Zimbra bug allows stealing email logins with no user interaction

Technical details have emerged on a high-severity vulnerability affecting certain versions of the Zimbra email solution that hackers could exploit to steal logins without authentication or user interaction.

The security issue is currently tracked as CVE-2022-27924 and impacts Zimbra releases 8.8.x and 9.x for both open-source and the commercial versions of the platform.

A fix has been published in Zimbra versions ZCS 9.0.0 Patch 24.1 and ZCS 8.8.15 Patch 31.1, available since May 10, 2022. Zimbra is often used by organizations worldwide, including those in the government, financial, and educational sectors.

Silently siphoning credentials

The flaw has been described in a report from researchers at SonarSource, who summarized it as “Memcached poisoning with an unauthenticated request.” Exploitation is possible via a CRLF injection into the username of Memcached lookups.

Memcached is an internal service that stores key/value pairs for email accounts (such as their backend route information) to improve Zimbra’s performance by reducing the number of HTTP requests to the Lookup Service. Memcached sets and retrieves those pairs using a simple text-based protocol, in which commands are separated by line breaks.

[Figure: Zimbra’s request routing diagram (SonarSource)]

The researchers explain that a malicious actor could overwrite the IMAP route entries for a known username via a specially crafted HTTP request to the vulnerable Zimbra instance. Then, when the real user logs in, the Nginx Proxy in Zimbra would forward all IMAP traffic to the attacker, including the credentials in plain text.

[Figure: HTTP request (above) and message sent to server (below) (SonarSource)]

“Usually, Mail clients such as Thunderbird, Microsoft Outlook, the macOS Mail app, and Smartphone mail apps store the credentials that the user used to connect to their IMAP server on disk,” explains SonarSource in the report, highlighting that the exploit doesn’t require any user interaction.

“When the Mail client restarts or needs to re-connect, which can happen periodically, it will re-authenticate itself to the targeted Zimbra instance,” add the researchers.

Knowing the victim’s email address, a piece of information that is typically easy to find, and using an IMAP client make the vulnerability easier to exploit, but neither is mandatory.

A second exploitation technique allows bypassing the above restrictions to steal credentials for any user with no interaction and without any knowledge about the Zimbra instance.

This is achieved through “Response Smuggling,” an alternative route that leverages the use of a web-based client for Zimbra.

“The idea is that by continuously injecting more responses than there are work items into the shared response streams of Memcached, we can force random Memcached lookups to use injected responses instead of the correct response. This works because Zimbra did not validate the key of the Memcached response when consuming it.” – SonarSource

This way, an attacker could hijack the proxy connections of random users whose email addresses are unknown, again without requiring any interaction from the victim or generating any alerts for them.

Fix and timeline

SonarSource disclosed their findings to Zimbra on March 11, 2022. A first patch was released on March 31, 2022, but it was insufficient to fix the issue.

On May 10, the software vendor addressed the issues in ZCS 9.0.0 Patch 24.1 and ZCS 8.8.15 Patch 31.1 by hashing all Memcached keys with SHA-256 before they are sent to the server.

A SHA-256 hash contains no whitespace, so the CRLF injection can no longer create new protocol lines, and the poisoning attack no longer works on the patched versions.
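The following Python snippet is an added illustration of the two defensive points made in this article, written for this page and not taken from SonarSource’s report or from Zimbra’s code: it contrasts a naive Memcached key built directly from a username (where an embedded CRLF splits the command into two protocol lines) with the SHA-256-hashed key the fix introduces, and it shows the response-side check the article says was missing, namely rejecting a GET reply whose echoed key does not match the key that was requested. The `route:` key prefix is a hypothetical placeholder, not Zimbra’s real key layout; the hash is assumed to be hex-encoded; and the `VALUE <key> <flags> <bytes>` reply format is the standard Memcached text protocol. The sample username and server replies are constructed inputs.

```python
import hashlib
import re
from typing import Optional

# Memcached text-protocol keys may not contain whitespace or control characters
# and are limited to 250 bytes; this regex encodes that rule.
_KEY_RE = re.compile(rb"^[\x21-\x7e]{1,250}$")

# Hypothetical key prefix for illustration; Zimbra's real key layout is not reproduced.
KEY_PREFIX = "route:"


def is_valid_memcached_key(key: bytes) -> bool:
    """True if `key` can be placed in a memcached text command without splitting it."""
    return _KEY_RE.fullmatch(key) is not None


def unsafe_get_command(username: str) -> bytes:
    """Pre-patch style: the raw username becomes part of the key with no validation."""
    return b"get " + (KEY_PREFIX + username).encode("utf-8") + b"\r\n"


def hashed_get_command(username: str) -> bytes:
    """Patched style, as the article describes it: the key is replaced by its SHA-256
    hash (assumed hex-encoded here), so only [0-9a-f] characters reach the wire."""
    digest = hashlib.sha256((KEY_PREFIX + username).encode("utf-8")).hexdigest()
    return b"get " + digest.encode("ascii") + b"\r\n"


def count_protocol_lines(command: bytes) -> int:
    """Number of CRLF-terminated lines the server would parse; must be exactly 1."""
    return command.count(b"\r\n")


def parse_get_response(raw: bytes, expected_key: bytes) -> Optional[bytes]:
    """Parse a single-key memcached GET reply and return its value, or None on a miss.

    The echoed key is compared with the key that was requested; a mismatch is treated
    as a poisoned or smuggled response and rejected. Values containing CRLF are not
    handled by this line-based toy parser (a real client reads <bytes> bytes instead).
    """
    lines = raw.split(b"\r\n")
    if lines[0] == b"END":
        return None  # cache miss
    header = lines[0].split(b" ")
    if len(header) != 4 or header[0] != b"VALUE":
        raise ValueError("malformed VALUE header")
    key, size = header[1], int(header[3])
    if key != expected_key:
        raise ValueError("response key does not match requested key")
    if len(lines) < 3 or lines[2] != b"END":
        raise ValueError("missing END terminator")
    data = lines[1]
    if len(data) != size:
        raise ValueError("data length does not match declared size")
    return data


def accepts_response(raw: bytes, expected_key: bytes) -> bool:
    """True if the reply parses cleanly and, when it carries a value, the key matches."""
    try:
        parse_get_response(raw, expected_key)
        return True
    except ValueError:
        return False


# Constructed sample input: a username carrying an embedded CRLF.
CONSTRUCTED_USERNAME = "alice@example.test\r\nINJECTED-LINE"

if __name__ == "__main__":
    raw_key = (KEY_PREFIX + CONSTRUCTED_USERNAME).encode("utf-8")
    print("raw key valid:", is_valid_memcached_key(raw_key))
    print("unsafe command lines:", count_protocol_lines(unsafe_get_command(CONSTRUCTED_USERNAME)))
    print("hashed command lines:", count_protocol_lines(hashed_get_command(CONSTRUCTED_USERNAME)))
    # Constructed server replies: one for the requested key, one echoing a different key.
    print("matching reply accepted:", accepts_response(b"VALUE k 0 5\r\nhello\r\nEND\r\n", b"k"))
    print("foreign reply accepted:", accepts_response(b"VALUE other 0 5\r\nhello\r\nEND\r\n", b"k"))
```

The two checks are complementary: validating or hashing keys before they are sent prevents a client-controlled string from terminating one command and starting another, while checking the key in each reply ensures that a stray or surplus response on the shared stream can never be matched to the wrong lookup.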

It’s worth noting that Zimbra released the ZCS 9.0.0 Patch 25 and ZCS 8.8.15 Patch 32 updates yesterday, which upgrade OpenSSL to 1.1.1n to address an infinite-loop denial-of-service vulnerability tracked as CVE-2022-0778.

Source: www.bleepingcomputer.com