
Roundcube Webmail Active Exploits - 20230623002

Overview

Known vulnerabilities in Roundcube Webmail from 2020 and 2021 have recently been leveraged in targeted hacking campaigns. These vulnerabilities allow attackers to harvest emails of interest and to steal the targets' Roundcube address book, session cookies, and other valuable information stored within Roundcube's database. Public exploits are available for these vulnerabilities.

What is the vulnerability?

CVE-2020-35730 - CVSS v3 Base Score: 6.1 - XSS Vulnerability

CVE-2020-12641 - CVSS v3 Base Score: 9.8 - Remote Code Execution

CVE-2021-44026 - CVSS v3 Base Score: 9.8 - SQL Injection

What is vulnerable?

The vulnerabilities affect the following versions:

  • Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. (CVE-2020-35730)

  • Roundcube Webmail before 1.4.4 (CVE-2020-12641)

  • Roundcube Webmail before 1.3.17 and 1.4.x before 1.4.12 (CVE-2021-44026)

What has been observed?

CISA added these vulnerabilities to its Known Exploited Vulnerabilities catalog on 22 June 2023.

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing, but sources report governments in other countries have recently been targeted.

Recommendation

The WA SOC recommends administrators apply the updates and recommendations as per vendor instructions to all affected servers within 48 hours if internet-facing, or within one month otherwise, and perform comprehensive analysis and threat hunting if any vulnerable servers are found.
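The following is an added example, not part of the WA SOC advisory or the Roundcube project: a small triage helper that maps a Roundcube version string onto the affected-version ranges listed above and applies the 48-hour / one-month patch windows from the recommendation. Hostnames, versions and the internet-facing flags in the inventory are constructed; how the version string is collected from each server is assumed to have happened already.

```python
"""Triage Roundcube Webmail hosts against the CVEs in this advisory.

Added example (not WA SOC or Roundcube code). Affected ranges are
encoded exactly as the advisory states them; the inventory is made up.
"""

from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn '1.4.9', '1.4' or '1.5-beta' into a 3-part tuple (pre-release suffix dropped)."""
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))          # pad '1.4' -> (1, 4, 0)
    return (parts[0], parts[1], parts[2])


# Each rule is (branch, first_fixed). A version is affected when it sits in
# the branch (None = any earlier release) and is strictly older than first_fixed.
#   "before 1.2.13"            -> (None, (1, 2, 13))
#   "1.3.x before 1.3.16"      -> ((1, 3), (1, 3, 16))
Rule = Tuple[Optional[Tuple[int, ...]], Version]
AFFECTED: Dict[str, List[Rule]] = {
    "CVE-2020-35730": [(None, (1, 2, 13)), ((1, 3), (1, 3, 16)), ((1, 4), (1, 4, 10))],
    "CVE-2020-12641": [(None, (1, 4, 4))],
    "CVE-2021-44026": [(None, (1, 3, 17)), ((1, 4), (1, 4, 12))],
}


def in_range(version: Version, branch: Optional[Tuple[int, ...]], first_fixed: Version) -> bool:
    """True if version is in the given branch and older than the first fixed release."""
    if branch is not None and version[: len(branch)] != branch:
        return False
    return version < first_fixed


def affected_cves(version_text: str) -> List[str]:
    """Return the advisory CVEs that apply to the given Roundcube version."""
    version = parse_version(version_text)
    return [
        cve
        for cve, rules in AFFECTED.items()
        if any(in_range(version, branch, fixed) for branch, fixed in rules)
    ]


# Constructed sample inventory (hostnames, versions and exposure are invented).
INVENTORY = [
    {"host": "mail-dmz-01", "version": "1.4.9", "internet_facing": True},
    {"host": "mail-int-02", "version": "1.3.12", "internet_facing": False},
    {"host": "mail-dmz-03", "version": "1.4.13", "internet_facing": True},
    {"host": "mail-lab-04", "version": "1.6.1", "internet_facing": False},
]


def triage(inventory: List[dict]) -> List[dict]:
    """List affected hosts, their CVEs and the advisory's patch window for each."""
    findings = []
    for host in inventory:
        cves = affected_cves(host["version"])
        if not cves:
            continue
        findings.append(
            {
                "host": host["host"],
                "version": host["version"],
                "cves": cves,
                # Advisory: 48 hours if internet-facing, one month otherwise.
                "patch_within": "48 hours" if host["internet_facing"] else "one month",
            }
        )
    return findings


if __name__ == "__main__":
    for finding in triage(INVENTORY):
        print(f"{finding['host']} ({finding['version']}): "
              f"{', '.join(finding['cves'])} -> patch within {finding['patch_within']}")
```

One caveat when using a check like this: distribution packages sometimes backport fixes without changing the upstream version string, so a host flagged here should be confirmed against the package changelog before being treated as vulnerable, and a host that passes should still be threat-hunted if it was exposed while unpatched.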

Additional References