Zimbra Email Flaw Let Attackers Steal Credentials via Memcache Injection

Zimbra, one of the leading email collaboration platforms, has been found to contain a critical vulnerability. Successful exploitation could allow an attacker to obtain users' cleartext passwords without any interaction from the victims.

Zimbra, which is used by over 200,000 businesses, universities, financial organizations, and government institutions around the world, lets users read and send private email by signing in to their Zimbra accounts.

Here is what the cybersecurity analysts at the security firm Sonar stated:

“With the consequent access to the victims’ mailboxes, attackers can potentially escalate their access to targeted organizations and gain access to various internal services and steal highly sensitive information. With mail access, attackers can reset passwords, impersonate their victims, and silently read all private conversations within the targeted company.”

Flaw Profile

  • CVE ID: CVE-2022-27924
  • Description: Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance. These memcache commands become unescaped, causing an overwrite of arbitrary cached entries.
  • Base Score: 7.5
  • Severity: HIGH

Effect

Threat actors can exploit this flaw to inject malicious Memcached commands, steal sensitive information, and intercept traffic.

The attack poisons the Memcached entries that Zimbra uses to look up users and forward their HTTP requests to the relevant backend services. This is possible because those entries hold the Zimbra route lookups.

An attacker can exploit the vulnerability by sending the server a specially crafted lookup request that contains CRLF characters.

The root cause is that Memcached parses incoming requests line by line, so injected line breaks cause the server to execute unintended commands.

An attacker with this capability can corrupt the cache, delete entries, and corrupt the database. In this way, an attacker can intercept all IMAP traffic and retrieve cleartext credentials for the targeted user.

Zimbra patched the vulnerability using SHA-256 hashing. A SHA-256 digest is represented only as a hex string, so it is impossible to insert newlines into that hex-string representation.
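To make the root cause and the fix concrete, here is an added Python example (not Zimbra's code) that contrasts a memcached route lookup embedding the username verbatim with one keyed on the username's SHA-256 hex digest; the key prefix and the sample username are constructed for illustration.

```python
import hashlib
import re

# Constructed key prefix for illustration; Zimbra's real route-cache key format is not shown here.
ROUTE_KEY_PREFIX = "route:proto=imap;user="

def vulnerable_lookup(username: str) -> bytes:
    """Build a memcached 'get' for the route entry with the username embedded verbatim.

    A CR/LF inside the username terminates the 'get' line early, and whatever follows
    is parsed by memcached as a second command (the injection described above)."""
    return f"get {ROUTE_KEY_PREFIX}{username}\r\n".encode()

def hardened_key(username: str) -> str:
    """SHA-256 hex digest of the username, mirroring the fix's approach. A hex string is
    drawn from [0-9a-f] only, so no newline or other control byte can survive into the key."""
    return hashlib.sha256(username.encode()).hexdigest()

def hardened_lookup(username: str) -> bytes:
    return f"get {ROUTE_KEY_PREFIX}{hardened_key(username)}\r\n".encode()

def count_commands(request: bytes) -> int:
    """Number of commands memcached would see: it reads one CRLF-terminated line at a time."""
    return sum(1 for line in request.split(b"\r\n") if line)

# Memcached text-protocol keys: at most 250 bytes, no whitespace or control characters.
_SAFE_KEY = re.compile(r"[^\s\x00-\x1f\x7f]+")

def is_safe_key(key: str) -> bool:
    """Defensive check to apply before any user-derived value reaches a memcached command."""
    return len(key.encode()) <= 250 and _SAFE_KEY.fullmatch(key) is not None

if __name__ == "__main__":
    # Constructed sample: a login name carrying an embedded CRLF followed by a harmless second line.
    crafted = "alice\r\nstats"
    print(count_commands(vulnerable_lookup(crafted)))  # 2: the lookup plus an injected command
    print(count_commands(hardened_lookup(crafted)))    # 1: the digest cannot contain a line break
    print(is_safe_key(crafted), is_safe_key(hardened_key(crafted)))  # False True
```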

Here are the fixed versions:

  • 8.8.15 with Patch level 31.1
  • 9.0.0 with Patch level 24.1

Moreover, researchers from the cybersecurity company Volexity reported on the Email Thief espionage campaign months before this research was published.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.