CVE-2024-42008
📋 TL;DR
A cross-site scripting (XSS) vulnerability in Roundcube Webmail's attachment handler (rcmail_action_mail_get->run()) lets a remote attacker run arbitrary JavaScript in the victim's webmail session, and with it read and send the victim's email, by delivering a malicious attachment that Roundcube serves with an attacker-chosen, dangerous Content-Type header. Affected: all versions through 1.5.7 and 1.6.x through 1.6.7.
💻 Affected Systems
- Roundcube Webmail
📦 What is this software?
Roundcube Webmail: an open-source, browser-based IMAP email client written in PHP.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of email accounts, allowing attackers to read all emails, send emails as the victim, steal contacts, and potentially access other services via password reset emails.
Likely Case
Theft of sensitive emails, unauthorized email sending, and potential credential harvesting from email content.
If Mitigated
Impact is reduced, not eliminated. A Content Security Policy that Roundcube's inline scripts can run under does not block injected script, so MTA-side quarantine of unexpected attachment types and prompt patching carry most of the weight; user awareness matters because the victim has to open the attachment.
🎯 Exploit Status
Exploitation needs one action by the victim: opening the malicious attachment in the browser. The attachment is handled by the mail "get" action (rcmail_action_mail_get->run()), which in affected versions serves it with the attacker-chosen Content-Type, so the browser interprets it as active content in the webmail origin. The attacker needs no account on the server, only the ability to deliver an email to the victim.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.8 or 1.6.8
Vendor Advisory: https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8
Restart Required: Not strictly (Roundcube is PHP), but restart PHP-FPM, or the web server if PHP runs in-process, so the opcode cache does not keep serving the old files.
Instructions:
1. Back up the Roundcube installation directory and its database.
2. Download 1.5.8 or 1.6.8, matching your branch, from the official release page.
3. Unpack the release over the existing installation, keeping your config/config.inc.php and any plugin or skin customizations.
4. Run bin/update.sh from the installation directory to apply any configuration and database updates.
5. Restart PHP-FPM or the web server (Apache/nginx) and confirm that RCMAIL_VERSION in program/include/iniset.php shows the new version.
6. Log in and test message listing, attachment viewing and sending.
🔧 Temporary Workarounds
Content Security Policy Enhancement
A CSP is defense in depth only. A policy whose script-src includes 'unsafe-inline' or 'unsafe-eval' does nothing against an injected script, and Roundcube's pages as shipped rely on inline scripts, so a policy without 'unsafe-inline' breaks the UI. Test in staging before deploying either of these:
Apache (vhost config or .htaccess): Header always set Content-Security-Policy "default-src 'self'"
nginx: add_header Content-Security-Policy "default-src 'self'";
Email Attachment Filtering
Quarantine, rather than reject, mail carrying attachment parts of types that never occur as a legitimate body part. Note that Postfix header_checks inspect only the top-level message headers; attachment part headers are matched by mime_header_checks. Do not reject text/html there: Postfix matches one header line at a time and cannot tell an HTML body part (present in every multipart/alternative message) from an HTML attachment, so that rule would block ordinary HTML mail. Filtering on a fixed list of types is a partial measure; the complete fix is the patched release.
Postfix main.cf: mime_header_checks = regexp:/etc/postfix/mime_header_checks
/etc/postfix/mime_header_checks: /^Content-Type:.*application\/x-javascript/ HOLD
Regexp tables need no postmap; run "postfix reload" after editing.
Dovecot: a Sieve (Pigeonhole) script at delivery can file messages with unexpected MIME part types into a quarantine folder; the RFC 5703 mime extension is needed to test part headers, and its availability depends on your Pigeonhole version.
🧯 If You Can't Patch
- Apply a Content Security Policy without 'unsafe-inline', accepting that it is partial and must be tested against Roundcube's inline scripts first.
- Do not rely on a web application firewall: the payload arrives over SMTP and reaches the browser inside Roundcube's own response to an attachment request, so request-side XSS signatures see nothing. Response-body inspection exists on some WAFs but is fragile.
- Quarantine mail with unexpected attachment types at the MTA and tell users not to open unexpected attachments in the browser; exploitation requires the victim to open the attachment.
🔍 How to Verify
Check if Vulnerable:
The installed version is defined as RCMAIL_VERSION in program/include/iniset.php (the configuration file, config/config.inc.php since 1.0, does not contain it) and is also shown in the About dialog of the web interface.
Check Version:
grep RCMAIL_VERSION /path/to/roundcube/program/include/iniset.php
Verify Fix Applied:
Verify the version is 1.5.8 or higher on the 1.5.x branch, or 1.6.8 or higher on the 1.6.x branch. Anything older than 1.5 is unpatched: those branches received no fix.
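A small script that decides patched or unpatched from the version string, added here as an illustration and not taken from the Roundcube project. It reads RCMAIL_VERSION from program/include/iniset.php (the embedded iniset excerpt is a constructed sample) and applies the affected ranges from the advisory: 1.5.x below 1.5.8 and 1.6.x below 1.6.8 are vulnerable, anything older than 1.5 is treated as unpatched, and a dev snapshot such as "1.6-git" is treated conservatively as 1.6.0.

```python
import re
import sys

# Fixed releases per branch, from the Roundcube advisory for CVE-2024-42008.
FIXED = {(1, 5): (1, 5, 8), (1, 6): (1, 6, 8)}

# Constructed excerpt of program/include/iniset.php. The real file defines
# RCMAIL_VERSION in exactly this form with the installed version.
SAMPLE_INISET = """<?php
define('RCMAIL_VERSION', '1.6.7');
define('RCMAIL_START', microtime(true));
"""

VERSION_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")


def version_from_iniset(text):
    """Extract the RCMAIL_VERSION string from the contents of iniset.php."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("RCMAIL_VERSION not found; is this program/include/iniset.php?")
    return m.group(1)


def parse_version(v):
    """'1.6.7' -> (1, 6, 7); a snapshot like '1.6-git' becomes (1, 6, 0)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_vulnerable(version):
    """True if this Roundcube version falls in the affected range of CVE-2024-42008."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED:
        return (major, minor, patch) < FIXED[branch]
    # Branches before 1.5 are end-of-life and never received the fix;
    # anything newer than the 1.6 branch is outside the affected range.
    return branch < (1, 5)


def main(path):
    with open(path, encoding="utf-8") as fh:
        ver = version_from_iniset(fh.read())
    vuln = is_vulnerable(ver)
    print(f"Roundcube {ver}: {'VULNERABLE' if vuln else 'patched'}")
    return 1 if vuln else 0


if __name__ == "__main__":
    # Usage: python check_rc_version.py /path/to/roundcube/program/include/iniset.php
    target = sys.argv[1] if len(sys.argv) > 1 else "program/include/iniset.php"
    sys.exit(main(target))
```

The exit status (1 when vulnerable) makes the script usable from a fleet-wide inventory loop.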
📡 Detection & Monitoring
Log Indicators:
- Roundcube's own logs (logs/ directory or syslog): userlogins.log records logins when log_logins is enabled; sendmail.log records every message sent through the web interface when smtp_log is enabled. Mail sent from an account with no matching interactive activity is the strongest server-side signal.
- Web server access logs: an inline attachment render (a request carrying _task=mail&_action=get&_part=N with no _download=1) followed within seconds by an _action=send request from the same client. A person composing a message takes longer than a script does.
- Stolen message content leaves through the victim's browser, not the server, so the server sees exfiltration only indirectly, as mail the hijacked session sends.
Network Indicators:
- Mail from a user's session to recipients that user has never corresponded with, shortly after an attachment was opened.
SIEM Query (heuristic over web server access logs, not a signature):
source="webmail_access_log" AND "_task=mail" AND "_action=get" AND NOT "_download=1"
Correlate each hit per client IP with a later "_action=send" request inside a short window (for example 30 seconds) and review those pairs.
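The access-log correlation above, written out as an added example that is not Roundcube's own tooling. It assumes combined-format web server logs and Roundcube's default URL shapes for attachment retrieval (_action=get, with _download=1 for the explicit download variant) and for sending (_action=send); the log lines are constructed samples and the window is a tunable heuristic:

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample of a "combined" access log from a web server in front of
# Roundcube. Client 198.51.100.7 renders an attachment inline and sends mail two
# seconds later; 203.0.113.9 downloads (not renders) an attachment; 192.0.2.5
# renders one and sends eleven minutes later, as a person replying would.
SAMPLE_LOG = """\
198.51.100.7 - - [04/Aug/2024:10:15:02 +0000] "GET /?_task=mail&_uid=1234&_mbox=INBOX&_action=get&_part=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Aug/2024:10:15:04 +0000] "POST /?_task=mail&_action=send HTTP/1.1" 200 311 "https://webmail.example/" "Mozilla/5.0"
203.0.113.9 - - [04/Aug/2024:10:20:00 +0000] "GET /?_task=mail&_uid=77&_mbox=INBOX&_action=get&_part=2&_download=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Aug/2024:10:20:05 +0000] "POST /?_task=mail&_action=send HTTP/1.1" 200 311 "https://webmail.example/" "Mozilla/5.0"
192.0.2.5 - - [04/Aug/2024:10:30:00 +0000] "GET /?_task=mail&_uid=9&_mbox=INBOX&_action=get&_part=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.5 - - [04/Aug/2024:10:41:00 +0000] "POST /?_task=mail&_action=send HTTP/1.1" 200 311 "https://webmail.example/" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields this heuristic needs, or None for lines it cannot parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m["target"]).query)
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "status": int(m["status"]),
        "task": query.get("_task", [""])[0],
        "action": query.get("_action", [""])[0],
        # Roundcube appends _download=1 for the explicit download link; its
        # absence on an _action=get request means the part was rendered inline.
        "download": query.get("_download", ["0"])[0] == "1",
    }


def find_suspicious(lines, window_seconds=30):
    """Flag clients that render an attachment inline and send mail within the window.

    Sessions are approximated by client IP because access logs carry no session
    id; behind a shared NAT this will raise false positives, so treat hits as
    leads for review, not as alerts.
    """
    last_inline = {}  # ip -> timestamp of the most recent inline attachment render
    hits = []
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["task"] != "mail" or ev["status"] != 200:
            continue
        if ev["action"] == "get" and not ev["download"]:
            last_inline[ev["ip"]] = ev["ts"]
        elif ev["action"] == "send" and ev["ip"] in last_inline:
            delta = (ev["ts"] - last_inline[ev["ip"]]).total_seconds()
            if 0 <= delta <= window_seconds:
                hits.append({"ip": ev["ip"], "seconds": int(delta),
                             "at": ev["ts"].isoformat()})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{hit['at']} {hit['ip']}: inline attachment render followed by send "
              f"after {hit['seconds']}s")
```

On the sample only 198.51.100.7 is flagged: the explicit download by 203.0.113.9 never reaches the browser as active content, and the eleven-minute gap for 192.0.2.5 is outside the window.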
🔗 References
- https://github.com/roundcube/roundcubemail/releases
- https://github.com/roundcube/roundcubemail/releases/tag/1.5.8
- https://github.com/roundcube/roundcubemail/releases/tag/1.6.8
- https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8
- https://sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail/