Zimbra business email platform fixes memcached injection flaw that compromises user credentials


Adam Bannister Jun 16, 2022 at 11:04 UTC

Updated: Jun 16, 2022 15:09 UTC

Attackers could also gain access to various internal services, researcher warns

A memcached injection vulnerability in enterprise webmail platform Zimbra could allow attackers to steal login credentials without user interaction, security researchers have revealed.

Zimbra, an open-source alternative to mail servers and collaboration services including Microsoft Exchange, is used by more than 200,000 businesses and more than 1,000 government and financial institutions worldwide, according to its developer, Synacor.

Simon Scannell, a vulnerability researcher at Swiss security firm Sonar (formerly SonarSource), documented how unauthenticated attackers could poison an unsuspecting victim’s cache.

The vulnerability allows an attacker to steal clear-text credentials from a Zimbra instance when the email client connects to the Zimbra server, as shown in the following proof-of-concept video:

Because newline characters were not escaped in untrusted user input, attackers could inject arbitrary memcached commands into a targeted instance and overwrite arbitrary cache entries.

Memcached servers store key/value pairs that can be set and retrieved with a simple textual protocol and interpret incoming data line by line.

Risk of escalation

Zimbra users have been urged to upgrade their installations immediately, given the potential impact of successful exploitation.


The severity of the vulnerability (CVE-2022-27924) is listed as “high” (CVSS 7.5) rather than “critical”, but once a mailbox is hacked, “attackers can potentially gain access to targeted organizations, gain access to various internal services and steal highly sensitive information,” Scannell warned.

“With Mail Access, attackers can reset passwords, impersonate their victims, and silently read all private conversations within the targeted company.”

Continuous injections

Attackers could poison victims’ Internet Message Access Protocol (IMAP) routing cache entries by knowing the victim’s email address – a fairly easy task with OSINT methods – but the researchers also successfully used response smuggling to steal clear-text credentials without first knowing the victims’ email addresses.

“By continually injecting more responses than there are work items into Memcached’s shared response streams, we can force random Memcached searches to use injected responses instead of the correct response,” explained Scannell.

“This works because Zimbra did not validate the Memcached response key when it was consumed. By exploiting this behavior, we can hijack the proxy connection of random users connecting to our IMAP server without having to know their email addresses.”

Hold the newline

The flaw affects both open source and commercial versions of Zimbra in their default configurations.

The vulnerabilities were reported on March 11, and an initial patch, released on March 31, did not properly fix the issue. The fully patched versions are 8.8.15 with patch level 31.1 and 9.0.0 with patch level 24.1.


“Zimbra patched the vulnerability by creating a SHA-256 hash of all Memcache keys before sending them to the Memcache server,” Scannell said. “As the hexadecimal string representation of a SHA-256 cannot contain spaces, newlines can no longer be injected.”
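The two mechanisms the article describes, a line-oriented memcached text protocol that turns an unescaped newline in a key into a second command, and the fix of sending a SHA-256 hex digest instead of the raw key, can be modelled in a few lines of Python. The following is an added illustration, not code from the article, from Sonar or from Zimbra; the `route:proto=imap;user=` key layout, the `split_into_commands` model of the server and the tainted sample input are constructed assumptions.

```python
import hashlib
import re

# Model of how a memcached text-protocol server consumes its input stream:
# each CRLF-terminated line is one command (constructed simplification).
def split_into_commands(raw: bytes) -> list:
    return [line.decode() for line in raw.split(b"\r\n") if line]

# Assumed key layout for an IMAP routing entry (not Zimbra's real format).
def route_key_unsafe(user: str) -> str:
    # Vulnerable pattern: untrusted input concatenated into the key verbatim,
    # so a CR/LF inside `user` ends the command early.
    return f"route:proto=imap;user={user}"

def route_key_hashed(user: str) -> str:
    # Hardened pattern matching the fix described above: hash the full key and
    # send the hex digest, whose alphabet [0-9a-f] cannot carry a newline.
    return hashlib.sha256(route_key_unsafe(user).encode()).hexdigest()

# memcached keys may not contain whitespace or control characters and are
# limited to 250 bytes; this check is a defensive gate a client can apply
# before writing anything to the socket.
MEMCACHED_KEY_FORBIDDEN = re.compile(r"[\x00-\x20\x7f]")

def key_is_safe(key: str) -> bool:
    return len(key.encode()) <= 250 and not MEMCACHED_KEY_FORBIDDEN.search(key)

def build_get(key: str) -> bytes:
    # The single GET command the client intends to send.
    return f"get {key}\r\n".encode()

# Constructed tainted input: a username carrying an embedded CRLF plus an
# extra line, standing in for whatever text an attacker would smuggle.
TAINTED_USER = "alice@example.test\r\ninjected line"

if __name__ == "__main__":
    for label, key in (("unsafe", route_key_unsafe(TAINTED_USER)),
                       ("hashed", route_key_hashed(TAINTED_USER))):
        cmds = split_into_commands(build_get(key))
        print(f"{label}: key_is_safe={key_is_safe(key)} "
              f"commands_seen_by_server={len(cmds)}")
```

Run stand-alone, the unsafe key fails `key_is_safe` and the server-side model sees two commands where the client meant to send one; the hashed key passes the check and yields exactly one command. The regex gate is the cheap control a client library should apply regardless of hashing, since it catches the same class of defect for any other key builder in the code base.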

Sonar revealed the flaw on June 14.

Scannell concluded his article by observing that cross-site scripting (XSS) and SQL injection flaws resulting from a lack of input escaping “have been well known and documented for decades”, but that “other injection vulnerabilities can occur that are less well known and can have a critical impact”.

Accordingly, Scannell recommends that developers “be aware of the special characters that need to be escaped when dealing with technology where there is less documentation and research on potential vulnerabilities.”

The vulnerability emerged four months after Zimbra released a patch for an XSS flaw whose abuse has underpinned a series of sophisticated spear phishing campaigns linked to a previously unknown Chinese threat group.

Sonar also discovered a pair of Zimbra vulnerabilities last year that, if combined, allowed unauthenticated attackers to take control of Zimbra servers.

