Hackers are Actively Exploiting Password-stealing Flaw in Zimbra
The Cybersecurity and Infrastructure Security Agency (CISA) has added the Zimbra CVE-2022-27824 flaw to its ‘Known Exploited Vulnerabilities Catalog,’ indicating that it is actively exploited in attacks by hackers.
This high-severity vulnerability allows an unauthenticated attacker to steal email account credentials in cleartext form from Zimbra Collaboration instances without user interaction.
In short, a hacker can perform Memcache poisoning via CRLF injection and trick the software into forwarding all IMAP traffic to the attacker when legitimate users attempt to log in.
SonarSource researchers discovered the flaw on March 11, 2022, and the software vendor released a fix that addressed the issues on May 10, 2022, with versions ZCS 9.0.0 Patch 24.1 and ZCS 8.8.15 Patch 31.1.
The technical report that accompanied SonarSource’s disclosure was quite comprehensive, and since it was published over a month after the fixes were made available, it gives hackers many pointers on how to exploit the flaw.
However, as it becomes evident from CISA’s latest catalog addition, not all administrators have applied the security updates that have been available for nearly three months.
Given this opportunity, hackers now attempt to locate and attack vulnerable instances. Snatching Zimbra account credentials enables them to access the email server, opening up the pathway to spear-phishing, social engineering, and BEC (business email compromise) attacks.
According to the software vendor, Zimbra Collaboration is used by over 200,000 businesses and 1,000 state entities and critical organizations in 140 countries, including the United States.
CISA’s addition of CVE-2022-27824 to the catalog of actively exploited flaws obliges all U.S. Federal agencies to apply the available security updates by August 25, 2022, the deadline set for this entry.
Of course, non-federal agencies and organizations that use Zimbra Collaboration and haven’t updated their products yet should do so immediately, as attacks targeting vulnerable instances are already underway.
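As an added example (not code from the article, SonarSource, or Zimbra), a small version gate that checks a ZCS build against the fixed levels named above, ZCS 8.8.15 Patch 31.1 and ZCS 9.0.0 Patch 24.1. It assumes version strings written in the article's "<release> Patch <n>[.<m>]" form; mapping the output of the real zmcontrol tool onto that form is left to the caller.

```python
import re

# Minimum patched level per release line, as given in the article.
FIXED = {
    (8, 8, 15): (31, 1),
    (9, 0, 0): (24, 1),
}

_VERSION_RE = re.compile(
    r"^\s*(?:ZCS\s+)?(\d+)\.(\d+)\.(\d+)\s*(?:Patch|P)\s*(\d+)(?:\.(\d+))?\s*$",
    re.IGNORECASE,
)

def parse_version(text):
    """Return ((major, minor, micro), (patch, subpatch)) or raise ValueError."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ZCS version string: {text!r}")
    release = tuple(int(x) for x in m.group(1, 2, 3))
    patch = (int(m.group(4)), int(m.group(5) or 0))  # "Patch 24" -> (24, 0)
    return release, patch

def is_patched(text):
    """True if the build is at or above the fix level for its release line.
    Release lines the article gives no fix level for (e.g. older 8.x) are
    reported as unpatched, since nothing on the page says they are safe."""
    release, patch = parse_version(text)
    fixed = FIXED.get(release)
    if fixed is None:
        return False
    return patch >= fixed  # tuple comparison: (24, 1) > (24, 0)

def triage(version_strings):
    """Split an inventory of version strings into patched / needs-update lists."""
    patched, vulnerable = [], []
    for v in version_strings:
        (patched if is_patched(v) else vulnerable).append(v)
    return patched, vulnerable

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = ["ZCS 9.0.0 Patch 24.1", "9.0.0 P24", "8.8.15 Patch 31.1",
                 "8.8.15 Patch 30", "8.7.11 Patch 10"]
    ok, todo = triage(inventory)
    print("patched:", ok)
    print("needs update:", todo)
```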