Bugs in the Zimbra Server Could Lead to Unrestricted Email Access

Multiple security flaws have been uncovered in the Zimbra email collaboration software, which could be abused to compromise email accounts by sending a malicious message or even take control of the mail server if it is housed on a cloud infrastructure. Researchers from code quality and security solutions company SonarSource found and reported the flaws in Zimbra 8.8.15 in May 2021, dubbed CVE-2021-35208 and CVE-2021-35209. Since then, Zimbra versions 8.8.15 Patch 23 and 9.0.0 Patch 16 have been released with mitigations. 

“A combination of these vulnerabilities could enable an unauthenticated attacker to compromise a complete Zimbra webmail server of a targeted organization,” said SonarSource vulnerability researcher, Simon Scannell, who identified the security weaknesses. “As a result, an attacker would gain unrestricted access to all sent and received emails of all employees.” 

Zimbra is a cloud-based email, calendar, and collaboration suite for businesses that comes in both an open-source and commercially supported version with extra capabilities like a proprietary connector API for synchronising mail, calendar, and contacts with Microsoft Outlook, among other things. It’s utilised by more than 200,000 companies in 160 countries. 

The first flaw, discovered by Simon Scannell, could be exploited simply by opening a malicious email with a JavaScript payload. A cross-site scripting (XSS) bug (CVE-2021-35208) would be triggered in a victim’s browser if they opened such a rigged email. According to SonarSource, when the payload is performed, it gives an attacker access to the victim’s emails as well as their webmail session. They also claimed that it would serve as a starting point for additional assaults: “With this, other features of Zimbra could be accessed and further attacks could be launched.”

The second bug is an allow-list bypass that leads to a powerful server-side request forgery (SSRF) vulnerability (CVE-2021-35209) that may be exploited by an authenticated account belonging to a member of a targeted organisation with any permitted role. If the two bugs are combined, a remote attacker will be able to obtain valuable information from cloud infrastructure instances, such as Google Cloud API Tokens or AWS IAM credentials. 

“Zimbra would like to alert its customers that it is possible for them to introduce an SSRF security vulnerability in the Proxy Servlet,” the company noted in its advisory. “If this servlet is configured to allow a particular domain (via zimbraProxyAllowedDomains configuration setting), and that domain resolves to an internal IP address (such as 127.0.0.1), an attacker could possibly access services running on a different port on the same server, which would normally not be exposed publicly.”