A bug discovered back in March has been added to CISA’s Known Exploited Vulnerabilities Catalog. This high-severity bug, tracked as CVE-2022-27924, affects certain versions of the Zimbra email solution.
CVE-2022-27924 allows unauthenticated attackers to steal users’ cleartext login credentials from a targeted Zimbra deployment, without user interaction, via CRLF injection into the username used in Memcached lookups. This weakness is classified under CWE-74 (improper neutralization of special elements in output used by a downstream component, i.e. injection).
Memcached is a free and open source memory object caching system. It improves Zimbra’s performance by storing key/value pairs for email accounts and reducing the number of HTTP requests by the Lookup Service.
According to SonarSource, the researchers who discovered the bug, there are two possible exploitation techniques:
- Strategy one requires known email addresses. Email addresses are easy to find online from publicly available information, or to guess from the standard business naming pattern, e.g. email@example.com. The targeted user must also use an IMAP client.
- Strategy two bypasses the restrictions of the first method by “Response Smuggling,” allowing the attacker to “steal cleartext credentials from any vulnerable Zimbra instance without requiring any knowledge about the instance.”
Once a user logs in, their cleartext credentials are sent to the attacker.
Zimbra released a patch for CVE-2022-27924 back in May; Sonar has verified that it resolves the vulnerability by computing a SHA-256 hash of every Memcached key before it is sent to the server.
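To make the root cause and the fix concrete, here is an added example (not Zimbra’s or SonarSource’s code) that models the two key-building strategies described above. Memcached’s text protocol treats every command as a single line terminated by CRLF, so a key that itself contains `\r\n` ends the command early and the remainder of the key is parsed as a further command. The `route:` key prefix, the sample usernames and the injected tail are constructed placeholders, not Zimbra’s real key format; the hashed variant reproduces the idea of the patch (SHA-256 of the whole key) and the validator is the kind of check a defender can add in front of any cache client.

```python
import hashlib
import re

# Memcached key rules: no whitespace or control characters, at most 250 bytes.
MAX_KEY_LEN = 250
_FORBIDDEN = re.compile(rb"[\x00-\x20\x7f]")


def build_key_unsafe(username: str) -> str:
    """Pre-fix style: the raw, attacker-influenced username is interpolated
    into the cache key. ("route:" is a constructed placeholder prefix.)"""
    return f"route:{username}"


def build_key_safe(username: str) -> str:
    """Post-fix style, as described in the text: hash the full key with
    SHA-256 so what reaches memcached is always 64 hex characters, whatever
    bytes the username contained."""
    return hashlib.sha256(f"route:{username}".encode("utf-8")).hexdigest()


def is_valid_memcached_key(key: str) -> bool:
    """Defensive check: reject keys that violate the protocol's key rules
    (which is exactly what a CRLF-bearing key does)."""
    raw = key.encode("utf-8")
    return 0 < len(raw) <= MAX_KEY_LEN and _FORBIDDEN.search(raw) is None


def get_command(key: str) -> bytes:
    """Render the memcached 'get' request exactly as it would go on the wire."""
    return b"get " + key.encode("utf-8") + b"\r\n"


def command_line_count(key: str) -> int:
    """How many protocol lines the request would be parsed into.
    Anything above 1 means the key smuggled an extra command."""
    return get_command(key).count(b"\r\n")


if __name__ == "__main__":
    # Constructed sample inputs: a normal user and one carrying a CRLF.
    for user in ("alice@example.com", "alice\r\ninjected"):
        for label, builder in (("unsafe", build_key_unsafe), ("safe", build_key_safe)):
            key = builder(user)
            print(
                f"{label:6} user={user!r:24} lines={command_line_count(key)} "
                f"valid={is_valid_memcached_key(key)}"
            )
```

Running the demo shows the unsafe key for the CRLF-bearing username turning into two protocol lines and failing validation, while the hashed key is a single line and passes; that is the whole difference between the vulnerable and the patched behaviour, independent of what the injected tail contains.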
About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, points of sale, resellers, and partner companies, Version 2 offers quality products and services that are highly acclaimed in the market. Its customers cover a wide spectrum that includes Global 1000 enterprises, regional listed companies, public utilities, government, a vast number of successful SMEs, and consumers in various Asian cities.
TOPIA is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.