
Two Critical Vulnerabilities Identified in Zimbra Webmail Solution

Two critical vulnerabilities, CVE-2021-35208 and CVE-2021-35209, in the Zimbra enterprise webmail solution could allow an attacker to compromise and obtain persistent access to business email accounts.

Vulnerabilities in Zimbra

Unpatched vulnerabilities are a common entry point for intrusions: they make it far easier for an attacker to break into a targeted network. Researchers at security firm SonarSource recently uncovered two critical vulnerabilities in Zimbra's enterprise webmail solution that could allow an attacker to compromise business email accounts and obtain persistent access to them. Zimbra is a popular open-source enterprise mail platform used by public and private organizations worldwide.

The vulnerabilities, tracked as CVE-2021-35208 and CVE-2021-35209, were found in Zimbra version 8.8.15. “A combination of these vulnerabilities could enable an unauthenticated attacker to compromise a targeted organization’s Zimbra webmail server. As a result, an attacker would gain unrestricted access to all sent and received emails of all employees,” Zimbra said.

Vulnerability 1

Tracked as CVE-2021-35208, this vulnerability is a cross-site scripting (XSS) flaw that fires in the victim's browser when the Zimbra web client renders a malicious email carrying a specially crafted JavaScript payload. Successfully exploited, it gives the attacker control of the victim's webmail session and, through it, access to the email account.

Vulnerability 2

Tracked as CVE-2021-35209, this is a server-side request forgery (SSRF) flaw that a remote attacker can exploit by chaining it with the XSS vulnerability. It lets the attacker drive Zimbra's server-side HTTP client, pointing it at internal services that are not reachable from outside and pilfering private information such as access tokens and credentials for Google Cloud and Amazon Web Services.

Both vulnerabilities can be exploited by sending a single malicious email to the targeted user. Once the victim opens the email in the Zimbra web client, the JavaScript payload runs automatically in the context of the web interface and, from there, reaches the SSRF flaw in the backend.

Zimbra fixed both flaws in its latest security update after SonarSource reported the issue. Because the SSRF also depends on how the server is configured, Zimbra issued a warning to administrators: “Zimbra would like to alert its customers that they can introduce an SSRF security vulnerability in the Proxy Servlet. If this servlet is configured to allow a particular domain (via the zimbraProxyAllowedDomains configuration setting), and that domain resolves to an internal IP address (such as 127.0.0.1), an attacker could access services running on a different port on the same server, which would normally not be exposed publicly. So, we urge our customers to review this configuration setting to ensure that no vulnerabilities are introduced,” Zimbra added.
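The warning above reduces to a concrete check an administrator can script: take every entry in zimbraProxyAllowedDomains, resolve it, and flag anything that lands on a loopback, private or link-local address (the latter includes the 169.254.169.254 cloud metadata endpoint that holds the kind of credentials mentioned earlier). The Python below is an added example written for this article, not code from Zimbra or SonarSource. It assumes you export the attribute's values yourself (for instance with `zmprov gacf zimbraProxyAllowedDomains` on the mailbox server, and per domain with `zmprov gd <domain> zimbraProxyAllowedDomains`) and pass them in as a list; the DNS table it ships with is constructed so that it runs offline, and the wildcard handling reflects the general point that a pattern entry accepts any name an attacker can point at an internal address, not a Zimbra-specific rule.

```python
"""Audit zimbraProxyAllowedDomains entries for names that resolve to internal
addresses, the Proxy Servlet misconfiguration Zimbra warns about."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# A resolver maps a hostname to the IP addresses it resolves to. The default
# asks the OS resolver; offline runs and tests inject a dictionary instead.
Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve a hostname via the OS resolver, returning [] on failure."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_internal(ip_str: str) -> bool:
    """True for addresses the proxy should never be allowed to reach:
    loopback (127.0.0.1, ::1), private ranges, link-local (which covers the
    169.254.169.254 metadata endpoint) and unspecified/reserved/multicast.
    Note that Python's is_private also counts documentation ranges such as
    203.0.113.0/24 as private, which is fine for an allow-list audit."""
    ip = ipaddress.ip_address(ip_str)
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_unspecified or ip.is_multicast)


def audit_allowed_domains(entries: Iterable[str],
                          resolve: Resolver = system_resolver) -> List[Dict]:
    """Return one finding per risky entry; clean entries produce nothing."""
    findings = []
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        if entry.startswith("*."):
            # Wildcard entries are the worst case: anyone who controls a name
            # under the suffix (or a DNS rebinding setup) can point it at
            # 127.0.0.1 and the proxy will follow.
            findings.append({"entry": entry, "risk": "wildcard", "addresses": []})
            continue
        addrs = resolve(entry)
        if not addrs:
            # An unresolvable allow-list entry is dead weight and may later be
            # registered by someone else (dangling DNS), so report it too.
            findings.append({"entry": entry, "risk": "unresolved", "addresses": []})
            continue
        internal = [a for a in addrs if is_internal(a)]
        if internal:
            findings.append({"entry": entry, "risk": "internal", "addresses": internal})
    return findings


# Constructed sample: a pretend DNS table standing in for real lookups so the
# script runs offline. 93.184.216.x is used here as an ordinary public range.
SAMPLE_DNS = {
    "mail.example.com": ["93.184.216.34"],           # fine
    "legacy.example.com": ["127.0.0.1"],             # the case Zimbra describes
    "ci.example.com": ["10.0.5.7", "93.184.216.35"], # split-horizon: one internal
    "metadata.example.com": ["169.254.169.254"],     # cloud metadata endpoint
    "dead.example.com": [],                          # dangling entry
}
SAMPLE_ENTRIES = list(SAMPLE_DNS) + ["*.example.com"]


def demo() -> List[Dict]:
    """Run the audit over the constructed sample with the fake resolver."""
    return audit_allowed_domains(SAMPLE_ENTRIES,
                                 resolve=lambda h: SAMPLE_DNS.get(h, []))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['risk']:10} {f['entry']:25} {' '.join(f['addresses'])}")
```

For a real audit, call `audit_allowed_domains` with the exported values and the default `system_resolver`, and run it on the Zimbra mailbox host itself: the Proxy Servlet's requests originate there, so a split-horizon DNS that returns an internal address only from inside the network is exactly the case that matters and is invisible from an external workstation.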
