Several security flaws have been discovered in the Zimbra email collaboration software, which could allow attackers to hack email accounts by sending a specially crafted email and take over the mail server if it’s hosted on a cloud infrastructure.
Used by over 200,000 businesses, Zimbra is a popular cloud-based suite of email, calendar, and collaboration tools that enables businesses to manage and share their email and calendar content. It works seamlessly across various platforms such as Microsoft Outlook.
Two security flaws were discovered in Zimbra 8.8.15 by security solutions provider SonarSource in May 2021; they were later fixed by Patch 23 and Patch 16. The flaws are tracked as:
- CVE-2021-35208 (CVSS score: 5.4) – Stored XSS Vulnerability in ZmMailMsgView.java
- CVE-2021-35209 (CVSS score: 6.1) – Proxy Servlet Open Redirect Vulnerability
“A combination of these vulnerabilities could enable an unauthenticated attacker to compromise a complete Zimbra webmail server of a targeted organization,” said SonarSource vulnerability researcher, Simon Scannell, who found the security weaknesses. “As a result, an attacker would gain unrestricted access to all sent and received emails of all employees.”
The CVE-2021-35208 vulnerability is caused by a cross-site scripting (XSS) issue in the Calendar Invite component, which can be exploited to gain access to the target’s entire inbox and execute further attacks. The issue is that the HTML content of incoming emails is sanitized once on the server and then transformed separately by each of Zimbra's three web clients; as a result, rogue JavaScript code can be injected into the system.
According to Scannell, the downside of server-side sanitization is that it allows all three clients to modify the HTML of an email, which could result in HTML corruption and XSS attacks.
“The downside of using server-side sanitization is that all three clients may transform the trusted HTML of an email afterward to display it in their unique way,” Scannell said. “Transformation of already sanitized HTML inputs can lead to corruption of the HTML and then to XSS attacks.”
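The ordering problem Scannell describes, as an added illustration that is not Zimbra's or SonarSource's code: a toy allowlist sanitizer stands in for the server-side sanitizer, and an entity-decoding step stands in for a client-specific transform. The sanitizer, the transform, the `hasActiveContent` check and the sample email are all constructed for this example. It shows that running the transform on already-sanitized output reintroduces markup the sanitizer had neutralised, while sanitizing the final markup does not.

```javascript
// Added example (not from the article or from Zimbra): sanitizing first and
// transforming afterwards lets a client-side transform undo the sanitizer.

const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'br']);

// Minimal entity decoding/encoding for text nodes (constructed helpers).
function decodeEntities(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
          .replace(/&quot;/g, '"').replace(/&amp;/g, '&');
}
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Toy allowlist sanitizer modelled on what a server-side HTML sanitizer does:
// each text node is parsed (entities decoded) and re-escaped, only a few tags
// are kept, and every attribute is stripped so no event handler survives.
function sanitize(html) {
  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)[^>]*>|[^<]+|</g, (tok, tag) => {
    if (tag === undefined) return escapeText(decodeEntities(tok)); // text, or a stray '<'
    const name = tag.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return '';                        // drop unknown tags
    return tok.startsWith('</') ? `</${name}>` : `<${name}>`;      // keep tag, drop attributes
  });
}

// Stand-in for one client's "display it in its own way" transform: it decodes
// entities so text reads naturally. Harmless on raw text, but on already
// sanitized HTML it turns the sanitizer's escaping back into live markup.
function clientTransform(html) {
  return decodeEntities(html);
}

// The order the article describes: sanitize on the server, transform in the client.
function sanitizeThenTransform(emailHtml) {
  return clientTransform(sanitize(emailHtml));
}

// The safe order: whatever transforms a client applies, sanitize the final markup.
function transformThenSanitize(emailHtml) {
  return sanitize(clientTransform(emailHtml));
}

// Crude detector of active content in rendered markup, used only to make the
// difference visible; it is not itself a sanitizer.
function hasActiveContent(html) {
  return /<script|\son[a-z]+\s*=|javascript:/i.test(html);
}

// Constructed sample email: the encoded tag is inert text as far as the sanitizer is concerned.
const SAMPLE_EMAIL = '<p>Hi &lt;img src=x onerror=alert(1)&gt; <b>team</b></p>';

console.log('sanitize -> transform:', sanitizeThenTransform(SAMPLE_EMAIL));
console.log('transform -> sanitize:', transformThenSanitize(SAMPLE_EMAIL));
```

The defensive takeaway is the same regardless of sanitizer: the sanitizer must see the exact bytes that will be handed to the DOM, so any per-client rewriting belongs before sanitization or the client must re-sanitize after it.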
The second issue relates to a server-side request forgery (SSRF) attack where an authenticated user could chain it with the previous flaw to cause the HTTP client to redirect to an arbitrary web page, which could expose sensitive information from the cloud, including Google Cloud API access tokens and IAM credentials from AWS.
“Zimbra would like to alert its customers that it is possible for them to introduce an SSRF security vulnerability in the Proxy Servlet,” the company noted in its advisory. “If this servlet is configured to allow a particular domain (via zimbraProxyAllowedDomains configuration setting), and that domain resolves to an internal IP address (such as 127.0.0.1), an attacker could possibly access services running on a different port on the same server, which would normally not be exposed publicly,” the company explained.
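The condition in the advisory, an allowed domain that resolves to an internal address, is the kind of check a proxy allowlist needs to make before forwarding. The example below is added here and is not Zimbra's code; the function names, the allowlist, the fake DNS table and the injected `resolve` callback are constructed so it runs offline (a real deployment would resolve with `dns.promises.lookup` and connect to the vetted addresses it returns). It generalises slightly beyond the advisory's 127.0.0.1 case by also rejecting RFC 1918, link-local (which covers the 169.254.169.254 cloud metadata endpoint the article alludes to), CGNAT and IPv4-mapped IPv6 targets.

```javascript
// Added example (not from the article or from Zimbra): allowlist a proxy target
// by name, then refuse it if any address it resolves to is internal.

function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Ranges a public-facing proxy must never reach: loopback, RFC 1918,
// link-local (includes 169.254.169.254), CGNAT and "this network".
const BLOCKED_V4 = [
  ['127.0.0.0', 8], ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['169.254.0.0', 16], ['100.64.0.0', 10], ['0.0.0.0', 8],
];

function isInternalAddress(ip) {
  const v4 = ipv4ToInt(ip);
  if (v4 !== null) {
    return BLOCKED_V4.some(([net, bits]) => {
      const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
      return ((v4 & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
    });
  }
  const v6 = ip.toLowerCase();
  // IPv4-mapped IPv6 (::ffff:a.b.c.d) is judged by the embedded IPv4 address.
  const mapped = v6.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  if (mapped) return isInternalAddress(mapped[1]);
  // loopback, unspecified, unique-local (fc00::/7) and link-local (fe80::/10)
  return v6 === '::1' || v6 === '::' || /^f[cd]/.test(v6) || /^fe[89ab]/.test(v6);
}

// `resolve(host)` returns every address for the name (injected so the check is
// testable offline). The vetted addresses are returned so the caller connects
// to exactly these and does not re-resolve, which would reopen DNS rebinding.
function isProxyTargetAllowed(hostname, allowedDomains, resolve) {
  const host = hostname.toLowerCase().replace(/\.$/, '');
  const allowed = allowedDomains.some(d => host === d || host.endsWith('.' + d));
  if (!allowed) return { ok: false, reason: 'host not in allowlist' };
  const addrs = resolve(host);
  if (addrs.length === 0) return { ok: false, reason: 'host does not resolve' };
  const internal = addrs.find(isInternalAddress);
  if (internal) return { ok: false, reason: `resolves to internal address ${internal}` };
  return { ok: true, addresses: addrs };
}

// Constructed allowlist and DNS table for the demonstration.
const ALLOWED_DOMAINS = ['partner.example', 'cdn.example'];
const FAKE_DNS = {
  'api.partner.example': ['203.0.113.10'],
  'rebound.partner.example': ['203.0.113.11', '127.0.0.1'], // allowed name, internal answer
  'meta.cdn.example': ['169.254.169.254'],                   // allowed name, metadata endpoint
};
const fakeResolve = host => FAKE_DNS[host] || [];

for (const h of ['api.partner.example', 'rebound.partner.example', 'meta.cdn.example', 'attacker.example']) {
  console.log(h, JSON.stringify(isProxyTargetAllowed(h, ALLOWED_DOMAINS, fakeResolve)));
}
```

The name-based allowlist alone is what the advisory warns about: it passes `rebound.partner.example` and `meta.cdn.example` because the names are permitted, and only the resolved-address check rejects them. Checking after resolution, and connecting to the checked addresses, also closes the window in which a second lookup could return a different answer.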