A high-severity security flaw has been disclosed in the Zimbra email suite that allows login credentials to be stolen. CISA recently added the flaw to its Known Exploited Vulnerabilities Catalog.
Exploiting the vulnerability lets an attacker steal email account credentials in cleartext from Zimbra Collaboration Suite installations, even without user interaction.
Further, an attacker can poison Memcache via CRLF injection to trick the software into forwarding all IMAP traffic to the attacker when legitimate users try to log in.
Given the severity of this bug, CISA has added it to its catalog of actively exploited flaws, mandating that all U.S. federal agencies apply the security updates by the August 25 deadline.
How does the attack work?
The bug is characterized as a case of Memcached poisoning, which allows an attacker to inject malicious commands and steal information.
It works by poisoning the IMAP route cache entries in the Memcached server, which Zimbra uses to look up users and forward HTTP requests to the appropriate backend services.
Memcached parses incoming requests line by line using a text-based protocol. This means an attacker can send a specially crafted lookup request containing CRLF characters to the server, causing it to execute unintended commands.
In addition, an attacker can use response smuggling to smuggle unauthorized HTTP responses and forward IMAP traffic to a rogue server.
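The following added example (not code from Zimbra or the article) shows why line-oriented Memcached commands must never be built from unvalidated input: a key that embeds CR/LF is read by the server as more than one command, while a key checked against the Memcached text-protocol rules (no whitespace or control characters, at most 250 bytes) is rejected before it reaches the wire. The `route:imap` key prefix and the user values are constructed for illustration and do not reflect Zimbra's real cache layout.

```python
import re

# Memcached text-protocol keys must not contain whitespace or control
# characters and are limited to 250 bytes.
MAX_KEY_LEN = 250
_INVALID_KEY_CHARS = re.compile(r"[\x00-\x20\x7f]")


def build_lookup_unsafe(prefix: str, user: str) -> str:
    """Naive concatenation: any CR/LF inside `user` starts a new protocol line."""
    return f"get {prefix}:{user}\r\n"


def protocol_lines(request: str) -> list:
    """Split a request the way a line-oriented Memcached parser would."""
    return [line for line in request.split("\r\n") if line]


def is_valid_key(key: str) -> bool:
    """True only if `key` satisfies the Memcached text-protocol key rules."""
    if not key or len(key.encode()) > MAX_KEY_LEN:
        return False
    return _INVALID_KEY_CHARS.search(key) is None


def build_lookup_safe(prefix: str, user: str) -> str:
    """Build a lookup command, refusing any key that could split into extra lines."""
    key = f"{prefix}:{user}"
    if not is_valid_key(key):
        raise ValueError("cache key contains whitespace or control characters")
    return f"get {key}\r\n"


if __name__ == "__main__":
    # Constructed input: a CRLF embedded in the user field.
    hostile = "alice\r\nINJECTED LINE"
    print(protocol_lines(build_lookup_unsafe("route:imap", hostile)))  # two lines
    try:
        build_lookup_safe("route:imap", hostile)
    except ValueError as exc:
        print("rejected:", exc)
```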
Zimbra already released a security update on May 10 with the release of ZCS 9.0.0 Patch 24.1 and ZCS 8.8.15 Patch 31.1.
Non-federal agencies and organizations that haven't patched their products remain vulnerable to attack. It is therefore recommended to apply the security patch as soon as possible to prevent any possibility of exploitation. An effective patch management program can also protect businesses from such threats.