Zimbra, an open source webmail platform used by more than 200,000 enterprises, contained a pair of vulnerabilities that, if combined, allowed unauthenticated attackers to gain control of Zimbra servers.
If victims opened a malicious email, attackers could gain unrestricted access to all emails sent and received by employees, potentially compromising the full mail server when run in a cloud environment.
XSS to SSRF
Discovered by Simon Scannell, a vulnerability researcher at SonarSource, the first vulnerability was a cross-site scripting (XSS) bug – CVE-2021-35208 – that could be triggered in a victim’s browser when they simply viewed an incoming email.
When executed, a crafted JavaScript payload gave the attacker access to all the victim’s emails, as well as their webmail session, and allowed other Zimbra features to be accessed and further attacks to be launched.
The second vulnerability involved a bypass of an allowlist that leads to a powerful server-side request forgery (SSRF) exploit that can be launched via an authenticated account belonging to a member of the target organization with any permission role.
This means that it could be combined with the first vulnerability to compromise the complete Zimbra webmail server of a victim organization.
“The second vulnerability allows an attacker to send HTTP requests to arbitrary hosts or ports,” Scannell tells The Daily Swig.
“Combined with protocol smuggling, this could lead to RCE. It could also enable an attacker to steal highly sensitive metadata, such as access tokens to the account that is associated with the instance that would have been exploited.”
These could include Google Cloud API tokens or AWS IAM credentials from instances within the cloud infrastructure.
Coordinated disclosure
The vulnerabilities, both rated as medium severity, could have had serious effects, says Scannell.
“Both vulnerabilities work on default configuration and are affecting the Zimbra core,” he says. “The website of Zimbra states that their solution is used by over 200,000 businesses that could have been targeted with these vulnerabilities.”
The issues were reported to the Zimbra team on May 20 and 22, with patches released on 28 June for the 8.8.15 and 9.0 series.
The SSRF attack can be mitigated by disallowing the HTTP request handler to follow redirects, while the XSS attack has been fixed by removing the code that transformed the form tag altogether.
As Scannell points out, a similar SSRF vulnerability was exploited in 2019 to breach assets of US bank Capital One – leading to an $80 million penalty for the company.
“SSRF vulnerabilities have always been dangerous, but it has only become clear in recent years how dangerous they can be,” he says.
“In cloud native applications, an SSRF vulnerability can be used by attackers as an entry to the cloud infrastructure’s internal network. This can lead to the disclosure of highly sensitive information such as access keys to cloud hosting accounts associated with the targeted instance.”
Full technical details can be found on the SonarSource blog.
Source: https://portswigger.net/daily-swig/chained-zimbra-flaws-gave-attackers-unrestricted-access-to-mail-servers