Colin Mc Hugo
New Bug Could Let Attackers Hijack Zimbra Server by Sending Malicious Email

July 27, 2021

Cybersecurity researchers have found a number of security vulnerabilities in the Zimbra email collaboration software that could potentially be exploited to compromise email accounts by sending a malicious message, and even to achieve a full takeover of the mail server when it is hosted on cloud infrastructure.

The flaws, tracked as CVE-2021-35208 and CVE-2021-35209, were discovered and reported in Zimbra 8.8.15 by researchers from code quality and security solutions provider SonarSource in May 2021. Fixes have since been released in Zimbra versions 8.8.15 Patch 23 and 9.0.0 Patch 16.

  • CVE-2021-35208 (CVSS score: 5.4) – Stored XSS vulnerability in ZmMailMsgView.java
  • CVE-2021-35209 (CVSS score: 6.1) – Proxy Servlet open redirect vulnerability

“A combination of these vulnerabilities could enable an unauthenticated attacker to compromise a complete Zimbra webmail server of a targeted organization,” said SonarSource vulnerability researcher Simon Scannell, who identified the security weaknesses. “As a result, an attacker would gain unrestricted access to all sent and received emails of all employees.”


Zimbra is a cloud-based email, calendar, and collaboration suite for enterprises. It is available both as an open-source version and as a commercially supported version with additional features, such as a proprietary connector API to synchronize mail, calendar, and contacts with Microsoft Outlook, among others. It is used by over 200,000 businesses across 160 countries.

CVE-2021-35208 concerns a cross-site scripting (XSS) vulnerability in the Calendar Invite component that can be triggered in a victim's browser upon viewing a specially crafted email message containing a JavaScript payload. When executed, the payload grants access to the target's entire inbox as well as the web client session, which can then be abused to launch further attacks.


The issue stems from the fact that the Zimbra web clients (an Ajax-based desktop client, a static HTML client, and a mobile-optimized client) rely on sanitization of the HTML content of incoming emails performed on the server side, in a manner that allows a bad actor to inject rogue JavaScript code.

“The downside of using server-side sanitization is that all three clients may transform the trusted HTML of an email afterwards to display it in their unique way,” Scannell said. “Transformation of already sanitized HTML inputs can lead to corruption of the HTML and then to XSS attacks.”


CVE-2021-35209, on the other hand, relates to a server-side request forgery (SSRF) attack whereby an authenticated member of an organization can chain the flaw with the aforementioned XSS issue to redirect the HTTP client used by Zimbra to an arbitrary URL and extract sensitive information from the cloud, including Google Cloud API access tokens and IAM credentials from AWS, leading to its compromise.

“Zimbra would like to alert its customers that it is possible for them to introduce an SSRF security vulnerability in the Proxy Servlet,” the company noted in its advisory. “If this servlet is configured to allow a particular domain (via the zimbraProxyAllowedDomains configuration setting), and that domain resolves to an internal IP address (such as 127.0.0.1), an attacker could potentially access services running on a different port on the same server, which would normally not be exposed publicly.”
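The advisory's warning is easy to check for. The following Python audit is an added example, not Zimbra's code or SonarSource's: it takes the domains listed in zimbraProxyAllowedDomains, resolves each one, and flags any that resolve to an address that is not globally routable (loopback, RFC 1918, or the 169.254.169.254 cloud metadata endpoint). The domain list and DNS answers are constructed so the example runs offline; swap in the socket-based resolver to audit a real deployment.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Constructed sample of zimbraProxyAllowedDomains values; not from any real deployment.
SAMPLE_ALLOWED_DOMAINS = [
    "cdn.example.com",
    "internal-tools.example.com",
    "metadata.example.com",
]

# Constructed stand-in for DNS so the example runs offline. 1.2.3.4 is a placeholder
# public address; the other two answers model the risky case from the advisory.
SAMPLE_DNS: Dict[str, List[str]] = {
    "cdn.example.com": ["1.2.3.4"],
    "internal-tools.example.com": ["127.0.0.1"],
    "metadata.example.com": ["169.254.169.254"],
}


def resolve_with_table(table: Dict[str, List[str]]) -> Callable[[str], List[str]]:
    """Return a resolver that answers from a fixed table (empty list if unknown)."""
    return lambda name: table.get(name, [])


def resolve_with_dns(name: str) -> List[str]:
    """Real resolver using the system resolver; returns both IPv4 and IPv6 answers."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def non_global_addresses(ips: Iterable[str]) -> List[str]:
    """Keep only addresses that are not globally routable (loopback, private,
    link-local such as 169.254.169.254, reserved ranges, and so on)."""
    return [ip for ip in ips if not ipaddress.ip_address(ip).is_global]


def audit_allowed_domains(domains: Iterable[str], resolve: Callable[[str], List[str]]) -> Dict[str, List[str]]:
    """Map each allowed domain to the internal addresses it resolves to. Domains that
    resolve only to public addresses are omitted; a domain that does not resolve at
    all is reported with an empty list so it is reviewed rather than silently passed."""
    findings: Dict[str, List[str]] = {}
    for domain in domains:
        answers = resolve(domain)
        internal = non_global_addresses(answers)
        if not answers or internal:
            findings[domain] = internal
    return findings


if __name__ == "__main__":
    for domain, ips in audit_allowed_domains(SAMPLE_ALLOWED_DOMAINS, resolve_with_table(SAMPLE_DNS)).items():
        print(f"{domain}: {'does not resolve' if not ips else 'resolves to internal ' + ', '.join(ips)}")
```

Any domain the audit reports should be removed from zimbraProxyAllowedDomains or pointed at a host that is not the Zimbra server itself, since the Proxy Servlet will otherwise reach services on that host's other ports.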
