{"id":27820,"date":"2024-10-24T10:03:44","date_gmt":"2024-10-24T10:03:44","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=27820"},"modified":"2024-10-24T10:03:44","modified_gmt":"2024-10-24T10:03:44","slug":"roundcube-vulnerability-exploited","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/roundcube-vulnerability-exploited\/","title":{"rendered":"Roundcube Webmail Vulnerability Exploited in Real-World Attacks"},"content":{"rendered":"<p><strong>A vulnerability in the Roundcube Webmail service<\/strong> appears to be exploited in real-world attacks. The flaw, classified as a stored XSS vulnerability, allows hackers to target government agencies of ex-USSR countries that use this software. Researchers uncovered the nature of the attack, but it is difficult to tell who stands behind it.<\/p>\n<h2>Hackers Target ex-USSR Countries with Roundcube Webmail Vulnerability<\/h2>\n<p><a href=\"https:\/\/socradar.io\/roundcube-vulnerability-cve-2024-37383-exploited-in-phishing-attacks-targeting-government-agencies-for-credential-theft\/\" rel=\"noopener noreferrer nofollow\" target=\"_blank\">Cybersecurity researchers reported<\/a> that they detected an attempt to exploit a vulnerability in the Roundcube Webmail client in the wild. The vulnerability in question is <strong>CVE-2024-37383<\/strong>, which has a relatively low CVSS rating of 6.1. It was used in a phishing attack against CIS government organizations in June 2024. Researchers discovered a malicious email in one of these organizations that contained a hidden attachment which was not displayed in the email client.
The attack was aimed at stealing credentials and email communications by exploiting <a href=\"https:\/\/gridinsoft.com\/xss\">an XSS vulnerability<\/a> in Roundcube.<\/p>\n<figure id=\"attachment_27829\" aria-describedby=\"caption-attachment-27829\" style=\"width: 1066px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/fake-email.png\" alt=\"Fake email screenshot\" width=\"1066\" height=\"275\" class=\"size-full wp-image-27829\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/fake-email.png 1066w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/fake-email-300x77.png 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/fake-email-1024x264.png 1024w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/fake-email-768x198.png 768w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/fake-email-860x222.png 860w\" sizes=\"auto, (max-width: 1066px) 100vw, 1066px\" \/><figcaption id=\"caption-attachment-27829\" class=\"wp-caption-text\">Fake email message that contains the exploit<\/figcaption><\/figure>\n<p>Roundcube Webmail is an open-source email client written in PHP. It allows users to access their email accounts through the browser without installing additional apps. Because of this, it is quite popular among commercial and governmental organizations and often attracts the interest of attackers.<\/p>\n<h2>Roundcube Webmail Vulnerability Exploitation<\/h2>\n<p>CVE-2024-37383 is a stored cross-site scripting (XSS) vulnerability that allows an attacker <strong>to execute JavaScript code on the victim&#8217;s end<\/strong>. The vulnerability affects Roundcube Webmail versions 1.5.6 and below, as well as versions 1.6 through 1.6.6.
In brief, the problem occurs while processing the \u2018href\u2019 attribute of SVG elements.<\/p>\n<figure id=\"attachment_27831\" aria-describedby=\"caption-attachment-27831\" style=\"width: 1009px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/attribute-name.png\" alt=\"Attribute name with extra space screenshot\" width=\"1009\" height=\"189\" class=\"size-full wp-image-27831\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/attribute-name.png 1009w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/attribute-name-300x56.png 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/attribute-name-768x144.png 768w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/attribute-name-860x161.png 860w\" sizes=\"auto, (max-width: 1009px) 100vw, 1009px\" \/><figcaption id=\"caption-attachment-27831\" class=\"wp-caption-text\">The distinctive attribute name with extra space<\/figcaption><\/figure>\n<p>Before displaying a mail message, while processing SVG elements with the animate attribute, Roundcube excluded elements whose attribute name was \u201chref\u201d. But because of an extra space in the attribute name, the function responsible for checking it did not exclude those elements. As a result, the extra space allowed these elements to remain on the page, <strong>inject arbitrary JavaScript code<\/strong> as the value of \u2018href\u2019, and execute it when the email was opened.<\/p>\n<p>The sample attack included an email with a malicious script that used <strong>the eval(atob(&#8230;)) function<\/strong> to run encoded JavaScript code. The malicious email triggered the download of an empty \u2018road map.docx\u2019 document, and in parallel an attempt was made to exfiltrate messages from the mail server via the ManageSieve plugin.
Additionally, the page displayed <a href=\"https:\/\/gridinsoft.com\/blogs\/spear-phishing\/\">a fake login form<\/a> that mimicked the Roundcube interface. This page requested a login and password, which were then sent to a remote server controlled by the attacker at libcdn[.]org, hosted by Cloudflare. Despite fairly extensive analysis, and previous incidents in which groups such as APT28, Winter Vivern and TAG-70 were implicated in attacks on Roundcube, experts were unable to link this attack to any known APT.<\/p>\n<h2>Mitigation and Fixes<\/h2>\n<p>Although the vulnerability was fixed in versions 1.5.7 and 1.6.7, released in May 2024, it appears that not all organizations updated their systems in a timely manner, leaving them vulnerable to such attacks. In addition, even after updating to the above versions, <strong>the XSS vulnerability persisted<\/strong>. Fortunately, an updated version 1.6.9 is now available, in which this flaw has been completely eliminated. Users and organizations are therefore strongly recommended <strong>to upgrade to version 1.6.9<\/strong>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A vulnerability in the Roundcube Webmail service appears to be exploited in real-world attacks. The flaw, classified as a stored XSS vulnerability, allows hackers to target government agencies of ex-USSR countries that use this software. Researchers uncovered the nature of the attack, but it is difficult to tell who stands behind it.
Hackers Target [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":27841,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[15],"tags":[619,273],"class_list":{"0":"post-27820","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security-news","8":"tag-cybersecurity","9":"tag-xss-vulnerability"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/Roundcube-Webmail-vulnerability.webp","author_info":{"display_name":"Stephanie Adlam","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/adlam\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/27820","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=27820"}],"version-history":[{"count":14,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/27820\/revisions"}],"predecessor-version":[{"id":27840,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/27820\/revisions\/27840"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/27841"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=27820"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=27820"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=27820"}],"curies":[{"name":
"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}