CISA says a zero-day in a popular free webmail package has been exploited in the wild – as security researchers at ESET said that “governmental entities” have been targeted with exploits abusing the cross-site scripting vulnerability in the Roundcube Webmail server since October 11 this year.
Roundcube is a free and open source webmail package with a desktop-like user interface which runs on a standard open source server. Thousands of services make use of Roundcube to provide webmail to millions of users.
The vulnerability, allocated CVE-2023-5631, has a base CVSS score of just 5.4. It was reported by ESET to Roundcube’s open source maintainers on October 12 and patched within 48 hours – an impressive turnaround.
The bug lies in a server-side script that doesn’t properly sanitise malicious SVG documents before they are added to the HTML page rendered in the Roundcube user’s browser, ESET’s researchers said this week.
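As an added illustration of the class of problem (not Roundcube’s own sanitiser or fix, and using constructed sample bodies rather than real Winter Vivern mail), the following heuristic flags script-capable constructs inside inline SVG in an HTML mail body, the kind of check a gateway or incident responder might run when reviewing messages:

```python
import re
from html.parser import HTMLParser

# Constructed sample HTML mail bodies for demonstration only.
BENIGN_MAIL = '<p>Quarterly report attached.</p><svg width="10" height="10"><circle r="4"/></svg>'
SUSPICIOUS_MAIL = (
    '<p>Please review.</p>'
    '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
    '<a href="javascript:void(0)"><text>open</text></a></svg>'
)


class SvgAuditor(HTMLParser):
    """Flags script-capable constructs that appear inside <svg> markup.

    This is an independent detection heuristic, not Roundcube's sanitiser;
    a real gateway should still rely on a full allow-list HTML sanitiser.
    """
    SCRIPT_TAGS = {"script", "foreignobject"}  # HTMLParser lower-cases tag names

    def __init__(self):
        super().__init__()
        self.depth = 0        # nesting depth inside <svg> elements
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.depth += 1
        if self.depth == 0:
            return            # only inspect markup inside an <svg>
        if tag in self.SCRIPT_TAGS:
            self.findings.append(f"<{tag}> inside svg")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in ("href", "xlink:href") and value and \
                    re.match(r"\s*(javascript|data):", value, re.I):
                self.findings.append(f"{name} scheme on <{tag}>")

    def handle_endtag(self, tag):
        if tag == "svg" and self.depth:
            self.depth -= 1


def audit_svg(html):
    """Return a list of findings for the given HTML body (empty if clean)."""
    parser = SvgAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings
```

The benign logo yields no findings, while the second body is flagged for its `onload` handler and `javascript:` link.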
They attributed the attacks to “Winter Vivern” – a cyberespionage group that, according to security company SentinelOne, is aligned with the interests of Belarus and Russia’s governments. The group (also tracked as TA473 and UAC-0114) has targeted a range of government organizations, as well as telecoms companies, and typically starts its campaigns with phishing.
“No manual interaction other than viewing the message in a web browser is required,” ESET explained on October 25 – adding that “despite the low sophistication of the group’s toolset, it is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities.”
The flaw is patched in versions 1.6.4, 1.5.5, and 1.4.15.