Recently discovered Zimbra vulnerabilities may have compromised 200,000 companies

Aug 2, 2021 | Pen Test Technical Tips

Zimbra is an open-source collaborative office suite consisting of webmail, web document creation and management, a calendar, and an address book, built for the cloud. More than 200,000 companies and over 1,000 governments and financial institutions use Zimbra’s messaging service, which connects the information and activities of end users to the private cloud, and millions of people use it every day to exchange email.

Two vulnerabilities recently discovered in Zimbra’s open-source code by security researchers at SonarSource may allow attackers to compromise company webmail servers running Zimbra. Chained together, these vulnerabilities could enable an unauthenticated attacker to compromise a targeted organization’s Zimbra webmail server, giving the attacker unrestricted access to all sent and received emails of all employees.

Vulnerabilities Overview:

  • CVE-2021-35208 (CVSS score: 5.4): DOM-based Stored Cross-Site Scripting (XSS)
  • CVE-2021-35209 (CVSS score: 6.1): Server-Side Request Forgery (SSRF)

The cross-site scripting vulnerability (CVE-2021-35208) is triggered when a user opens a crafted email in Zimbra. The malicious email carries a sophisticated JavaScript payload; once it executes in the victim’s browser, the attacker has complete access to the victim’s email inbox and outbox (with the exception of their webmail session information), along with full access to the other functions of the Zimbra suite, enabling a variety of additional attacks.

The server-side request forgery vulnerability (CVE-2021-35209) bypasses an allow-list access control, resulting in a powerful SSRF. According to the researchers, this vulnerability can be exploited by any authenticated user, regardless of their privileges.

In either case, the attacker is able to plant malicious JavaScript that runs in the Zimbra web client (in its Ajax, static HTML and mobile-optimized variants), despite the stripping of HTML content that the server applies to received mail.

SSRF vulnerabilities can be extremely damaging

Cloud-native applications are at especially high risk from this category of SSRF. This is mainly because the vulnerability lets an attacker set arbitrary headers on the outgoing request, and also because it lets the attacker read the response.

For example, if the server is hosted in the Google Cloud Platform, an API access token could be leaked by forging a request to:

https://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token

Mitigation

SSRF attacks like the one described above can be mitigated by configuring the HTTP request handler not to follow redirects automatically. Instead, the value of the Location header in a redirect response should be validated against the same access control as the original URL, and a new request issued only after it has passed validation. This would also protect against Open Redirect vulnerabilities.
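The following is an added example of that mitigation pattern, written for this page and not taken from Zimbra’s code. It assumes a proxy-style fetcher with an allow-list of hostnames (the names `feeds.example.com` and `files.example.com` are constructed), refuses to follow a redirect transparently, and re-validates each hop’s target before issuing a new request. The simulated upstream responses are constructed so the example runs offline; one of them redirects to the cloud metadata endpoint quoted above, which the guard must refuse.

```python
"""Redirect-aware SSRF guard (added example, not Zimbra's own code)."""
import ipaddress
from typing import Callable, Dict, Tuple
from urllib.parse import urljoin, urlsplit

# Constructed allow-list: the only hostnames the proxy may contact.
ALLOWED_HOSTS = {"feeds.example.com", "files.example.com"}

# Names and address ranges that must never be reachable, no matter how
# the request got there (direct URL or redirect hop).
BLOCKED_HOSTS = {"metadata.google.internal", "localhost"}
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),  # link-local, incl. 169.254.169.254 metadata
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fe80::/10"),
]
MAX_HOPS = 3

Response = Tuple[int, Dict[str, str], bytes]   # (status, headers, body)
Fetcher = Callable[[str], Response]            # must NOT follow redirects itself


class BlockedRequest(Exception):
    """Raised when a URL (initial or redirect target) fails validation."""


def is_allowed_target(url: str) -> bool:
    """Return True only for http(s) URLs whose host is on the allow-list
    and is neither a blocked name nor an address in a blocked range."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower().rstrip(".")
    if host in BLOCKED_HOSTS:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a DNS name, not a literal address
    if addr is not None and any(addr in net for net in BLOCKED_NETWORKS):
        return False
    return host in ALLOWED_HOSTS


def fetch_with_checked_redirects(url: str, fetch: Fetcher,
                                 max_hops: int = MAX_HOPS) -> Response:
    """Fetch `url`, validating every redirect target before following it."""
    current = url
    for _ in range(max_hops + 1):
        if not is_allowed_target(current):
            raise BlockedRequest(f"refusing to request {current}")
        status, headers, body = fetch(current)
        if status not in (301, 302, 303, 307, 308):
            return status, headers, body
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if not location:
            raise BlockedRequest("redirect response without a Location header")
        # Resolve relative Location values against the URL that was just fetched.
        current = urljoin(current, location)
    raise BlockedRequest("too many redirects")


def constructed_fetcher(url: str) -> Response:
    """Simulated upstream servers (constructed for this example; no network I/O)."""
    table = {
        "https://feeds.example.com/news":
            (200, {"Content-Type": "text/plain"}, b"headline"),
        "https://feeds.example.com/moved":
            (302, {"Location": "/news"}, b""),
        # An allow-listed host redirecting to the cloud metadata service:
        # exactly the hop a naive redirect-following client would take.
        "https://feeds.example.com/evil":
            (302, {"Location": "https://metadata.google.internal/computeMetadata/v1/"
                               "instance/service-accounts/default/token"}, b""),
        "https://feeds.example.com/evil-ip":
            (302, {"Location": "http://169.254.169.254/computeMetadata/v1/"}, b""),
    }
    return table.get(url, (404, {}, b"not found"))


def attempt(url: str) -> str:
    """Human-readable outcome of a guarded fetch, for the demo below."""
    try:
        status, _, body = fetch_with_checked_redirects(url, constructed_fetcher)
        return f"{status} {body.decode()}"
    except BlockedRequest as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    for u in ("https://feeds.example.com/moved", "https://feeds.example.com/evil",
              "https://feeds.example.com/evil-ip"):
        print(u, "->", attempt(u))
```

The check is applied before every request, not just the first, so an allow-listed host that answers with a redirect cannot steer the proxy to an internal address. In a real deployment the host should also be resolved and the resulting IP checked against the blocked ranges (and that IP pinned for the actual connection), since a DNS name on the allow-list can otherwise be pointed at an internal address.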

The XSS vulnerability described above has been fixed by removing the code that transformed the form tag altogether.

Download and install the following recommended patches

  • Patch 18 of the 8.8.15 series
  • Patch 16 of the 9.0 series

There were some issues with previous versions of these patches that have since been repaired.

In Conclusion

While virtual collaborative office software has evolved to keep up with the increasingly virtualized office environment, these vulnerabilities demonstrate the need for constant vigilance in software supply chain security. Zimbra has done an exemplary job of expediting the development and release of the patches once the vulnerabilities were discovered, but this situation still serves as a reminder that in addition to software vendors enhancing security related processes in the software development phase, it is also crucial for businesses to remind employees to be wary of suspicious emails and train them to spot malware, and what actions to take when they receive unsolicited attachments. The software alone cannot be expected to defend against the constant onslaught of ever-evolving attack methods.