Three vulnerabilities affecting Roundcube allow attackers to exfiltrate data to an attacker-controlled server and to carry out actions on the user's behalf. Roundcube is a popular open-source webmail application used by government agencies, cPanel and other hosting providers, and academic institutions. The following three vulnerabilities have been identified in Roundcube, and fixes are available:
CVE-2024-42009: This Cross-Site Scripting (XSS) flaw allows an attacker to steal and send emails from a victim's account through a specially crafted email message. Exploitation requires only that the victim view the attacker's email.
CVE-2024-42008: Another XSS vulnerability; this one enables an attacker to compromise a victim's email account via a malicious email attachment. Exploiting this flaw requires the victim to click on the attachment, although attackers can make this interaction less obvious.
CVE-2024-42010: This flaw involves insufficiently filtered Cascading Style Sheets (CSS) token sequences in email messages. It allows an attacker to extract sensitive information from the victim.
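The page withholds the technical details of CVE-2024-42010, so the following does not reproduce that flaw. It is an added example, not Roundcube's code, illustrating the defensive principle behind filtering CSS in email: normalize the stylesheet (strip comments, decode CSS escapes) before matching, then drop any declaration that would make the browser contact a remote server or load external style. The token list, function names and sample inputs are constructed for this illustration.

```python
import re

# Constructs in message CSS that make the browser fetch from a remote server or
# pull in external/legacy active content. A webmail sanitizer should strip
# declarations containing them. (Illustrative list, not Roundcube's.)
_EXTERNAL_REF = re.compile(r"url\s*\(|@import\b|expression\s*\(|-moz-binding", re.I)
# CSS escapes: \HH.. (1-6 hex digits, optional trailing whitespace) or \<any char>
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?|\\(.)", re.S)
_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def normalize_css(css):
    """Canonicalize CSS before filtering: strip comments, decode escapes, collapse whitespace.

    Matching on the raw text misses escaped or comment-split spellings of the
    same token; normalizing first closes that class of gap.
    """
    css = _CSS_COMMENT.sub("", css)

    def unescape(m):
        if m.group(1) is not None:
            cp = int(m.group(1), 16)
            return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"
        # backslash-newline is a line continuation, not a character
        return "" if m.group(2) == "\n" else m.group(2)

    css = _CSS_ESCAPE.sub(unescape, css)
    return re.sub(r"\s+", " ", css).strip()


def contains_external_reference(css):
    """True if the normalized CSS references anything outside the message."""
    return _EXTERNAL_REF.search(normalize_css(css)) is not None


def sanitize_declarations(css):
    """Keep only 'property: value' declarations free of external references."""
    kept = []
    for decl in normalize_css(css).split(";"):
        if ":" not in decl or _EXTERNAL_REF.search(decl):
            continue
        prop, value = decl.split(":", 1)
        kept.append(f"{prop.strip()}: {value.strip()}")
    return "; ".join(kept)


if __name__ == "__main__":
    # Constructed samples, not taken from any real message or exploit.
    for sample in ("color: red; background: u\\72 l(http://example.invalid/x)",
                   "background: ur/**/l(x)",
                   "font-family: Arial; color: #333"):
        print(repr(sample), "->", repr(sanitize_declarations(sample)))
```

The order matters: a filter that matches before normalizing checks a different string than the one the browser will eventually parse, which is exactly the mismatch that "insufficiently filtered token sequences" describes.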
Sonar's vulnerability researcher notes that CVE-2024-42009 needs no user action beyond viewing the email, whereas CVE-2024-42008 does require a click, though attackers can make that step less noticeable. A demonstration of CVE-2024-42009 is available on YouTube.
The vulnerabilities have been addressed in Roundcube versions 1.6.8 and 1.5.8. The detailed technical aspects are being held back for now to give admins time to update their systems. The Sonar researchers expect that dedicated attackers, such as the Winter Vivern group, may continue to look for similar vulnerabilities, as they have done in the past.
If you run a Roundcube instance, you are strongly encouraged to upgrade to version 1.6.8 or 1.5.8 immediately. Users who believe they may be affected should also change their email passwords and clear their browser's site data for the Roundcube mail client.
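For anyone inventorying several Roundcube installations, a small check against the fixed versions named above saves re-reading each one by hand. This is an added example, not part of the advisory or of Roundcube; it assumes (not stated on this page) that Roundcube declares its version as the `RCMAIL_VERSION` constant in `program/include/iniset.php`, and the sample file contents are constructed.

```python
import re

# Fixed releases named in the advisory, keyed by maintenance branch.
FIXED_VERSIONS = {
    (1, 5): (1, 5, 8),
    (1, 6): (1, 6, 8),
}

# Constructed sample of the line Roundcube uses to declare its version.
# Assumption (not stated on the page): the constant lives in program/include/iniset.php.
SAMPLE_INISET = """<?php
// Roundcube version string
define('RCMAIL_VERSION', '1.6.7');
"""


def version_from_iniset(source):
    """Pull the RCMAIL_VERSION string out of iniset.php source text, or None."""
    m = re.search(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)", source)
    return m.group(1) if m else None


def parse_version(version):
    """'1.6.7-git' -> (1, 6, 7). Non-numeric suffixes are dropped; missing parts become 0."""
    nums = []
    for part in version.strip().split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3])


def assess(version):
    """Return 'patched', 'vulnerable' or 'unknown-branch' for a Roundcube version string."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        # Only the 1.5 and 1.6 branches have fixes named in the advisory;
        # anything else (e.g. end-of-life 1.4.x) needs manual review.
        return "unknown-branch"
    return "patched" if v >= fixed else "vulnerable"


def assess_iniset(source):
    """Combine both steps: (version string, status) for one iniset.php file."""
    version = version_from_iniset(source)
    return (version, assess(version)) if version else (None, "unknown-branch")


if __name__ == "__main__":
    print(assess_iniset(SAMPLE_INISET))
```

Run it over each host's `iniset.php` (for example via your configuration-management tool's file fetch) and treat anything other than `patched` as work outstanding; the `unknown-branch` result is deliberate, so that an end-of-life install is not silently reported as fine.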
Past exploitation of Roundcube includes:
June 2023: Recorded Future revealed a spear-phishing campaign targeting Ukrainian state organisations, exploiting CVE-2020-35730 (an XSS vulnerability) and CVE-2021-44026 (an SQL injection flaw) to access data from Roundcube.
October 2023: ESET reported that the Winter Vivern APT was targeting European government entities and a think tank using an XSS zero-day vulnerability (CVE-2023-5631).
Late 2023: Roundcube maintainers began addressing a series of XSS vulnerabilities.
February 2024: The Cybersecurity and Infrastructure Security Agency (CISA) instructed US federal agencies to fix an XSS vulnerability (CVE-2023-43770) that had been exploited by unknown attackers.