Zimbra is an enterprise-level email solution, similar to Microsoft Exchange. It comes with mail servers, load balancing features, a powerful web interface, and more.
Tracked as CVE-2022-27924 (CVSS score: 7.5), the issue has been characterised as a case of "Memcached poisoning with unauthenticated request." In other words, an adversary can inject malicious commands and siphon sensitive information.
This is enabled by poisoning the IMAP route cache entries in the Memcached server, which is used to look up Zimbra users and forward their HTTP requests to the appropriate backend services.
Because Memcached parses incoming requests line by line, the vulnerability allows an attacker to send the server a specially crafted lookup request containing CRLF characters. This causes the server to execute unintended commands.
The flaw exists because "newline characters (\r\n) are not escaped in untrusted user input," the researchers explained. "This code flaw ultimately enables attackers to steal cleartext credentials from users of targeted Zimbra instances."
Vulnerability (CVE-2022-27924) – CRLF injection in Memcached lookups
Memcached uses a text-based protocol that interprets incoming data line by line. This means that an attacker who is able to inject newline characters into the username of a Memcached lookup can execute malicious Memcached commands.
Patch for Zimbra
Zimbra patched the vulnerability by creating a SHA-256 hash of all Memcache keys before sending them to the Memcache server. As the hex-string representation of a SHA-256 hash can't contain whitespace, newlines can no longer be injected.
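The effect of the patch can be seen by framing a lookup both ways and counting the lines a line-oriented parser would receive. This is an added example, not Zimbra's code: the key prefix, function names and sample usernames are hypothetical, and the second line in the constructed input is a harmless stand-in.

```python
import hashlib

KEY_PREFIX = "route:user="  # hypothetical key layout, for illustration only


def raw_key(username: str) -> str:
    """Pre-patch behaviour described above: untrusted input used verbatim."""
    return KEY_PREFIX + username


def hashed_key(username: str) -> str:
    """Patched behaviour: SHA-256 hex digest of the whole key."""
    return hashlib.sha256(raw_key(username).encode("utf-8")).hexdigest()


def get_request(key: str) -> bytes:
    """Frame a text-protocol lookup: 'get <key>' terminated by CRLF."""
    return b"get " + key.encode("utf-8") + b"\r\n"


def lines_seen_by_server(request: bytes) -> list[bytes]:
    """Split as a line-by-line parser would: every CRLF ends one command."""
    return [line for line in request.split(b"\r\n") if line]


def is_safe_key(key: str) -> bool:
    """Text-protocol key rule: 1..250 bytes, no whitespace or control bytes."""
    data = key.encode("utf-8")
    return 0 < len(data) <= 250 and all(b > 0x20 and b != 0x7F for b in data)


# Constructed sample inputs (not taken from any real system)
BENIGN = "alice@example.com"
INJECTED = "alice@example.com\r\nstats"

if __name__ == "__main__":
    for name in (BENIGN, INJECTED):
        for label, key in (("raw", raw_key(name)), ("sha256", hashed_key(name))):
            count = len(lines_seen_by_server(get_request(key)))
            print(f"{name!r:30} {label:7} lines={count} safe_key={is_safe_key(key)}")
```

The `is_safe_key` check is also usable on its own as a guard or log filter in front of any code path that builds cache keys from user input.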