Zimbra, an email software suite, is found with a new critical flaw that threat actors can exploit to steal users’ cleartext passwords without requiring interaction with them. According to researchers, the hackers could also escalate their access to an organisation’s networks, allowing them to steal corporate information.
The vulnerability is tracked as CVE-2022-27924 with a CVSS score of 7.5, which researchers described as an instance of ‘Memcached poisoning with an unauthenticated request,’ wherein the threat actors execute malicious commands to exfiltrate data from a compromised server.
To achieve this malicious activity, the threat actors poison an IMAP (Internet Message Access Protocol) route cache entries found in a Memcached server where users search for Zimbra users and send HTTP requests to backend services.
The critical flaw allows the threat actors to send a particularly configured lookup request to the CRLF-based server since the Memcached analyses incoming requests line-by-line. This procedure results in the server executing unwanted commands.
As explained by security experts, the Zimbra email critical flaw existed due to newline characters, \r and \n, not escaping in untrusted user input, allowing the threat actors to steal sensitive cleartext user credentials.
The capability grants the threat actors to easily corrupt the cache and overwrites an entry – forwarding all IMAP traffic and stolen users’ cleartext credentials to their C2 servers. During the attack, it is assumed that the threat actors had already hacked into the victims’ email accounts to poison the cache entries. Moreover, they are also assumed to be using an IMAP client to retrieve email messages from a malicious mail server.
Researchers added that threat actors usually leverage an organisation’s pattern in creating employees’ email addresses, which could be obtained through open-source intelligent sources like the LinkedIn social platform.
Hackers evade similar restrictions by exploiting the HTTP response smuggling technique, wherein they can hijack unauthorised HTTP responses that abuse the CRLF injection flaw in sending the IMAP traffic to their C2 servers. By incessantly executing responses more than the Memcached system holds, random lookups could be forced to use injected responses rather than a proper response.
According to the researchers, the Zimbra email does not validate Memcached keys’ responses when it consumes them. The email firm had released patches to the bugs; however, it was too late since notorious threat groups had already exploited it in espionage campaigns targeting the European government.