New Bug Might Let Attackers Hijack Zimbra Server by Sending Malicious E mail


zimbra email server

Cybersecurity researchers have found a number of safety vulnerabilities in Zimbra e-mail collaboration software program that could possibly be doubtlessly exploited to compromise e-mail accounts by sending a malicious message and even obtain a full takeover of the mail server when hosted on a cloud infrastructure.

The issues — tracked as CVE-2021-35208 and CVE-2021-35208 — have been found and reported in Zimbra 8.8.15 by researchers from code high quality and safety options supplier SonarSource in Could 2021. Mitigations have since been released in Zimbra variations 8.8.15 Patch 23 and 9.0.0 Patch 16.

  • CVE-2021-35208 (CVSS rating: 5.4) – Saved XSS Vulnerability in ZmMailMsgView.java
  • CVE-2021-35209 (CVSS rating: 6.1) – Proxy Servlet Open Redirect Vulnerability

“A mixture of those vulnerabilities might allow an unauthenticated attacker to compromise an entire Zimbra webmail server of a focused group,” said SonarSource vulnerability researcher, Simon Scannell, who recognized the safety weaknesses. “In consequence, an attacker would acquire unrestricted entry to all despatched and acquired emails of all workers.”

Stack Overflow Teams

Zimbra is a cloud-based e-mail, calendar, and collaboration suite for enterprises and is obtainable each as an open-source model and a commercially supported model with further options resembling a proprietary connector API to synchronize mail, calendar, and contacts to Microsoft Outlook, amongst others. It is used by over 200,000 companies throughout 160 nations.

CVE-2021-35208 considerations a cross-site scripting (XSS) vulnerability within the Calendar Invite part that may be triggered in a sufferer’s browser upon viewing a specially-crafted e-mail message containing a JavaScript payload that, when executed, grants entry to the goal’s whole inbox in addition to the online shopper session, which may then be abused to launch additional assaults.

zimbra vulnerability

The issue stems from the truth that the Zimbra internet purchasers — an Ajax-based desktop shopper, a static HTML shopper, and a mobile-optimized shopper — carry out the sanitization of the HTML content material of incoming emails on the server-side and in a way that permits a nasty actor to inject rogue JavaScript code.

“The draw back of utilizing server-side sanitization is that every one three purchasers might rework the trusted HTML of an e-mail afterwards to show it of their distinctive method,” Scannell stated. “Transformation of already sanitized HTML inputs can result in corruption of the HTML after which to XSS assaults.”

Enterprise Password Management

Then again, CVE-2021-35208 pertains to a server aspect request forgery (SSRF) assault whereby an authenticated member of a corporation can chain the flaw with the aforementioned XSS subject to redirect the HTTP shopper utilized by Zimbra to an arbitrary URL and extract delicate data from the cloud, together with Google Cloud API entry tokens and IAM credentials from AWS, resulting in its compromise.

“Zimbra wish to alert its prospects that it’s potential for them to introduce an SSRF safety vulnerability within the Proxy Servlet,” the corporate noted in its advisory. “If this servlet is configured to permit a specific area (through zimbraProxyAllowedDomains configuration setting), and that area resolves to an inside IP handle (resembling 127.0.0.1), an attacker might probably entry companies working on a special port on the identical server, which might usually not be uncovered publicly.”





Source link