Zimbra Bug Allows Stealing Email Logins with No User Interaction
Technical details have emerged on a high-severity vulnerability affecting certain versions of the Zimbra email solution that hackers could exploit to steal logins without authentication or user interaction.
The security issue is currently tracked as CVE-2022-27924 and impacts Zimbra releases 8.8.x and 9.x for both open-source and the commercial versions of the platform.
A fix has been published in Zimbra versions ZCS 9.0.0 Patch 24.1 and ZCS 8.8.15 Patch 31.1, available since May 10, 2022. Zimbra is often used by organizations worldwide, including those in the government, financial, and educational sectors.
Silently siphoning credentials
The flaw has been described in a report from researchers at SonarSource, who summarized it as “Memcached poisoning with an unauthenticated request.” Exploitation is possible via a CRLF injection into the username of Memcached lookups.
Memcached is an internal-service instance that stores key/value pairs for email accounts to improve Zimbra’s performance by reducing the number of HTTP requests to the Lookup Service. Memcache sets and retrieves those pairs using a simple text-based protocol.
The researchers explain that a malicious actor could overwrite the IMAP route entries for a known username via a specially crafted HTTP request to the vulnerable Zimbra instance. Then, when the real user logs in, the Nginx Proxy in Zimbra would forward all IMAP traffic to the attacker, including the credentials in plain text.
“Usually, Mail clients such as Thunderbird, Microsoft Outlook, the macOS Mail app, and Smartphone mail apps store the credentials that the user used to connect to their IMAP server on disk,” explains SonarSource in the report, highlighting that the exploit doesn’t require any user interaction.
“When the Mail client restarts or needs to re-connect, which can happen periodically, it will re-authenticate itself to the targeted Zimbra instance,” add the researchers.
Knowing the victim’s email address, a piece of information that is typically easy to find, and using an IMAP client allows the attacker to exploit the vulnerability easier but these details are not mandatory.
A second exploitation technique allows bypassing the above restrictions to steal credentials for any user with no interaction and without any knowledge about the Zimbra instance.
This is achieved through “Response Smuggling,” an alternative route that leverages the use of a web-based client for Zimbra.
“The idea is that by continuously injecting more responses than there are work items into the shared response streams of Memcached, we can force random Memcached lookups to use injected responses instead of the correct response. This works because Zimbra did not validate the key of the Memcached response when consuming it.” – SonarSource