Critical Roundcube Flaw Allows Remote Code Execution by Attackers

Roundcube Webmail, one of the most widely used browser-based IMAP clients, has released urgent security updates for its 1.6 and 1.5 LTS versions.

The newly published versions, 1.6.11 and 1.5.10, address a critical post-authentication remote code execution (RCE) vulnerability stemming from PHP object deserialization.

This flaw, reported by security researcher firs0v, could allow attackers with valid credentials—or access to an authenticated session—to execute arbitrary PHP code on the server, posing significant risks to data integrity and server control.

PHP Object Deserialization Vulnerability

The vulnerability centers on user-controlled input being passed to PHP's unserialize() function without restriction.

If exploited, an attacker can craft a malicious payload that, once deserialized by the server, triggers unintended object behavior and enables code execution.
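As an added example (not Roundcube's own code), this shows the mechanism behind this class of bug: a magic method that fires when unserialize() rebuilds an attacker-shaped object, beside the allowed_classes hardening that blocks it. The PrefsExporter class, the marker file and the loadPrefs* functions are assumptions for the demo.

```php
<?php
// Added example, not Roundcube's code: the unsafe unserialize() pattern
// beside a hardened form. PrefsExporter and the marker file are constructed.
class PrefsExporter
{
    public string $path = '';
    public string $data = '';
    // Runs automatically when unserialize() rebuilds an object of this
    // class: the kind of side effect a gadget chain abuses.
    public function __wakeup(): void
    {
        file_put_contents($this->path, $this->data);
    }
}
// Vulnerable: objects of any class are instantiated, so __wakeup() fires.
function loadPrefsUnsafe(string $blob): mixed
{
    return unserialize($blob);
}
// Hardened: allowed_classes=false turns every object into
// __PHP_Incomplete_Class, so no magic method ever runs; reject it outright.
function loadPrefsSafe(string $blob): mixed
{
    $value = unserialize($blob, ['allowed_classes' => false]);
    if ($value instanceof __PHP_Incomplete_Class) {
        throw new UnexpectedValueException('object in preferences blob rejected');
    }
    return $value;
}

// Constructed attacker-controlled input: a serialized object whose fields
// the attacker chose (in the real flaw it arrives through the session).
$marker = sys_get_temp_dir() . '/unserialize-demo.txt';
$evil = new PrefsExporter();
$evil->path = $marker;
$evil->data = "side effect ran\n";
$untrusted = serialize($evil);

@unlink($marker);
loadPrefsUnsafe($untrusted);
echo 'unsafe: marker written = ', var_export(file_exists($marker), true), "\n";

@unlink($marker);
try {
    loadPrefsSafe($untrusted);
} catch (UnexpectedValueException $e) {
    echo 'safe: ', $e->getMessage(), "\n";
}
echo 'safe: marker written = ', var_export(file_exists($marker), true), "\n";
```

Where the stored data only needs scalars and arrays, as preferences do, json_decode() avoids unserialize() entirely; if a blob may legitimately be an array, apply the __PHP_Incomplete_Class check recursively to its elements.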

The following code snippet, extracted from a public exploit, demonstrates how a malicious serialized object can be injected to achieve RCE:

```python
@dataclass
class Exploit:
    """Roundcube authenticated RCE exploit using CVE-2024-2961 (CNEXT)."""
    # ... (setup omitted for brevity)
    def overwrite_session_preferences(self, heap: int) -> None:
        # Overwrite session hashmap to create a fake `preferences` key-value
        VALUE = qs.decode_bytes(
            """a:2:{i:7;O:31:"GuzzleHttpCookieFileCookieJar":4:{s:36:"..."""
        )
        # The payload results in a web shell being written to the server
```

This exploit leverages the unserialize vulnerability to write a PHP web shell to the server, granting the attacker remote command execution capabilities.

Summary of Fixes and Enhancements

Both the 1.6.11 and 1.5.10 releases not only patch the RCE vulnerability but also deliver several bug fixes and improvements.

The updates address issues such as dark mode rendering, HTML message previews, and LDAP connectivity.

The table below summarizes the key changes in each release:

Version: 1.6.11
Security fixes: Post-auth RCE via PHP object deserialization
Bug fixes & enhancements:
– Improved OAuth token refresh
– Fixed dark mode blockquote colors
– HTML message preview fixes
– LDAP ldapi:// support
– UI improvements (removed floating buttons)

Version: 1.5.10
Security fixes: Post-auth RCE via PHP object deserialization
Bug fixes & enhancements:
– Fixed managesieve_kolab_master script state
– Restored inline SVG in mail preview

Upgrade Recommendations and Best Practices

Given the severity of the vulnerability, all users and administrators are strongly advised to upgrade their Roundcube installations to the latest versions immediately.

It is essential to back up all data before applying updates to prevent data loss.

Regularly updating web applications and monitoring for new security advisories are crucial steps in maintaining a secure environment, especially as cyber threats evolve.

For full changelogs and further technical details, users should consult the official Roundcube release notes on GitHub.

The release of Roundcube 1.6.11 and 1.5.10 underscores the importance of timely security updates in webmail platforms.

By addressing a critical PHP object deserialization flaw, these updates help safeguard user data and maintain the reliability of email communications for individuals and organizations worldwide.
