Unpatched vulnerability exposes Horde webmail servers to attacks

The Horde webmail software is affected by a severe vulnerability that can be exploited to gain full access to an organization’s emails.

The flaw, discovered by researchers at application security firm Sonar (formerly SonarSource), is tracked as CVE-2022-30287 and can be exploited by tricking a user into opening a specially crafted email. Sonar published the technical details of the security bug on Wednesday.

The cybersecurity company told SecurityWeek that a Shodan search shows over 3,000 instances exposed to the Internet worldwide, and there are likely many more internal instances that can still be exploited if an organization’s mail server is exposed.

“This vulnerability allows an attacker to compromise an entire organization’s email service. The only condition is that only one member of that organization views a maliciously crafted email,” Simon Scannell, vulnerability researcher at Sonar, said via email.

Although exploiting the vulnerability requires authentication, the flaw can also be exploited remotely by an unauthenticated attacker using Cross-Site Request Forgery (CSRF). An attacker can create an email containing an external image, which exploits the vulnerability when rendered.

Successful exploitation of the flaw allows the attacker to execute arbitrary code on the underlying server.

“If a sophisticated adversary could compromise a webmail server, they could intercept all emails sent and received, access password reset links, sensitive documents, impersonate personnel, and steal all information credentials of users connecting to the webmail service,” Sonar warned in its blog post.

Sonar researchers noted that Horde is supposed to block external images by default, but they showed how an attacker can circumvent this restriction. The attack works against default Horde setups and requires no knowledge of the targeted instance.

The company noted that the exploit also causes the clear-text credentials of the user triggering the exploit to be leaked to the attacker.

Horde is no longer actively maintained. However, its developers apparently still release patches for security vulnerabilities, including for an XSS vulnerability disclosed by Sonar in February. It’s worth noting that the fix came only after the issue was publicly disclosed, more than six months after it was reported to the developers.

This XSS flaw could have been exploited to gain full access to the targeted user’s email account by causing them to load a preview of an attachment.

An XSS vulnerability was also patched by Horde developers in 2021.

Related: Malicious Emails Can Crash Cisco Email Security Appliances

Related: SonicWall fixes bug Y2K22 in email security, firewall products

Related: Unpatched Vulnerability Allows Hackers to Steal RainLoop User Emails

Eduard Kovacs (@EduardKovacs) is a SecurityWeek Contributing Editor. He worked as a high school computer science teacher for two years before starting a career in journalism as a security reporter for Softpedia. Eduard holds a bachelor’s degree in industrial computing and a master’s degree in computer techniques applied to electrical engineering.
