CVE-2024-42010: 
Linux Debian vulnerability analysis and mitigation

The vulnerability CVE-2024-42010 affects Roundcube versions through 1.5.7 and 1.6.x through 1.6.7. It is a security flaw where the modcssstyles component insufficiently filters Cascading Style Sheets (CSS) token sequences in rendered e-mail messages, allowing a remote attacker to obtain sensitive information. The vulnerability was discovered by Oskar Zeino-Mahmalat from Sonar and was patched in versions 1.6.8 and 1.5.8 released on August 4, 2024 (Roundcube News, Sonar Blog).

The vulnerability stems from Roundcube's CSS filtering mechanism which uses a regex-based blocklist filter on CSS text. The modcssstyles() function attempts to detect dangerous functions or rules, including url() or @import that can make connections to a remote server. The vulnerability exists because the filter operates on a stripped version of the CSS rather than the full CSS content. An attacker can bypass the filter by choosing a domain name that starts with 'a' to trick the check into seeing 'importa', which is allowed through the filter. After the blocklist check, the original unstripped CSS is used for rendering the email, allowing the attacker to import arbitrary unfiltered CSS to leak sensitive information (Sonar Blog).

The vulnerability allows attackers to leak sensitive information from the page through CSS-based attacks. When combined with other vulnerabilities (CVE-2024-42008 and CVE-2024-42009), it can be used as part of a larger attack chain to steal emails, contacts, and the victim's email password, as well as send emails from the victim's account (Sonar Blog).

The vulnerability has been fixed in Roundcube versions 1.6.8 and 1.5.8. The patch improves the CSS filter by actually searching for @import and no longer operating on stripped CSS. Administrators are strongly advised to update their Roundcube installations to these patched versions immediately. Users who suspect they are affected should change their email password and clear the site data of the Roundcube site they are using in their browser (Roundcube News, Sonar Blog).

Security researchers have expressed particular concern about this vulnerability due to its potential impact on government and institutional users of Roundcube. The discovery comes in the context of previous attacks by APT groups like Winter Vivern, who have targeted European government entities using similar vulnerabilities in Roundcube (Sonar Blog).