Zimbra is an open-source collaborative office suite built for the cloud, consisting of webmail, web document creation and management, a calendar, and an address book. More than 200,000 companies and over 1,000 governments and financial institutions use Zimbra's messaging service, which connects the information and activities of end users to the private cloud; every day, millions of people use it to exchange email.
Two vulnerabilities recently discovered in Zimbra's open-source code by security researchers at SonarSource may allow attackers to compromise company webmail servers running Zimbra. Chained together, these vulnerabilities could enable an unauthenticated attacker to compromise a targeted organization's Zimbra webmail server and, as a result, gain unrestricted access to all emails sent and received by every employee.
- CVE-2021-35208 (CVSS score: 5.4) - DOM-based Stored Cross-Site Scripting (XSS)
- CVE-2021-35209 (CVSS score: 6.1) - Server-Side Request Forgery (SSRF)
The server-side request forgery vulnerability (CVE-2021-35209) lets an attacker bypass the access-control allow list, resulting in a powerful SSRF. According to the researchers, it can be exploited by any authenticated user, regardless of their privileges.
SSRF vulnerabilities can be extremely damaging
Cloud-native applications are at especially high risk from this category of SSRF vulnerability. This is mainly because the vulnerability lets an attacker set arbitrary headers in the outgoing request and also read the response.
For example, if the server is hosted in the Google Cloud Platform, an API access token could be leaked by forging a request to:
SSRF attacks like the one described above can be mitigated by not allowing the HTTP request handler to follow redirects automatically. Instead, the value of the response's Location header should be validated, and a new request created only after that validation has passed. This also protects against open redirect vulnerabilities.
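One way to implement this mitigation, as an added example that is not code from the SonarSource advisory or from Zimbra: a small Python client that never follows redirects on its own, validates every Location header against an allow list of hosts, and only then issues a fresh request. The host names in the allow list are assumed placeholders.

```python
from urllib import request
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit

# Assumed allow list: the only hosts this server may contact on a user's behalf.
ALLOWED_HOSTS = {"mail.example.com", "files.example.com"}
REDIRECT_CODES = {301, 302, 303, 307, 308}

class NoRedirect(request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses as HTTPError instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def validate_target(url, allowed_hosts=ALLOWED_HOSTS):
    """Return url if it is an acceptable outbound target, else raise ValueError.
    Every hop (initial URL and each redirect) passes this check, so a redirect
    cannot steer the request to a host the allow list never approved."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL not allowed")  # e.g. allowed.host@evil
    if parts.hostname is None or parts.hostname not in allowed_hosts:
        raise ValueError(f"host not in allow list: {parts.hostname!r}")
    return url

def next_hop(current_url, location, allowed_hosts=ALLOWED_HOSTS):
    """Resolve a (possibly relative) Location header and validate the result."""
    if not location:
        raise ValueError("redirect without Location header")
    return validate_target(urljoin(current_url, location), allowed_hosts)

def fetch(url, max_hops=3, timeout=5):
    """GET url, re-validating and re-issuing the request on every redirect
    instead of letting the HTTP library follow Location headers on its own."""
    opener = request.build_opener(NoRedirect)
    url = validate_target(url)
    for _ in range(max_hops + 1):
        try:
            return opener.open(url, timeout=timeout)
        except HTTPError as err:
            if err.code not in REDIRECT_CODES:
                raise
            url = next_hop(url, err.headers.get("Location"))
    raise ValueError(f"too many redirects (> {max_hops})")
```

The allow list is checked on every hop rather than only on the first URL, which is exactly the gap that a redirect-based bypass relies on; the example assumes DNS for the allowed hosts is under the operator's control.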
The XSS vulnerability listed above (CVE-2021-35208) was fixed by removing the code that transformed the form tag altogether.
Download and install the following recommended patches:
- Patch 18 of the 8.8.15 series
- Patch 16 of the 9.0 series
Earlier releases of these patches had some issues that have since been repaired.
While collaborative office software has evolved to keep up with the increasingly virtualized office environment, these vulnerabilities demonstrate the need for constant vigilance in software supply chain security. Zimbra did an exemplary job of expediting the development and release of the patches once the vulnerabilities were discovered. Even so, this situation is a reminder that, in addition to software vendors strengthening security-related processes during development, businesses must remind employees to be wary of suspicious emails, train them to spot malware, and tell them what to do when they receive unsolicited attachments. The software alone cannot be expected to defend against the constant onslaught of ever-evolving attack methods.