A dangerous new vulnerability has been discovered in the Zimbra mail service that allows an unauthenticated attacker to steal user passwords without any user interaction.
"By compromising the victim's mailbox, an attacker can gain access to various internal services and steal confidential information," the SonarSource report says.
The vulnerability, CVE-2022-27924, has a CVSS score of 7.5 and is characterized as a case of "Memcached poisoning with an unauthenticated request", which allows an attacker to run malicious commands and steal confidential information.
This was made possible by poisoning the IMAP route cache entries on the Memcached server, which is used to look up Zimbra users and forward their HTTP requests to the relevant internal services.
Because Memcached parses incoming requests line by line, the vulnerability allows an attacker to send the server a specially crafted lookup request containing CRLF characters, as a result of which the server executes unintended commands. An attacker can subsequently modify cache entries to redirect all IMAP traffic to the attacker's server.
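The line-splitting behaviour described above, and the key check that prevents it, shown as an added example (not code from Zimbra or from the SonarSource report). The `lookup:` key prefix, the function names and the sample inputs are assumptions constructed for illustration.

```python
import re

# The memcached text protocol limits keys to 250 bytes with no whitespace or
# control characters. This check is stricter still: printable ASCII only.
_SAFE_KEY = re.compile(rb"[\x21-\x7e]{1,250}")
KEY_PREFIX = b"lookup:"  # hypothetical prefix, not Zimbra's real key format


def build_get_naive(user: bytes) -> bytes:
    """Concatenates caller-controlled bytes straight into the command line."""
    return b"get " + KEY_PREFIX + user + b"\r\n"


def build_get_checked(user: bytes) -> bytes:
    """Rejects any key that could end the line or split into several keys."""
    key = KEY_PREFIX + user
    if not _SAFE_KEY.fullmatch(key):
        raise ValueError("illegal byte or length in memcached key")
    return b"get " + key + b"\r\n"


def lines_seen_by_server(wire: bytes) -> list:
    """Model of line-by-line parsing: each CRLF-terminated line is one command."""
    return [line for line in wire.split(b"\r\n") if line]


# Constructed inputs: a normal account name and one carrying an embedded CRLF
# followed by a harmless second command line.
BENIGN = b"alice@example.com"
WITH_CRLF = b"alice@example.com\r\nversion"

if __name__ == "__main__":
    for user in (BENIGN, WITH_CRLF):
        naive = lines_seen_by_server(build_get_naive(user))
        print(f"naive   {user!r}: {len(naive)} command line(s) -> {naive}")
        try:
            checked = lines_seen_by_server(build_get_checked(user))
            print(f"checked {user!r}: {len(checked)} command line(s)")
        except ValueError as exc:
            print(f"checked {user!r}: rejected ({exc})")
```

The naive builder turns one lookup into two command lines as soon as the value contains CRLF; the checked builder refuses the value before anything is written to the cache connection.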
After the vulnerability was discovered, Zimbra released security updates fixing the problem for versions 8.8.15 P31.1 and 9.0.0 P24.1.