Alert: Roundcube Flaws Put User Emails And Passwords At Risk
Cybersecurity researchers at Sonar have recently uncovered flaws in the Roundcube Webmail software. Threat actors can exploit these Webmail software security flaws to execute malicious JavaScript code and steal emails and passwords. In this article, we dive into the details of the vulnerabilities involved and how they could be exploited. Let’s begin!
Roundcube Flaws: Initial Discovery And Disclosure
The Roundcube flaws were disclosed by Sonar in an analysis published on June 18, 2024. As per the analysis, a total of three vulnerabilities were identified, all of which have been addressed in Roundcube versions 1.6.8 and 1.5.8. These Roundcube flaws are being tracked as:
- CVE-2024-42008 – a cross-site scripting flaw exploitable through a malicious email attachment served with a dangerous Content-Type header.
- CVE-2024-42009 – a cross-site scripting flaw that arises from the post-processing of sanitized HTML content.
- CVE-2024-42010 – an information disclosure flaw caused by insufficient CSS filtering.
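As an added example (not code from the article or from the Roundcube project), the following helper turns the fixed versions stated above into an inventory check: it assumes the fixes ship in 1.5.8 and 1.6.8, reports any other minor branch as "unknown" rather than guessing, and runs over a constructed list of hosts and versions.

```python
"""Flag Roundcube instances still exposed to CVE-2024-42008/42009/42010.

Hypothetical helper with a constructed inventory; not from the article or the
Roundcube project. Assumes the fixes are in 1.5.8 and 1.6.8 (as the article
states); other minor branches are reported as "unknown", not guessed at.
"""

# Fixed release per maintained minor branch, keyed by (major, minor).
FIXED_IN = {(1, 5): (1, 5, 8), (1, 6): (1, 6, 8)}
ADVISORY = ("CVE-2024-42008", "CVE-2024-42009", "CVE-2024-42010")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '1.6.7' (or '1.6') into a comparable (major, minor, patch) tuple."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Roundcube version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def assess(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for one installed version."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return "unknown"  # branch not covered by the stated fix versions
    return "fixed" if (major, minor, patch) >= fixed else "vulnerable"


def needs_patch(inventory: dict[str, str]) -> list[str]:
    """Hosts to upgrade; 'unknown' branches are included so they get reviewed."""
    return sorted(h for h, v in inventory.items() if assess(v) != "fixed")


# Constructed sample inventory: hostnames and versions are made up.
INVENTORY = {
    "mail-a.example.test": "1.6.7",
    "mail-b.example.test": "1.6.8",
    "mail-c.example.test": "1.5.8",
    "mail-d.example.test": "1.5.3",
    "legacy.example.test": "1.4.15",
}

if __name__ == "__main__":
    for host in needs_patch(INVENTORY):
        print(f"{host}: {INVENTORY[host]} -> {assess(INVENTORY[host])}; "
              f"upgrade for {', '.join(ADVISORY)}")
```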
Providing further details about the Webmail software security flaws, Sonar has stated that:
“When a victim views a malicious email in Roundcube sent by an attacker, the attacker can execute arbitrary JavaScript in the victim’s browser. Attackers can abuse the vulnerability to steal emails, contacts, and the victim’s email password as well as send emails from the victim’s account.”
Webmail Software Security Flaw Attack Analysis
Recent reports claim that threat actors aiming to exploit the Roundcube flaws initiate the attack by sending a malicious email. It’s worth noting that exploiting the critical XSS vulnerability, CVE-2024-42009, requires no user interaction other than viewing the email.
Exploiting CVE-2024-42008 requires a single click from the target user; however, threat actors can make that interaction unobvious to the user. Once the exploit succeeds, attackers can acquire the victim’s emails and contacts and can also send emails from the compromised account.
What makes such exploits especially severe is that, after the account has been compromised, attackers can continuously extract emails and capture the password whenever it is entered. To gain such capabilities, however, they must establish a persistent foothold in the victim’s browser that survives multiple restarts.
As of now, further details have not been revealed, given that nation-state threat actors, including APT28, Winter Vivern, and TAG-70, have been identified exploiting these Roundcube flaws. The details have been withheld so that users have time to update to the patched versions.
Apart from the vulnerabilities mentioned above, experts have also discovered a privilege escalation flaw in the RaspAP open-source project. The flaw is tracked as CVE-2024-41637 and carries a critical CVSS score of 10.0, given that it can be exploited to gain root access and execute critical commands.
Conclusion
The recent Roundcube vulnerabilities pose significant risks, enabling attackers to steal sensitive data with minimal user interaction. Users are strongly urged to update to the patched versions, 1.6.8 or 1.5.8, to mitigate these threats. In addition, to reduce risk and ensure protection in an evolving threat landscape, individual and organizational users must deploy robust protection measures.
The sources for this piece include articles in The Hacker News and Security Affairs.