Hackers usually opt for zero-day vulnerabilities because they are not publicly known, making them more difficult for defenders to patch or protect against.
This gives hackers an advantage by exploiting a flaw before it’s discovered and fixed, increasing the possibility of a successful attack.
Cybersecurity researchers at ESET have been actively monitoring the “Winter Vivern” group, which on October 11, 2023, began exploiting a new zero-day XSS vulnerability in Roundcube Webmail.
This exploit is distinct from the group’s earlier use of CVE-2020-35730. The campaign targeted the Roundcube Webmail servers of European governmental entities and a think tank.
Vulnerability Disclosure Timeline
The complete vulnerability disclosure timeline is as follows:
- 2023-10-12: ESET Research reported the vulnerability to the Roundcube team.
- 2023-10-14: The Roundcube team responded and acknowledged the vulnerability.
- 2023-10-14: The Roundcube team patched the vulnerability.
- 2023-10-16: The Roundcube team released security updates to address the vulnerability (1.6.4, 1.5.5, and 1.4.15).
- 2023-10-18: ESET CNA issued a CVE for the vulnerability (CVE-2023-5631).
- 2023-10-25: ESET Research analysis published.
Roundcube Zero-day Flaw
The XSS vulnerability (CVE-2023-5631) is exploited via specially crafted email messages sent from team.managment@outlook[.]com with the subject “Get started in your Outlook.”
At first glance the complete email looks legitimate, but it hides a base64-encoded payload within an SVG tag. Decoding the payload carried in the href attribute reveals the underlying code:
Because the href value is not a valid URL, the onerror attribute fires, executing JavaScript code in the victim’s browser during their Roundcube session.
The zero-day XSS vulnerability impacting Roundcube’s rcube_washtml.php script was discovered and reported by researchers.
It was patched on October 14, 2023, and affects the following Roundcube versions:
- 1.4.x (prior to 1.4.15)
- 1.5.x (before 1.5.5)
- 1.6.x (before 1.6.4)
Attackers can exploit this vulnerability by sending a specially crafted email that executes arbitrary JavaScript code in the victim’s browser window without any user interaction; that code then loads the second stage, a JavaScript loader called checkupdate.js.
The final JavaScript payload can retrieve emails and folder data from the victim’s Roundcube account and transmit them to the command-and-control server over HTTPS requests.
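The two points above that matter to a defender are the shape of the lure (a second, base64-encoded SVG document hidden in an `href` inside an `<svg>` tag, whose invalid URL triggers an event handler) and the affected version ranges. The following script is an added example written for this article; it is not ESET’s analysis tooling or Roundcube code. It parses an HTML mail body, decodes base64 `data:` hrefs found on elements, recursively scans the decoded content for inline event handlers and `javascript:` URIs, and separately checks a Roundcube version string against the affected branches listed above. The sample mail body, the inner SVG and its harmless `console.log` handler are constructed for the demonstration; the function and constant names are the example’s own.

```python
import base64
import re
from html.parser import HTMLParser

# Constructed sample: a mail body that nests a second SVG document, base64-encoded,
# in the href of an element inside <svg>. The handler body is a harmless placeholder.
INNER_SVG = '<svg id="x"><image href="x" onerror="console.log(\'constructed\')"></image></svg>'
SAMPLE_MAIL_HTML = (
    "<html><body><p>Get started in your Outlook</p>"
    '<svg id="x" style="display:none"><use href="data:image/svg+xml;base64,'
    + base64.b64encode(INNER_SVG.encode()).decode()
    + '"></use></svg></body></html>'
)

EVENT_HANDLER = re.compile(r"on[a-z]+")                      # onerror, onload, ...
JS_URI = re.compile(r"javascript\s*:", re.IGNORECASE)
DATA_URI = re.compile(r"^data:([^;,]*);base64,(.*)$", re.IGNORECASE | re.DOTALL)


class HrefCollector(HTMLParser):
    """Collect href values (with an inside-<svg> flag) and inline event-handler attributes."""

    def __init__(self):
        super().__init__()
        self.svg_depth = 0
        self.hrefs = []      # (value, inside_svg)
        self.handlers = []   # (tag, attribute)

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        for name, value in attrs:
            if EVENT_HANDLER.fullmatch(name):
                self.handlers.append((tag, name))
            if value is not None and name in ("href", "xlink:href"):
                self.hrefs.append((value.strip(), self.svg_depth > 0))

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1


def scan_html(html, depth=0, max_depth=3):
    """Return (depth, kind, detail) findings for an HTML fragment.

    Base64 data: URIs on href attributes are decoded and scanned recursively, since
    that is where the lure described in the article hides its real markup.
    """
    findings = []
    if depth > max_depth:
        return findings
    collector = HrefCollector()
    collector.feed(html)
    for tag, name in collector.handlers:
        findings.append((depth, "event-handler", f"<{tag} {name}>"))
    for href, inside_svg in collector.hrefs:
        if JS_URI.match(href):
            findings.append((depth, "javascript-uri", href[:40]))
        m = DATA_URI.match(href)
        if not m:
            continue
        mime = m.group(1) or "unspecified"
        try:
            decoded = base64.b64decode(m.group(2), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append((depth, "undecodable-data-uri", mime))
            continue
        findings.append((depth, "base64-data-href", mime + (" inside <svg>" if inside_svg else "")))
        findings.extend(scan_html(decoded, depth + 1, max_depth))
    return findings


# Fixed releases per branch, as listed in the article (1.6.4, 1.5.5, 1.4.15).
FIXED_VERSIONS = {(1, 4): (1, 4, 15), (1, 5): (1, 5, 5), (1, 6): (1, 6, 4)}


def roundcube_is_vulnerable(version):
    """True/False for the 1.4/1.5/1.6 branches; None for branches the article does not cover."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    fixed = FIXED_VERSIONS.get(parts[:2])
    if fixed is None:
        return None
    return parts < fixed


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_MAIL_HTML):
        print(finding)
    print("1.6.3 vulnerable:", roundcube_is_vulnerable("1.6.3"))
```

Run against the constructed sample, the scanner reports the base64 SVG href at depth 0 and the `onerror` handler only at depth 1, i.e. inside the decoded document, which is exactly why a filter that inspects just the outer HTML misses this lure. A mail gateway or SIEM rule built on this logic should treat any base64 `data:` href inside `<svg>` whose decoded body carries an event handler as high-severity; the version check is a quick triage helper for inventorying Roundcube hosts.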
The group, despite using less advanced tools, poses a threat to European governments due to its persistence, frequent phishing campaigns, and the prevalence of unpatched, vulnerable internet-facing applications.