SonarSource security researchers recently reported the existence of a vulnerability in the Horde Webmail app, a widespread application used to view email within a browser. The vulnerability allows an attacker to run webmail commands that give access to the entire account via malicious OpenOffice documents, including all saved emails. A maliciously crafted email sent to an account with administrator privileges would lead to the compromise of the entire email server and all accounts, as well as further lateral movement and privilege escalation opportunities. SonarSource privately disclosed the vulnerability to Horde approximately six months ago and asserts there was no return communication, and now is making a public announcement in accordance with accepted disclosure practices. There is currently no patch available for this vulnerability.
Analyst Notes
Email account compromise does not just risk the information in the user’s email account, but also via the abuse of trust relationships can lead to further compromise as attackers use one compromised account in order to compromise other accounts, including those with administrator access. A compromise of an account with administrator permissions can lead to compromise of the entire email server, as well as the ability to run arbitrary system commands, which can in turn lead to escalated access to an organization’s secured network.
SonarSource researchers noted an available mitigation that can be deployed given the absence of a patch: editing the config/mime_drivers.php file in order to disable the rendering of OpenOffice attachments:
https://therecord.media/unpatched-bug-allows-takeover-of-horde-webmail-accounts-servers/
https://blog.sonarsource.com/horde-webmail-account-takeover-via-email
