[BreachExchange] Bugs in the Zimbra Server Could Lead to Unrestricted Email Access

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Thu Jul 29 11:10:50 EDT 2021


https://www.ehackingnews.com/2021/07/bugs-in-zimbra-server-could-lead-to.html

Multiple security flaws have been uncovered in the Zimbra email
collaboration software, which could be abused to compromise email accounts
by sending a malicious message or even take control of the mail server if
it is housed on a cloud infrastructure. Researchers from code quality and
security solutions company SonarSource found and reported the flaws in
Zimbra 8.8.15 in May 2021, dubbed CVE-2021-35208 and CVE-2021-35209. Since
then, Zimbra versions 8.8.15 Patch 23 and 9.0.0 Patch 16 have been released
with mitigations.

"A combination of these vulnerabilities could enable an unauthenticated
attacker to compromise a complete Zimbra webmail server of a targeted
organization," said SonarSource vulnerability researcher, Simon Scannell,
who identified the security weaknesses. "As a result, an attacker would
gain unrestricted access to all sent and received emails of all employees."

Zimbra is a cloud-based email, calendar, and collaboration suite for
businesses that comes in both an open-source and commercially supported
version with extra capabilities like a proprietary connector API for
synchronising mail, calendar, and contacts with Microsoft Outlook, among
other things. It's utilised by more than 200,000 companies in 160
countries.

The first flaw, discovered by Simon Scannell, could be exploited simply by
opening a malicious email with a JavaScript payload. A cross-site scripting
(XSS) bug (CVE-2021-35208) would be triggered in a victim's browser if they
opened such a rigged email. According to SonarSource, once the payload
executes, it gives an attacker access to the victim's emails as well as
their webmail session. They also claimed that it would serve as a starting
point for additional assaults: “With this, other features of Zimbra could
be accessed and further attacks could be launched.”

The second bug is an allow-list bypass that leads to a powerful server-side
request forgery (SSRF) vulnerability (CVE-2021-35209) that may be exploited
by an authenticated account belonging to a member of a targeted
organisation with any permitted role. If the two bugs are combined, a
remote attacker will be able to obtain valuable information from cloud
infrastructure instances, such as Google Cloud API Tokens or AWS IAM
credentials.

"Zimbra would like to alert its customers that it is possible for them to
introduce an SSRF security vulnerability in the Proxy Servlet," the company
noted in its advisory. "If this servlet is configured to allow a particular
domain (via zimbraProxyAllowedDomains configuration setting), and that
domain resolves to an internal IP address (such as 127.0.0.1), an attacker
could possibly access services running on a different port on the same
server, which would normally not be exposed publicly."
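The advisory describes a condition an administrator can audit for: an allowed domain that resolves to loopback or internal address space. The script below is an added example (not from the article, Zimbra, or SonarSource); it assumes the zimbraProxyAllowedDomains values have already been exported into a list, and it takes the resolver as a parameter so the constructed sample data runs offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Ranges the Proxy Servlet should never reach on a client's behalf: loopback,
# RFC 1918 and ULA space, link-local (169.254.0.0/16 also hosts cloud instance
# metadata endpoints), CGNAT and the unspecified address.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10", "::/128",
)]

# Constructed sample of what an exported zimbraProxyAllowedDomains list might
# contain (hypothetical names, not taken from the article or any real server).
SAMPLE_ALLOWED_DOMAINS = ["cdn.example.com", "localhost",
                          "files.example.internal", "api.example.com"]

# Constructed DNS answers so the example runs offline; a real audit would pass
# resolve_with_dns() as the resolver instead.
SAMPLE_DNS: Dict[str, List[str]] = {
    "cdn.example.com": ["203.0.113.10"],
    "localhost": ["127.0.0.1", "::1"],
    "files.example.internal": ["10.20.30.40"],
    "api.example.com": ["::ffff:169.254.169.254"],  # IPv4-mapped form that a naive string check misses
}

def resolve_with_dns(name: str) -> List[str]:
    """Resolve A and AAAA records through the system resolver."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def is_blocked(addr: str) -> bool:
    """True if addr (optionally carrying an IPv6 zone id) falls in a blocked range."""
    ip = ipaddress.ip_address(addr.split("%")[0])
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # check ::ffff:a.b.c.d as the IPv4 address it wraps
    return any(ip in net for net in BLOCKED_NETWORKS)

def find_risky_domains(domains: Iterable[str],
                       resolver: Callable[[str], List[str]] = resolve_with_dns) -> Dict[str, List[str]]:
    """Map each allowed domain to the blocked addresses it resolves to; clean domains are omitted."""
    risky: Dict[str, List[str]] = {}
    for domain in domains:
        bad = [a for a in resolver(domain) if is_blocked(a)]
        if bad:
            risky[domain] = bad
    return risky

if __name__ == "__main__":
    for domain, addrs in find_risky_domains(SAMPLE_ALLOWED_DOMAINS, lambda n: SAMPLE_DNS.get(n, [])).items():
        print(f"{domain}: resolves to {', '.join(addrs)} -- remove it from zimbraProxyAllowedDomains")
```

Run it against the real list with the default resolver on the mail server itself, since split-horizon DNS can make a domain resolve to an internal address there but not from an external vantage point.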