Two cross-site scripting (XSS) vulnerabilities in Roundcube (CVE-2024-42009, CVE-2024-42008) could be exploited by attackers to steal users’ emails, contacts and email password, and to send emails from their account.
About the vulnerabilities
Roundcube is an open-source webmail software solution popular with European government agencies, hosting providers and academic institutions around the world.
CVE-2024-42009 and CVE-2024-42008 are both XSS bugs. The former allows a remote attacker to steal and send a victim’s emails via a crafted e-mail message; the latter allows the same via a malicious e-mail attachment.
“No user interaction beyond viewing the attacker’s email is required to exploit [CVE-2024-42009]. For CVE-2024-42008, a single click by the victim is needed for the exploit to work, but the attacker can make this interaction unobvious for the user,” Sonar vulnerability researcher Oskar Zeino-Mahmalat noted.
“When a victim views a malicious email in Roundcube sent by an attacker, the attacker can execute arbitrary JavaScript in the victim’s browser. Attackers can gain a persistent foothold in the victim’s browser across restarts, allowing them to exfiltrate emails continuously or steal the victim’s password the next time it is entered.”
A third flaw – CVE-2024-42010 – stems from insufficient filtering of Cascading Style Sheets (CSS) token sequences in rendered e-mail messages, which a remote attacker can exploit to obtain sensitive information.
A video demo of the attack via CVE-2024-42009 can be viewed here.
The three vulnerabilities have been fixed in Roundcube versions 1.6.8 and 1.5.8.
“We won’t disclose the technical details of the vulnerabilities at this time to give users time to update. We suspect that this won’t stop dedicated attackers like Winter Vivern for long, who have already shown that they can discover similar XSS vulnerabilities on their own,” Zeino-Mahmalat said.
“We strongly advise Roundcube administrators to apply the latest patch, version 1.6.8, or 1.5.8, as soon as possible to protect their organization’s users. Users who suspect that they are affected should change their email password and additionally clear the site data of the Roundcube site they are using in their browser.”
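Since the only fix is the upgrade to 1.6.8 or 1.5.8, the first thing an administrator wants is a reliable way to tell which installs are still exposed. The script below is an added example, not part of the article or of the Roundcube project: it reads the installed version and decides, per release branch, whether the fix is present. It assumes (my assumption, not the article’s) that the version string is the RCMAIL_VERSION constant in program/include/iniset.php, that anything newer than 1.6.8 also carries the fix, and that branches older than 1.5 received no fix at all.

```shell
#!/bin/sh
# Added example (not from the article or from Roundcube): check whether an installed
# Roundcube carries the fixes for CVE-2024-42008, CVE-2024-42009 and CVE-2024-42010.

# version_ge A B: succeeds when dotted version A >= B, compared field by field
# (numerically, so 1.6.10 sorts after 1.6.8). Missing fields count as 0.
version_ge() {
    v1=$(printf '%s' "$1" | tr -cd '0-9.')
    v2=$(printf '%s' "$2" | tr -cd '0-9.')
    set -- $(printf '%s' "$v1" | tr . ' ')
    a1=${1:-0} a2=${2:-0} a3=${3:-0}
    set -- $(printf '%s' "$v2" | tr . ' ')
    b1=${1:-0} b2=${2:-0} b3=${3:-0}
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# roundcube_patched VERSION: succeeds when VERSION is a fixed release.
# 1.6.x needs 1.6.8+, 1.5.x needs 1.5.8+; anything else is compared against
# 1.6.8, so later branches pass and unmaintained ones (1.4 and older) fail.
# (Assumption: later branches include the fix; the article only names 1.6.8/1.5.8.)
roundcube_patched() {
    v=$(printf '%s' "$1" | tr -cd '0-9.')
    case "$v" in
        1.6|1.6.*) version_ge "$v" 1.6.8 ;;
        1.5|1.5.*) version_ge "$v" 1.5.8 ;;
        *)         version_ge "$v" 1.6.8 ;;
    esac
}

# installed_version DIR: prints the RCMAIL_VERSION defined in DIR/program/include/iniset.php.
# Assumption: that is where the installed version is defined.
installed_version() {
    sed -n "s/.*define('RCMAIL_VERSION', *'\([^']*\)').*/\1/p" "$1/program/include/iniset.php"
}

# check_install DIR: human-readable verdict for one install directory.
check_install() {
    ver=$(installed_version "$1")
    if [ -z "$ver" ]; then
        echo "$1: could not read RCMAIL_VERSION"
        return 2
    fi
    if roundcube_patched "$ver"; then
        echo "$1: Roundcube $ver is patched"
    else
        echo "$1: Roundcube $ver is NOT patched, upgrade to 1.6.8 or 1.5.8"
        return 1
    fi
}

# Constructed sample install so the script runs offline; point check_install at
# a real Roundcube directory (e.g. /var/www/roundcube) instead.
demo=$(mktemp -d)
mkdir -p "$demo/program/include"
printf "<?php\ndefine('RCMAIL_VERSION', '1.6.7');\n" > "$demo/program/include/iniset.php"
check_install "$demo" || true
rm -rf "$demo"
```

Run it as `sh check_roundcube.sh` after replacing the constructed sample directory with each real install path; a non-zero exit from `check_install` is the signal to upgrade. Remember that the version check says nothing about browsers that already rendered a malicious message before the upgrade, which is why the advice above also covers changing the password and clearing the site data.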
Roundcube XSS flaws are prized by attackers
In June 2023, Recorded Future exposed a spear-phishing campaign aimed at Ukrainian state organizations, which exploited CVE-2020-35730 and CVE-2021-44026 – an XSS and a SQL injection flaw, respectively – to steal information from the entities’ Roundcube database.
In October 2023, ESET researchers spotted the Winter Vivern APT targeting European governmental entities and a think tank via an XSS zero-day (CVE-2023-5631).
Since late 2023, Roundcube maintainers have been steadily fixing a number of XSS vulnerabilities.
In February 2024, CISA ordered US federal government agencies to plug a Roundcube XSS flaw (CVE-2023-43770) exploited by unknown attackers.