Cybersecurity researchers of SonarSource have discovered multiple security vulnerabilities in Zimbra Email collaboration software that could be potentially exploited to compromise email accounts by sending a malicious email message and even achieve a full takeover of the mail server when hosted on a cloud infrastructure.
The flaws which tracked as CVE-2021-35208 and CVE-2021-35208 were discovered and reported in Zimbra 8.8.15 by researchers from code quality and security solutions provider SonarSource in May 2021. Mitigations for these bugs have since been released in Zimbra versions 8.8.15 Patch 23 and 9.0.0 Patch 16.
- CVE-2021-35208 – Stored XSS Vulnerability in ZmMailMsgView.java
- CVE-2021-35209 – Proxy Servlet Open Redirect Vulnerability
“A combination of these vulnerabilities could enable an unauthenticated attacker to compromise a complete Zimbra webmail server of a targeted organization,” said SonarSource vulnerability researcher, Simon Scannell, who identified the security weaknesses. “As a result, an attacker would gain unrestricted access to all sent and received emails of all employees.”
Zimbra is a cloud-based email, calendar, and collaboration suite for enterprises and is available both as an open-source version and a commercially supported version with additional features such as a proprietary connector API to synchronize mail, calendar, and contacts to Microsoft Outlook, among others. It’s used by over 200,000 businesses across 160 countries.
On the other hand, CVE-2021-35208 relates to a server side request forgery (SSRF) attack wherein an authenticated member of an organization can chain the flaw with the aforementioned XSS issue to redirect the HTTP client used by Zimbra to an arbitrary URL and extract sensitive information from the cloud, including Google Cloud API access tokens and IAM credentials from AWS, leading to its compromise.
“Zimbra would like to alert its customers that it is possible for them to introduce an SSRF security vulnerability in the Proxy Servlet,” the company noted in its advisory. “If this servlet is configured to allow a particular domain (via zimbraProxyAllowedDomains configuration setting), and that domain resolves to an internal IP address (such as 127.0.0.1), an attacker could possibly access services running on a different port on the same server, which would normally not be exposed publicly.”
Ref: The Hacker News