Researchers have revealed a memcached injection vulnerability in the business webmail platform Zimbra that could allow attackers to steal login credentials without user interaction.
The flaw is tracked as CVE-2022-27924 with a CVSS score of 7.5. Once a mailbox is breached, attackers can potentially escalate their access within the targeted organization, reach various internal services and steal highly sensitive information.
The vulnerability makes it possible to steal cleartext credentials from the Zimbra instance when the mail client connects to the Zimbra server. Because newline characters (\r\n) were not escaped in untrusted user input, attackers could inject arbitrary memcached commands into a targeted instance and trigger an overwrite of arbitrary cached entries.
Memcached servers store key/value pairs that can be set and retrieved with a simple text-based protocol and interpret incoming data line by line.
Attackers could poison a victim's IMAP route cache entry by first ascertaining the victim's email address (an easy enough task with OSINT methods), but the researchers also successfully deployed response smuggling to steal cleartext credentials without first obtaining this information.
As the researchers explained: "Zimbra did not validate the key of the Memcached response when consuming it. By exploiting this behavior, we can hijack the proxy connection of random users connecting to our IMAP server without having to know their email addresses."
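As an added illustration (not code from the Zimbra project or from the researchers), the following Python shows the two defensive checks the article implies: rejecting untrusted input that is not a single well-formed memcached key before it is spliced into a command, and refusing a `get` response whose returned key does not match the key that was actually requested. The key grammar and the response layout are those of the memcached text protocol; the sample keys and replies are constructed.

```python
import re
from typing import Optional

# memcached text-protocol key grammar: 1-250 bytes, no whitespace, no control characters.
# fullmatch() is used deliberately: a trailing "\n" would slip past a "$"-anchored match.
_KEY_RE = re.compile(rb"[^\x00-\x20\x7f]{1,250}")


def is_valid_key(key: bytes) -> bool:
    """True only if `key` is a single token that memcached will treat as one key."""
    return _KEY_RE.fullmatch(key) is not None


def build_get_unsafe(key: bytes) -> bytes:
    """Naive builder: untrusted input is spliced in unchecked, so a key containing
    CRLF terminates the 'get' line early and the remainder is read as a second command."""
    return b"get " + key + b"\r\n"


def build_get_safe(key: bytes) -> bytes:
    """Hardened builder: refuse anything that is not one well-formed key."""
    if not is_valid_key(key):
        raise ValueError("invalid memcached key: whitespace or control characters")
    return b"get " + key + b"\r\n"


def command_lines(payload: bytes) -> int:
    """Number of non-empty lines memcached would parse from `payload` (it reads line by line)."""
    return sum(1 for line in payload.split(b"\r\n") if line)


def parse_get_response(requested: bytes, response: bytes) -> Optional[bytes]:
    """Parse 'VALUE <key> <flags> <bytes>\\r\\n<data>\\r\\nEND\\r\\n' (or 'END\\r\\n' on a miss).
    The returned key is compared with the key we asked for: a mismatch means the reply
    belongs to some other request and must not be consumed."""
    if response == b"END\r\n":
        return None
    header, _, rest = response.partition(b"\r\n")
    fields = header.split(b" ")
    if len(fields) < 4 or fields[0] != b"VALUE":
        raise ValueError("malformed memcached response header")
    key, length = fields[1], int(fields[3])
    if key != requested:
        raise ValueError("response key %r does not match requested key %r" % (key, requested))
    data = rest[:length]
    if rest[length:] != b"\r\nEND\r\n":
        raise ValueError("malformed memcached data block")
    return data
```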
The flaw affects both open source and commercial versions of Zimbra in their default configurations.
The vulnerabilities were reported on March 11 and an initial fix, released on March 31, failed to properly address the issue. The comprehensively patched versions are 8.8.15 with patch level 31.1 and 9.0.0 with patch level 24.1.