Zimbra webmail platform bugs gave access to mail servers

Two security bugs in Zimbra’s webmail could allow an adversary to access and control mail servers. Although the vulnerabilities have been addressed, they have potentially put thousands of businesses around the world at risk.

Zimbra bug-prone mail servers

SonarSource researchers discovered two different security bugs in the open source webmail platform Zimbra, exploiting what could expose email servers.

Zimbra is a dedicated software suite with a web client and an email server. Besides emails, it also supports chats, document sharing, video conferencing, and integration with other email clients like Mozilla Thunderbird, Apple Mail, and Microsoft Outlook.

Specifically, one of the bugs includes a stored XSS vulnerability (CVE-2021-35208) in the Calendar Invite component. This is a medium-severity bug with a severity score of 5.4.

Exploitation of this bug simply required an attacker to send a malicious email to the target user. Once the victim opens this email, a JavaScript payload is executed, giving the attacker access to all of the victim’s emails.

While the researchers identified the second vulnerability as an SSRF (CVE-2021-35209) allowing bypassing the whitelist. Although exploitation of this bug required the attacker to have authenticated access, the role of the attacker was not important. Thus, combining it with the first bug could allow access to cloud infrastructure and extract sensitive data.

In a real scenario, these bugs could easily trigger large-scale phishing attacks against businesses. Researchers shared technical details about the vulnerabilities in a blog post.

Patches deployed

After discovering these bugs, SonarSource contacted Zimbra, who then fixed them both.

According to vendor reviews, Zimbra has fixed the bugs with Zimbra 8.8.15 patch 23 and Zimbra 9.0.0 patch 16.

Considering the severity of the flaws if exploited, all users should update the respective versions to stay safe from potential attacks.

Let us know your thoughts in the comments.


Source link

Leave a Reply

Your email address will not be published. Required fields are marked *