Cybersecurity experts report the discovery of two vulnerabilities in Zimbra, a webmail platform used by more than 200 thousand organizations worldwide. According to the report, the combined exploitation of these flaws would allow unauthenticated threat actors to take control of the affected servers.
Malicious hackers could trick the victim into opening a specially crafted email to gain unlimited access to information stored on servers, including all emails sent and received in the organization, as well as access to cloud environments linked to these deployments.
According to Simon Scannell, a researcher at SonarSource, the first of these flaws was identified as CVE-2021-35208 and is a cross-site scripting (XSS) flaw that is triggered in the context of the victim’s browser after opening a malicious email.
The second flaw was described as an allow-list bypass that can lead to server-side request forgery (SSRF). It can be triggered from any authenticated account, regardless of the user’s privilege level.
As mentioned at the outset, both flaws could combine to compromise an organization’s entire Zimbra webmail server: “The combined exploitation of these vulnerabilities could lead to a remote code execution (RCE) scenario, in addition to allowing the theft of access tokens and other sensitive information from the target system,” the report states.
Zimbra received the corresponding reports at the end of May and released the necessary updates a couple of days later. The company also announced alternative measures to mitigate the risk of exploitation: “The SSRF flaw can be mitigated by disabling redirection in the HTTP handler, while the XSS attack is corrected by removing the code that transforms the form tag completely.” A full report of the vulnerabilities addressed is available on Zimbra’s official platforms.
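The SSRF mitigation quoted above (disable redirection in the HTTP handler) is easy to misread as a minor tweak, so the following added example shows why it matters. It is illustration code written for this article, not Zimbra’s code: the allow-list, the fake server table, the hostnames and the 10.0.0.5 internal address are all constructed. A host allow-list checked only on the initial URL is defeated when the server-side fetcher follows a redirect from an allow-listed host to an internal address; refusing redirects, or re-validating the host at every hop, closes that path.

```python
"""Why a URL allow-list fails when the fetcher follows redirects, and two fixes.

Added illustration, not Zimbra code. ALLOWED_HOSTS, FAKE_SERVERS, the hostnames
and the 10.0.0.5 address are constructed for this example; no network is used.
"""
from urllib.parse import urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed allow-list of hosts the server is permitted to fetch from.
ALLOWED_HOSTS = {"webmail.example.com", "cdn.example.com"}

# Constructed stand-in for the network: URL -> (status, body or Location header).
# One allow-listed URL answers with a redirect to an internal-only address.
FAKE_SERVERS = {
    "https://cdn.example.com/logo.png": (200, "image-bytes"),
    "https://cdn.example.com/go": (302, "http://10.0.0.5/internal/"),
    "http://10.0.0.5/internal/": (200, "internal-only-data"),
}


def host_allowed(url: str) -> bool:
    """True when the URL's hostname is on the allow-list."""
    return urlparse(url).hostname in ALLOWED_HOSTS


def fake_get(url: str):
    """Simulated HTTP GET against the constructed server table."""
    return FAKE_SERVERS.get(url, (404, "not found"))


def fetch_following_redirects(url: str, max_hops: int = 5):
    """Vulnerable pattern: validates only the first URL, then follows redirects blindly.

    Returns ("fetched", final_host, body) or ("blocked", reason).
    """
    if not host_allowed(url):
        return ("blocked", "initial host not allow-listed")
    for _ in range(max_hops):
        status, payload = fake_get(url)
        if status in REDIRECT_CODES:
            url = payload  # the redirect target is never checked
            continue
        return ("fetched", urlparse(url).hostname, payload)
    return ("blocked", "too many redirects")


def fetch_no_redirects(url: str):
    """Mitigated pattern (the advisory's workaround): redirects are never followed."""
    if not host_allowed(url):
        return ("blocked", "initial host not allow-listed")
    status, payload = fake_get(url)
    if status in REDIRECT_CODES:
        target = urlparse(payload).hostname
        return ("blocked", "redirect to %s refused" % target)
    return ("fetched", urlparse(url).hostname, payload)


def fetch_revalidating(url: str, max_hops: int = 5):
    """Alternative mitigation: follow redirects only while every hop is allow-listed."""
    for _ in range(max_hops):
        host = urlparse(url).hostname
        if host not in ALLOWED_HOSTS:
            return ("blocked", "%s not allow-listed" % host)
        status, payload = fake_get(url)
        if status in REDIRECT_CODES:
            url = payload  # checked again at the top of the next iteration
            continue
        return ("fetched", host, payload)
    return ("blocked", "too many redirects")


if __name__ == "__main__":
    for fn in (fetch_following_redirects, fetch_no_redirects, fetch_revalidating):
        print(fn.__name__, fn("https://cdn.example.com/go"))
```

Running the block prints that only the first, redirect-following fetcher reaches the internal host; the other two block at the redirect. The same logic applies to any server-side fetch driven by user-supplied URLs (link previews, remote images, webhooks), and re-validation must also cover DNS resolution and the resolved IP if the allow-list is meant to keep requests off the internal network.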
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.