Attackers could also potentially gain access to various internal services, researcher warns
A memcached injection vulnerability in business webmail platform Zimbra could allow attackers to steal login credentials without user interaction, security researchers have revealed.
Zimbra, an open source alternative to email server and collaboration services including Microsoft Exchange, is used by more than 200,000 businesses and more than 1,000 government and financial institutions worldwide, according to its developer, Synacor.
Simon Scannell, vulnerability researcher at Swiss security firm Sonar (formerly SonarSource), has documented how unauthenticated attackers could poison an unsuspecting victim’s cache.
The vulnerability makes it possible to steal cleartext credentials from the Zimbra instance, when the mail client connects to the Zimbra server, as demonstrated in the following proof-of-concept video:
Because newline characters (\r\n) were not escaped in untrusted user input, attackers could inject arbitrary memcached commands into a targeted instance and trigger an overwrite of arbitrary cached entries.
Memcached servers store key/value pairs that can be set and retrieved with a simple text-based protocol and interpret incoming data line by line.
Zimbra users have been urged to upgrade their installations immediately, given the potential impact of successful exploitation.
The severity of the vulnerability (CVE-2022-27924) is listed as ‘high’ (CVSS 7.5) rather than ‘critical’, but once a mailbox is breached, “attackers can potentially escalate their access to targeted organizations and gain access to various internal services and steal highly sensitive information”, Scannell warned.
“With mail access, attackers can reset passwords, impersonate their victims, and silently read all private conversations within the targeted company.”
Attackers could poison victims’ IMAP (Internet Message Access Protocol) route cache entries by ascertaining the victim’s email address – an easy enough task with OSINT methods – but the researchers also successfully deployed response smuggling to steal cleartext credentials without first obtaining this information.
“By continuously injecting more responses than there are work items into the shared response streams of Memcached, we can force random Memcached lookups to use injected responses instead of the correct response,” explained Scannell.
“This works because Zimbra did not validate the key of the Memcached response when consuming it. By exploiting this behavior, we can hijack the proxy connection of random users connecting to our IMAP server without having to know their email addresses.”
Holding the newline
The flaw affects both open source and commercial versions of Zimbra in their default configurations.
The vulnerabilities were reported on March 11 and an initial fix, released on March 31, failed to properly address the issue. The comprehensively patched versions are 8.8.15 with patch level 31.1 and 9.0.0 with patch level 24.1.
“Zimbra patched the vulnerability by creating a SHA-256 hash of all Memcache keys before sending them to the Memcache server,” said Scannell. “As the hex-string representation of a SHA-256 can’t contain whitespaces, no new-lines can be injected anymore.”
Sonar disclosed the flaw on June 14.
Scannell concluded his write-up by observing that cross-site scripting (XSS) and SQL injection flaws arising from a lack of input escaping “have been well known and documented for decades”, but that “other injection vulnerabilities can occur that are less known and can have a critical impact”.
As a consequence, Scannell recommends that developers “be aware of special characters that should be escaped when dealing with technology where less documentation and research about potential vulnerabilities exists”.
The vulnerability has emerged four months after Zimbra released a hotfix for an XSS flaw whose abuse underpinned a series of sophisticated spear-phishing campaigns linked to a previously unknown Chinese threat group.
Sonar also discovered a pair of Zimbra vulnerabilities last year that, if combined, allowed unauthenticated attackers to gain control of Zimbra servers.