Analysis Summary

Security researchers have revealed vulnerabilities in the Roundcube webmail program that, in some situations, might be used to launch malicious JavaScript in a victim's web browser and take sensitive data from their account.

An attacker can run any JavaScript code on the victim's browser when the victim opens a malicious email they sent using Roundcube. Attackers can send emails from the victim's account and leverage the vulnerability to steal contacts, emails, and the victim's email password. Roundcube versions 1.6.8 and 1.5.8, which were made available on August 4, 2024, have fixed the three vulnerabilities after their responsible disclosure on June 18, 2024.

The vulnerabilities are CVE-2024-42008 which is a risky cross-site scripting vulnerability through a malicious attachment in emails that come with a malicious Content-Type header, CVE-2024-42009 is a cross-site scripting vulnerability that results from post-processing cleaned HTML text, and CVE-2024-42010 is a vulnerability in information leakage caused by inadequate CSS filtering.

According to the researchers, if the aforementioned vulnerabilities are effectively exploited, unauthenticated attackers may be able to send and receive emails from a victim's account, as well as steal emails and contacts, all after viewing a specially constructed email in Roundcube. Through repeated browser restarts, attackers can establish a persistent foothold in the victim's browser, giving them the ability to continue harvesting emails or steal the victim's password the next time it is typed.

To successfully exploit the major XSS vulnerability (CVE-2024-42009), the attacker only needs the victim to view the email. For CVE-2024-42008, the exploit only requires the victim to click once, however, the attacker can conceal this interaction from the user. Further technical information regarding the problems has been kept under wraps to allow users to update to the most recent version and because nation-state actors such as APT28, Winter Vivern, and TAG-70 have frequently taken advantage of vulnerabilities in the webmail software.

The results coincide with information that has surfaced regarding an open-source RaspAP project maximum-severity local privilege escalation vulnerability (CVE-2024-41637, CVSS score: 10.0) that enables an attacker to elevate to root and carry out many crucial commands. Version 3.1.5 has been updated to address the issue. The www-data user can write to the restapi.service file and can run numerous important commands without a password thanks to sudo privileges. By altering the service to run arbitrary code with root privileges, an attacker can escalate their access from www-data to root thanks to this combination of permissions.

Impact

• Exposure of Sensitive Data
• Unauthorized Access
• Cross-Site Scripting
• Information Theft

Indicators of Compromise

CVE

• CVE-2024-42008
• CVE-2024-42009
• CVE-2024-42010

• Upgrade to the latest version of Roundcube, available from their website.
• Never trust or open links and attachments received from unknown sources/senders.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Raising awareness among users about the risks associated with downloading apps from unknown or untrusted sources is crucial. Users should be educated about the importance of verifying app permissions and conducting background research on developers before installing apps.
• Implement reputable mobile security solutions on devices that can help detect and block malicious apps. Mobile antivirus and anti-malware software can provide an additional layer of protection against potential threats.
• Maintain regular and secure backups of critical data, ensuring that data can be restored in case of a cyberattack.
• Employ network monitoring and intrusion detection systems to detect and respond to suspicious activities in real-time.
• Enforce the principle of least privilege, granting users only the minimum access required to perform their tasks.