FreeScout
cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*
- 1.8.218
A vulnerability in FreeScout prior to version 1.8.220 allows for agent impersonation by exploiting a lack of HMAC verification in the email processing pipeline. The FetchEmails command has two paths for handling replies, but only the customer reply path includes proper HMAC validation. An external attacker who can spoof the From address of a helpdesk agent can inject messages that are processed as legitimate replies from that agent. These forged replies are then automatically forwarded to customers via the helpdesk's SMTP server, making the phishing attempt difficult to detect.
Exploitation of this vulnerability allows for agent impersonation, with forged replies sent to customers from the helpdesk's own SMTP server, bypassing email authentication checks. This not only deceives the customer into believing they are communicating with a real agent but also exploits the trust established in the email thread, increasing the likelihood of a successful phishing attempt. Additionally, the impersonation leaves no audit trail, as the forged reply is attributed to the real agent, who remains unaware of the incident.
To reproduce this vulnerability, an email must be sent to a FreeScout mailbox with a spoofed From address that appears to be from a helpdesk agent. The email should include an In-Reply-To header that references a notification reply Message-ID. Once the email is received, FreeScout's FetchEmails command will process it. The lack of HMAC verification in the notification reply path will allow the injection of the message as if it were a legitimate agent reply. After processing, the forged content will be sent to the customer via the helpdesk's SMTP server, completing the impersonation.
Users can update FreeScout to version 1.8.220 or later, where this vulnerability has been fixed.
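The kind of check the description says was missing from the notification reply path, as an added example (not FreeScout's code): a reply is attributed to an agent only when its In-Reply-To carries a valid HMAC bound to that agent. The Message-ID layout, secret, function names and sample addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import re
from email import message_from_string
from email.utils import parseaddr

SECRET = b"constructed-demo-key"  # assumption: per-install secret, never sent in mail
# Assumed layout: <notify-THREAD-USER-MAC@host>; not FreeScout's real format.
NOTIFY_ID = re.compile(r"<notify-(\d+)-(\d+)-([0-9a-f]{16})@[^>]+>")

def sign(thread_id: int, user_id: int) -> str:
    """Truncated HMAC-SHA256 binding a notification to one thread and one agent."""
    msg = f"{thread_id}:{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]

def notification_message_id(thread_id, user_id, host="helpdesk.example"):
    """Message-ID the helpdesk would put on an outgoing agent notification."""
    return f"<notify-{thread_id}-{user_id}-{sign(thread_id, user_id)}@{host}>"

def accept_agent_reply(raw: str, agents: dict):
    """Return (thread_id, user_id) if the reply is bound to a notification we sent, else None."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    m = NOTIFY_ID.fullmatch((msg.get("In-Reply-To") or "").strip())
    if m is None or sender not in agents:
        return None
    thread_id, user_id, mac = int(m[1]), int(m[2]), m[3]
    if not hmac.compare_digest(mac, sign(thread_id, user_id)):
        return None  # token was not issued by this helpdesk
    if agents[sender] != user_id:
        return None  # token was issued to a different agent
    return thread_id, user_id

AGENTS = {"agent@helpdesk.example": 7}  # constructed sample data

def build(in_reply_to: str) -> str:
    """Constructed sample message with an agent From address."""
    return (f"From: Agent <agent@helpdesk.example>\nIn-Reply-To: {in_reply_to}\n"
            "Subject: Re: ticket\n\nbody\n")

GENUINE = build(notification_message_id(1201, 7))
FORGED = build("<notify-1201-7-" + "0" * 16 + "@helpdesk.example>")
```

The From header alone never decides attribution here; a message that fails the check should fall through to the normal customer-mail handling or be quarantined rather than forwarded as an agent reply.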