Alert: Roundcube Flaws Put User Emails And Passwords At Risk - TuxCare


Alert: Roundcube Flaws Put User Emails And Passwords At Risk

by Wajahat Raja

August 21, 2024 - TuxCare expert team

Cybersecurity researchers at Sonar have recently uncovered several flaws in the Roundcube Webmail software. Threat actors can exploit these flaws to execute malicious JavaScript code and steal emails and passwords. In this article, we dive into the details of the potential exploits and the vulnerabilities involved. Let’s begin!

Roundcube Flaws: Initial Discovery And Disclosure

The Roundcube flaws were disclosed by Sonar in an analysis published on June 18, 2024. According to the analysis, three vulnerabilities were identified, and all of them have been addressed in Roundcube versions 1.6.8 and 1.5.8. These Roundcube flaws are tracked as:

  • CVE-2024-42008 – a cross-site scripting flaw that can be exploited through a malicious email attachment served with a dangerous Content-Type header.
  • CVE-2024-42009 – a cross-site scripting flaw caused by the post-processing of already sanitized HTML content.
  • CVE-2024-42010 – an information disclosure flaw rooted in insufficient CSS filtering.
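As an added illustration of the first flaw's class, and not Roundcube's own code or Sonar's fix, here is a defender-side policy in Python for serving untrusted mail attachments: anything not on a short inline-safe list is forced to a download under a neutral Content-Type with sniffing disabled, so a sender-chosen Content-Type cannot get HTML or SVG rendered in the webmail origin. Function and constant names are hypothetical.

```python
"""Added example, not Roundcube's own code: a response-header policy for
serving untrusted mail attachments. Names below are hypothetical."""
import os
import re

# MIME types a browser can render inline without executing script.
INLINE_SAFE = {"image/png", "image/jpeg", "image/gif", "image/webp", "text/plain"}
# Types (and extensions) that can carry active content. These must never be
# rendered inline in the webmail origin, whatever the sender declared.
ACTIVE_CONTENT = {"text/html", "application/xhtml+xml", "image/svg+xml",
                  "text/xml", "application/xml", "text/javascript",
                  "application/javascript"}
ACTIVE_EXTENSIONS = {".html", ".htm", ".xhtml", ".svg", ".xml", ".js"}


def _normalize_type(declared):
    """Lower-case the media type and drop parameters such as charset."""
    return declared.split(";", 1)[0].strip().lower()


def _safe_filename(name):
    """Replace CR/LF, quotes and backslashes so the name cannot break the header."""
    return re.sub(r'[\r\n"\\]', "_", name)[:255] or "attachment"


def classify(filename, declared_type):
    """Return 'active', 'inline' or 'download' for a sender-supplied attachment.
    The extension is checked too, so a .html file declared as image/png stays active."""
    mime = _normalize_type(declared_type)
    ext = os.path.splitext(filename.lower())[1]
    if mime in ACTIVE_CONTENT or ext in ACTIVE_EXTENSIONS:
        return "active"
    if mime in INLINE_SAFE:
        return "inline"
    return "download"


def attachment_headers(filename, declared_type):
    """Headers to send when a client fetches an attachment from the mail store."""
    fname = _safe_filename(filename)
    headers = {"X-Content-Type-Options": "nosniff"}  # never let the browser guess
    if classify(filename, declared_type) == "inline":
        headers["Content-Type"] = _normalize_type(declared_type)
        headers["Content-Disposition"] = f'inline; filename="{fname}"'
    else:
        # Active or unknown content is forced to a download under a neutral type,
        # so the browser never interprets a sender-controlled HTML/SVG body.
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{fname}"'
    return headers
```

Logging the `classify` result alongside the sender gives a simple detection signal for attachments declared as active content.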

Providing further details about the Webmail software security flaws, Sonar has stated that:

“When a victim views a malicious email in Roundcube sent by an attacker, the attacker can execute arbitrary JavaScript in the victim’s browser. Attackers can abuse the vulnerability to steal emails, contacts, and the victim’s email password as well as send emails from the victim’s account.”

Webmail Software Security Flaw Attack Analysis

Recent reports state that threat actors aiming to exploit the Roundcube flaws initiate the attack by sending a malicious email. It is worth noting that a successful exploit of the critical XSS vulnerability, CVE-2024-42009, requires no user interaction beyond viewing the email.

A successful exploit of CVE-2024-42008 requires a single click from the target user; however, threat actors can make that interaction unobvious to the user. Once the exploit completes, attackers can acquire the victim’s emails and contacts, and they can also send emails from the compromised account.

What makes such exploits especially severe is that attackers can keep extracting emails, and can capture the password whenever it is entered, after the account has been compromised. To gain this capability, however, they must first establish a persistent foothold in the victim’s browser that survives multiple restarts.

For now, further details have not been released, given that nation-state threat actors have been identified exploiting these Roundcube flaws. These threat actors include APT28, Winter Vivern, and TAG-70. The details are being withheld so that users have time to update to the patched versions.

Apart from the vulnerabilities mentioned above, experts have also discovered a privilege escalation flaw in the RaspAP open-source project. It is tracked as CVE-2024-41637 and carries a critical CVSS score of 10.0, since it can be exploited to gain root access and execute critical commands.

Conclusion

The recent Roundcube vulnerabilities pose significant risks, enabling attackers to steal sensitive data with minimal user interaction. Users are strongly urged to update to the latest versions, 1.6.8 or 1.5.8, to mitigate these threats. In addition, to mitigate risk and ensure protection in an evolving threat landscape, individual and organizational users must deploy robust protection measures.

The sources for this piece include articles in The Hacker News and Security Affairs.
