Security Concerns in Roundcube Webmail
Security experts have discovered several vulnerabilities in the Roundcube webmail program that could allow attackers to inject malicious JavaScript into a user’s browser, leading to the theft of sensitive data from their account.
According to a report from the cybersecurity firm Sonar, “when a victim views a malicious email in Roundcube, sent by an attacker, the attacker can run arbitrary JavaScript in the victim’s browser.”
These vulnerabilities could let attackers steal emails, contacts, the victim’s email password, and even send emails from the victim’s account.
Patch Released for Roundcube
Roundcube versions 1.6.8 and 1.5.8, released on August 4, 2024, address three identified vulnerabilities that were responsibly disclosed on June 18, 2024. The vulnerabilities include:
- CVE-2024-42008: This is a cross-site scripting (XSS) vulnerability in the Content-Type header of a malicious email attachment.
- CVE-2024-42009: An XSS vulnerability arising from the post-processing of cleaned HTML text.
- CVE-2024-42010: A vulnerability caused by insufficient CSS filtering, leading to information leakage.
If these vulnerabilities are exploited, attackers can steal emails and contacts, send emails from the victim’s account, and gain continuous access to the victim’s browser, even after it is restarted.
Exploitation Details
According to Oskar Zeino-Mahmalat, exploiting the main XSS vulnerability (CVE-2024-42009) requires only that the victim views the email. For CVE-2024-42008, the victim must click once, but the attacker can hide this interaction from the user.
Details on these vulnerabilities have been withheld to give users time to update to the latest version and to prevent exploitation by nation-state actors like APT28, Winter Vivern, and TAG-70, who have a history of targeting webmail software vulnerabilities.
Additional Security Issue in RaspAP Project
In related news, a severe local privilege escalation vulnerability (CVE-2024-41637) has been discovered in the open-source RaspAP project. With a maximum CVSS score of 10.0, this flaw allows attackers to elevate their access to root and execute critical commands. Version 3.1.5 has been released to fix this issue.
A vulnerability researcher known as 0xZon1 explained, “the www-data user has write access to the restapi.service file and sudo privileges to execute several critical commands without a password. This combination allows an attacker to modify the service to run arbitrary code with root privileges, escalating their access from www-data to root.”
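The two conditions described above (a service account that can write a systemd unit file, combined with passwordless sudo rules for that account) are something an administrator can audit on a host. The following is an added example, not RaspAP project code; the unit path, the uid/gid of `www-data`, and the sudoers lines are constructed for illustration.

```python
import os
import re
import stat

# Matches one sudoers user specification, e.g.
#   www-data ALL=(ALL) NOPASSWD: /bin/systemctl restart foo.service
# Groups: user, optional tag list (NOPASSWD:, SETENV:, ...), command list.
SUDOERS_RULE = re.compile(
    r"^\s*(?P<user>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def unit_mode_writable_by(st_mode, st_uid, st_gid, uid, gids):
    """True if an account (uid, set of gids) may write a file with these
    stat values. A service account that can rewrite a unit file chooses
    the command systemd later runs as root, which is the escalation path
    the researcher describes for the restapi.service file."""
    if st_uid == uid and st_mode & stat.S_IWUSR:
        return True
    if st_gid in gids and st_mode & stat.S_IWGRP:
        return True
    return bool(st_mode & stat.S_IWOTH)


def unit_file_writable_by(path, uid, gids):
    """Stat a unit file on disk and apply unit_mode_writable_by to it."""
    st = os.stat(path)
    return unit_mode_writable_by(st.st_mode, st.st_uid, st.st_gid, uid, gids)


def nopasswd_commands(sudoers_text, user):
    """Return the commands `user` may run via sudo without a password."""
    found = []
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        m = SUDOERS_RULE.match(line) if line else None
        if not m or m.group("user") != user or "NOPASSWD:" not in m.group("tags"):
            continue
        found.extend(c.strip() for c in m.group("cmds").split(","))
    return found


def service_account_can_escalate(unit_path, uid, gids, sudoers_text, user):
    """True when both conditions coincide: writable unit file AND any
    passwordless sudo rule for the same account."""
    return unit_file_writable_by(unit_path, uid, gids) and bool(
        nopasswd_commands(sudoers_text, user)
    )
```

On a real host, pass the actual unit path (for example the restapi.service file named in the quote), the uid and gids from `pwd`/`grp` for `www-data`, and the concatenated contents of `/etc/sudoers` and `/etc/sudoers.d/*`; a `True` result is the misconfiguration to fix by making the unit root-owned and non-writable and removing the NOPASSWD rules.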
Conclusion
It’s crucial for users of Roundcube and RaspAP to update their software to the latest versions immediately to protect against these vulnerabilities. Cybersecurity threats are continuously evolving, and staying up-to-date with the latest patches is a vital part of maintaining security. Regularly updating software and being cautious about email attachments and links are essential practices to prevent exploitation by attackers.