducing the number of HTTP requests to the Lookup Service. The service sets up and retrieves those pairs using a simple text-based protocol.

According to the researchers, a malicious actor could overwrite the IMAP route entries for a known username via a specially crafted HTTP request to the vulnerable Zimbra instance. When the real user logs in, the Nginx Proxy in Zimbra would forward all IMAP traffic to the attacker. This information would include credentials.

The report says: “usually, Mail clients such as Thunderbird, Microsoft Outlook, the macOS Mail app, and Smartphone mail apps store the credentials that the user used to connect to their IMAP server on disk.”

“When the Mail client restarts or needs to re-connect, which can happen periodically, it will re-authenticate itself to the targeted Zimbra instance.”

Whilst there are ways to exploit the vulnerability without them, knowing email addresses and IMAP clients allows exploitation of the vulnerability to occur more easily.

Another exploitation technique allows bypassing the above step to steal credentials for any user with no interaction and without any knowledge about the Zimbra instance.

This is achieved through “response smuggling,” that leverages the use of a web-based client for Zimbra.

This way, an attacker could hijack the proxy connection of random users whose email addresses are unknown, generating no alert or requiring any interaction from the victim.

The findings were disclosed by Zimbra on 11th March 2022 by SonarSource. Although insufficient to fix the issue, a first patch was released on March 31st.

On 10th May, SonarSource addressed the issues via ZCS 9.0.0 Patch 24.1 and ZCS 8.8.15 Patch 31.1, by creating an SHA-256 hash of all the Memcache keys before being sent to the server.

No new lines can be created for the CRLF injection because SHA-256 cannot contain whitespaces. Similarly, no poisoning attacks can take place on the patched versions.

Zimbra released ZCS 9.0.0 Patch 25 and ZCS 8.8.15 Patch 31 updates earlier this week with an update to OpenSSL 1.1.1n. Tracked as CVE-2022-0778, this addresses an infinite loop vulnerability causing a denial of service.

FacebookTweetLinkedIn
ShareTweetShare
Previous Post

Obrela sponsors open-source Commix project

Next Post

Microsoft Patch Fixes Follina Bug

Recent News

JD Sports admits data breach

JD Sports admits data breach

January 31, 2023
Acronis seals cyber protection partnership with Fulham FC

Acronis seals cyber protection partnership with Fulham FC

January 30, 2023
Data Privacy Day: Securing your data with a password manager

Data Privacy Day: Securing your data with a password manager

January 27, 2023
#MIWIC2022: Carole Embling, Metro Bank

#MIWIC2022: Carole Embling, Metro Bank

January 26, 2023

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information