Zimbra server under possible attack because of a new bug

by | July 29, 2021 | Cybersecurity News

According to researchers, the Zimbra webmail server contains two weaknesses that might allow an attacker to paw through the inbox and outbox of all employees in all organizations that utilize the widely used collaboration application.

Given Zimbra’s popularity and the sensitive nature of the scads of messages it processes, SonarSource (a company that develops open-source software for continuous code quality and security) described the situation as “drastic.” Over 200,000 enterprises, a thousand government and financial institutions, and hundreds of millions of consumers use Zimbra’s email and collaboration capabilities to exchange emails every day, according to the company’s website.

According to the report, “When attackers get access to an employee’s email account, it often has drastic security implications. Besides the confidential information and documents exchanged, an email account is often linked to other sensitive accounts that allow a password reset. So think about it, what could an attacker do with your inbox?”

For one thing, they’d have free rein over accounts. Researchers from SonarSource identified two vulnerabilities in the open-source Zimbra code that can be chained together to give attackers full access to Zimbra mail servers, and with them to the emails sent and received by all of an organization’s employees.

Malicious email could contain a JavaScript payload carefully crafted

The first weakness, discovered by Simon Scannell, a vulnerability researcher at SonarSource, could be exploited simply by the victim opening a malicious email carrying a carefully crafted JavaScript payload. Opening such a rigged email triggers a cross-site scripting (XSS) bug (CVE-2021-35208) in the victim’s browser. According to SonarSource, when the payload executes, it gives an attacker access to the victim’s emails and their webmail session.

They also claimed that it would serve as a ground zero point for additional attacks: “With this, other features of Zimbra could be accessed, and further attacks could be launched.”

The second problem is an allow-list bypass that leads to a powerful server-side request forgery (SSRF) vulnerability (CVE-2021-35209) that may be exploited by an authenticated account belonging to a member of a targeted organization with any permitted role.

If the two issues are combined, a remote attacker could obtain valuable secrets from cloud infrastructure instances, such as Google Cloud API tokens or AWS IAM credentials.

“A combination of these vulnerabilities could enable an unauthenticated attacker to compromise a complete Zimbra webmail server of a targeted organization.” – Simon Scannell

What is Zimbra?

Zimbra is a cloud-based email, calendar, and collaboration suite for businesses that comes in both an open-source and commercially supported version with extra capabilities like a proprietary connector API for synchronizing mail, calendar, and contacts with Microsoft Outlook, among other things.

It’s utilized by more than 200,000 companies in 160 countries.

An $80 million misconfiguration

That may sound familiar: the researchers cited the 2019 Capital One breach, which used a similar SSRF weakness. In that case the attacker, a former AWS engineer, got away with the personal data of over 100 million people thanks to a cloud misconfiguration. The FBI caught the attacker, but it was a costly SSRF blunder: Capital One was fined $80 million by federal bank regulators for failing to follow adequate cybersecurity practices.

SonarSource explained that “SSRF vulnerabilities have become an increasingly dangerous bug class, especially for cloud-native applications.” However, the security company said it doesn’t know if the vulnerability affected Zimbra Cloud, a SaaS solution that uses AWS.

According to Scannell, the SSRF weakness allows an attacker to send HTTP requests to any host or port. He added: “Combined with protocol smuggling, this could lead to RCE. It could also enable an attacker to steal highly sensitive metadata, such as access tokens to the account that is associated with the instance that would have been exploited.”

As previously indicated, an attacker might obtain access tokens from cloud instances, such as Google Cloud API tokens or AWS IAM credentials.
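To illustrate the allow-list bypass and metadata-token theft described above, the block below is an added example (not Zimbra’s code and not SonarSource’s findings) that contrasts a substring-based allow-list check with one that matches the host exactly and refuses destinations resolving to non-global addresses such as the 169.254.169.254 instance-metadata address used by AWS and GCP. The host names, IP addresses and the offline DNS table are constructed for the example.

```python
"""Allow-list validation for server-side fetches (an SSRF defence).

Added example, not Zimbra's code. The weak checker shows the general
substring-matching pattern that allow-list bypasses abuse; the hardened
checker matches the host exactly, restricts the scheme, and rejects any
destination that resolves to a non-global address, which is where cloud
instance-metadata services (169.254.169.254 on AWS and GCP) live.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list of hosts the server may fetch from.
ALLOWED_HOSTS = {"files.example.com", "api.example.com", "legacy.example.com"}

# Constructed, offline DNS table so the example runs without network access.
# "legacy.example.com" models an allow-listed name whose record now points at
# the link-local metadata address (e.g. after a DNS change or rebinding).
FAKE_DNS = {
    "files.example.com": ["93.184.216.34"],
    "api.example.com": ["93.184.216.35"],
    "legacy.example.com": ["169.254.169.254"],
    "attacker.test": ["93.184.216.99"],
}


def weak_is_allowed(url: str) -> bool:
    """Substring match: passes if an allowed name appears anywhere in the URL."""
    return any(host in url for host in ALLOWED_HOSTS)


def hardened_is_allowed(url: str, resolve=lambda h: FAKE_DNS.get(h, [])) -> bool:
    """Exact host match, http(s) only, and every resolved address must be global."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()   # hostname drops user@ and :port
    if host not in ALLOWED_HOSTS:
        return False
    addrs = resolve(host)
    if not addrs:
        return False
    # is_global is False for loopback, RFC 1918, link-local (169.254/16) and
    # other special ranges, so the metadata endpoint is refused here. A real
    # client should also connect to the vetted address rather than re-resolve.
    return all(ipaddress.ip_address(a).is_global for a in addrs)
```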

The Zimbra team has addressed both concerns with Patch 18 for the 8.8.15 series and Patch 16 for the 9.0 series. However, prior versions of both branches, according to SonarSource, are still susceptible.

The problems were reported to Zimbra on May 20 and 22, and updates for the 8.8.15 and 9.0 series were published on June 28. According to Scannell, the vulnerabilities, both of which were rated medium severity, might have had significant consequences: “Both vulnerabilities work on the default configuration and are affecting the Zimbra core,” says the researcher.

Final words

Given the number of bullseyes that have been painted on Zimbra’s back, it’s a safe bet that attackers will try to exploit the flaws.

In April, a Zimbra bug, CVE-2019-9670 in Synacor Zimbra Collaboration Suite (XXE), was one of five flaws under a nation-state attack that triggered an NSA alert about an APT29 campaign set on obtaining credentials and more.

The Russia-linked APT29 attack group must have a soft spot for Zimbra: Before the April campaign, the cybergang targeted pharma research in Western countries in July 2020, most likely in an attempt to steal research for a COVID-19 vaccine. Exploits for known vulnerabilities, including one in Zimbra, were used in the takeover (CVE-2019-9670).


by Andreea Popa

Content writer for Attack Simulator, delivering your daily dose of awareness for cyber security! I love to write passionately about any subject, and my main inspiration is people’s stories. You can also find me on social media, for some more friendly things!