Roundcube Webmail: Attacks with forged attachments
IT security researchers have observed attacks on a stored cross-site scripting vulnerability in Roundcube Webmail. An update is available.
(Image: created with AI in Bing Designer by heise online / dmk)
Attackers are attempting to abuse a security vulnerability in the Roundcube webmail client, which is widely used by universities and government organizations. The attackers specifically tried to obtain the credentials and other emails of their potential victims, i.e. to spy on them.
Positive Technologies writes in an analysis that it discovered the attacks in September 2024. An email dated June had been sent to a government organization in a CIS state. The email appeared to contain no text, only an attachment, yet the client displayed no attachment at all. Instead, JavaScript hidden in the mail body decoded further Base64-encoded JavaScript and executed it. The use of the attribute name "href " with a trailing space, a way of slipping past Roundcube's filter for the attributes an SVG animate element may target, was the indication that the vulnerability CVE-2024-37383 in Roundcube was being exploited.
Roundcube vulnerability
The vulnerability is a stored cross-site scripting flaw in the processing of SVG animate attributes. It was closed in May in Roundcube 1.5.7 and 1.6.7. It allows attackers to execute JavaScript in the context of the victim's Roundcube session when the recipient opens a crafted email.
The decoded JavaScript in the attacker's mail saved an empty document named "Road map.docx" from a Base64-encoded string. It also attempted to retrieve messages from the mail server via the ManageSieve plug-in. Finally, the code displayed a login form for Roundcube credentials inside the client. The attackers hope that the victims, believing they have to log in again, fill in the fields themselves, or that the browser's autofill does it for them.
The intercepted credentials were sent by the script to a libcdn URL registered on June 6, 2024. As a further indicator of compromise, the analysis mentions the URL rcm.codes, to which mailbox content was sent. Positive Technologies is unable to attribute the unknown attackers to any known group.
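As an added example (not code from Roundcube, and not tooling from the Positive Technologies analysis), the following Python scanner shows both halves of the point made above: why an exact-match filter on the animate target misses `attributeName="href "`, and how to hunt mail bodies for that pattern, decode the `atob()` stage and match the two indicator domains the analysis names. The sample mail bodies, the second-stage string and all function names are constructed for illustration; the real exploit body is not reproduced.

```python
"""Hunting helper for the Roundcube <animate> XSS pattern (CVE-2024-37383).

Added example, not Roundcube code. The mail bodies below are constructed for
illustration; the real exploit body is not reproduced here.
"""
import base64
import re
from html.parser import HTMLParser

# Attribute targets an <animate> element must never be allowed to rewrite.
DANGEROUS_TARGETS = {"href", "xlink:href"}
# Animation attributes that can carry the attacker-chosen new value.
VALUE_ATTRS = ("values", "to", "from", "by")
# Domains the article cites as indicators of compromise.
INDICATOR_DOMAINS = ("libcdn", "rcm.codes")

_ATOB = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def naive_is_blocked(attribute_name):
    """Exact-match filter: the padded name "href " slips straight past it."""
    return attribute_name.lower() in DANGEROUS_TARGETS


def hardened_is_blocked(attribute_name):
    """Normalize before comparing, so whitespace padding no longer bypasses the list."""
    return attribute_name.strip().lower() in DANGEROUS_TARGETS


def decode_atob_payloads(value):
    """Decode every atob('...') literal found in a javascript: value."""
    decoded = []
    for b64 in _ATOB.findall(value):
        try:
            decoded.append(base64.b64decode(b64, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return decoded


class _AnimateCollector(HTMLParser):
    """Collect the attributes of every <animate> element in a mail body."""

    def __init__(self):
        super().__init__()
        self.animates = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases attribute names but keeps quoted values verbatim,
        # so the trailing space inside attributeName="href " survives for inspection.
        if tag.lower() == "animate":
            self.animates.append(dict(attrs))


def scan_mail_body(html):
    """Return one finding per <animate> that retargets href/xlink:href."""
    parser = _AnimateCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for attrs in parser.animates:
        target = attrs.get("attributename") or ""
        if not hardened_is_blocked(target):
            continue
        script_values = [
            attrs[a] for a in VALUE_ATTRS
            if attrs.get(a) and "javascript:" in attrs[a].lower()
        ]
        decoded = [s for v in script_values for s in decode_atob_payloads(v)]
        haystack = " ".join(script_values + decoded).lower()
        findings.append({
            "target": target,
            "padded": target != target.strip(),
            "bypasses_naive_filter": not naive_is_blocked(target),
            "script_values": script_values,
            "decoded_payloads": decoded,
            "indicators": [d for d in INDICATOR_DOMAINS if d in haystack],
        })
    return findings


# Constructed stand-in for the decoded second stage; the real one built a fake
# Roundcube login form and posted the harvested credentials elsewhere.
CONSTRUCTED_STAGE2 = "var form = document.createElement('form'); /* exfil host: rcm.codes */"
_B64 = base64.b64encode(CONSTRUCTED_STAGE2.encode()).decode()

# Constructed mail bodies (not the real attack email).
CONSTRUCTED_MALICIOUS = (
    '<body><p></p><svg><a>'
    f'<animate attributeName="href " values="javascript:eval(atob(\'{_B64}\'))"/>'
    '<rect width="1" height="1"/></a></svg></body>'
)
CONSTRUCTED_BENIGN = (
    '<body><svg><circle r="4"><animate attributeName="opacity" values="0;1" dur="2s"/>'
    '</circle></svg></body>'
)

if __name__ == "__main__":
    for label, body in (("malicious", CONSTRUCTED_MALICIOUS), ("benign", CONSTRUCTED_BENIGN)):
        print(label, scan_mail_body(body))
```

Run it over raw HTML parts pulled from the mail store; a finding with `padded` set is the specific CVE-2024-37383 signature, while any finding whose decoded payload mentions one of the indicator domains deserves a look at the affected mailbox regardless of padding.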
Administrators should ensure that they are running a patched version of Roundcube and should not hesitate to install updates as they become available. Roundcube instances are evidently a popular target for cybercriminals.
In August, the Roundcube developers released versions 1.5.8 and 1.6.8, which close three security vulnerabilities, including one rated critical. These versions are also protected against the vulnerability now under attack.
(dmk)