Cybersecurity scientists have uncovered multiple protection vulnerabilities in Zimbra e mail collaboration program that could be likely exploited to compromise email accounts by sending a malicious message and even realize a comprehensive takeover of the mail server when hosted on a cloud infrastructure.
The flaws — tracked as CVE-2021-35208 and CVE-2021-35208 — have been uncovered and described in Zimbra 8.8.15 by scientists from code excellent and stability answers service provider SonarSource in May possibly 2021. Mitigations have considering the fact that been released in Zimbra variations 8.8.15 Patch 23 and 9.. Patch 16.
- CVE-2021-35208 (CVSS score: 5.4) – Saved XSS Vulnerability in ZmMailMsgView.java
- CVE-2021-35209 (CVSS score: 6.1) – Proxy Servlet Open Redirect Vulnerability
“A combination of these vulnerabilities could allow an unauthenticated attacker to compromise a total Zimbra webmail server of a targeted group,” mentioned SonarSource vulnerability researcher, Simon Scannell, who discovered the protection weaknesses. “As a outcome, an attacker would get unrestricted entry to all despatched and been given email messages of all personnel.”
Zimbra is a cloud-primarily based electronic mail, calendar, and collaboration suite for enterprises and is available both of those as an open up-resource version and a commercially supported model with added features these as a proprietary connector API to synchronize mail, calendar, and contacts to Microsoft Outlook, amongst other people. It really is employed by above 200,000 firms throughout 160 international locations.
“The downside of employing server-aspect sanitization is that all 3 purchasers may perhaps remodel the dependable HTML of an electronic mail later on to show it in their exclusive way,” Scannell mentioned. “Transformation of previously sanitized HTML inputs can lead to corruption of the HTML and then to XSS assaults.”
On the other hand, CVE-2021-35208 relates to a server side ask for forgery (SSRF) attack whereby an authenticated member of an group can chain the flaw with the aforementioned XSS problem to redirect the HTTP consumer utilized by Zimbra to an arbitrary URL and extract delicate data from the cloud, which includes Google Cloud API access tokens and IAM credentials from AWS, major to its compromise.
“Zimbra would like to notify its consumers that it is possible for them to introduce an SSRF security vulnerability in the Proxy Servlet,” the enterprise pointed out in its advisory. “If this servlet is configured to allow a specific area (by using zimbraProxyAllowedDomains configuration location), and that domain resolves to an inner IP deal with (these as 127…1), an attacker could quite possibly accessibility expert services operating on a various port on the exact same server, which would ordinarily not be uncovered publicly.”