
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-42009, affects Roundcube versions up to 1.5.7 and 1.6.x up to 1.6.7. The vulnerability was discovered by Oskar Zeino-Mahmalat from Sonar and disclosed in August 2024. The flaw allows a remote attacker to steal and send a victim's emails via a crafted email message that exploits a desanitization issue in the message_body() function in program/actions/mail/show.php (NVD, Sonar Blog).
The vulnerability stems from a desanitization issue in the HTML content processing of email messages: in the message_body() function, HTML content is post-processed after it has already been sanitized, and that post-processing can reintroduce XSS. The CVSS v3.1 base score is 9.3 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N). The issue specifically involves the html4inline() function, which transforms HTML documents into snippets; a faulty regex used there for parsing attributes can break otherwise safe HTML, allowing malicious attributes to bypass sanitization (Sonar Blog).
The vulnerability allows an unauthenticated attacker to steal emails and contacts, as well as send emails from a victim's account. Attackers can gain a persistent foothold in the victim's browser across restarts, enabling continuous email exfiltration and password theft. The attack requires no user interaction beyond viewing the malicious email in Roundcube. Government agencies and organizations using Roundcube are particularly at risk, as similar vulnerabilities have been exploited by APT groups such as Winter Vivern for cyber espionage (Sonar Blog).
The vulnerability has been patched in Roundcube versions 1.6.8 and 1.5.8. The fix removes the post-processing step that caused the vulnerability and moves the 'legacy attribute to style' conversion into the sanitization process. Administrators are strongly advised to update to these patched versions immediately. Users who suspect they are affected should change their email passwords and clear their browser's site data for the Roundcube site (Roundcube News, GitHub Release).
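The bug class described above (a post-sanitization transform that the sanitizer never sees) and the shape of the fix (make the conversion part of sanitization so the sanitizer has the last word) can be checked with a simple invariant: the pipeline's output must be a fixed point of the authoritative sanitizer. The following is an added illustration, not Roundcube code; the allowlist sanitizer, the hypothetical bgcolor-to-style regex and the sample input are all constructed for this example.

```python
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "div", "span", "table", "tr", "td"}


class _Allowlist(HTMLParser):
    """Toy allowlist sanitizer: re-serializes only allowed tags and attributes."""

    def __init__(self, allowed_attrs):
        super().__init__(convert_charrefs=True)
        self.allowed_attrs = allowed_attrs
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # disallowed tags are dropped; their text content is kept escaped
        kept = "".join(f' {k}="{escape(v or "", quote=True)}"'
                       for k, v in attrs if k in self.allowed_attrs)
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


LEGACY_ATTRS = frozenset({"class", "bgcolor"})   # sanitizer allowlist before the fix
STYLE_AWARE = frozenset({"class", "style"})      # sanitizer allowlist after the fix
LEGACY_RE = re.compile(r'\sbgcolor="([^"]*)"')   # hypothetical legacy-attribute converter


def sanitize(html, allowed_attrs=LEGACY_ATTRS):
    p = _Allowlist(allowed_attrs)
    p.feed(html)
    p.close()
    return "".join(p.out)


def legacy_to_style(html):
    return LEGACY_RE.sub(r' style="background-color:\1"', html)


def vulnerable_pipeline(html):
    # Sanitize, then post-process: whatever the regex produces is never re-checked.
    return legacy_to_style(sanitize(html))


def fixed_pipeline(html):
    # Convert first, then sanitize with a style-aware allowlist: sanitizer runs last.
    return sanitize(legacy_to_style(html), STYLE_AWARE)


def is_desanitized(pipeline, allowed_attrs, html):
    """Regression check: True if re-sanitizing the output changes it."""
    out = pipeline(html)
    return sanitize(out, allowed_attrs) != out
```

Running is_desanitized over a corpus of stored messages with each pipeline is a cheap way to catch any future transform that is added after the sanitizer rather than inside it.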
The security community has expressed significant concern about this vulnerability, particularly due to its potential impact on government agencies and its attractiveness to APT groups. The discovery has highlighted the ongoing security challenges in webmail systems and the importance of proper HTML sanitization. The vulnerability received immediate attention from security researchers and system administrators, especially given the history of similar vulnerabilities being exploited by state-sponsored threat actors (Help Net Security).
Source: This report was generated using AI