SonarSource cybersecurity researchers have discovered multiple security vulnerabilities in Zimbra - email collaboration software used by global enterprises - that could be potentially exploited to compromise email accounts by sending a malicious message and even achieve a full takeover of the mail server when hosted on a cloud infrastructure.

The first vulnerability is a Cross-Site Scripting bug (CVE-2021-35208) that can be triggered in a victim’s browser when viewing an incoming email. The malicious email would contain a crafted JavaScript payload that, when executed, would provide an attacker with access to all emails of the victim, as well as to their webmail session. With this, other features of Zimbra could be accessed and further attacks could be launched. 

The second vulnerability is an interesting bypass of an allow-list that leads to a powerful Server-Side Request Forgery (SSRF) vulnerability (CVE-2021-35209). It can be exploited by an authenticated member of an organization with any permission role, which means that it can be combined with the first vulnerability. A remote attacker is then able to extract, for example, Google Cloud API Tokens or AWS IAM credentials from instances within the cloud infrastructure.

According to Jonathan Chua, Application Security Consultant at nVisium, a Falls Church, Va.-based application security provider, "an SSRF vulnerability allows an attacker to coerce an application server into performing network requests on the attacker's behalf. This vulnerability may allow attackers to perform malicious network requests under the context of the application server. Application servers often have access to internal network services such as databases, admin panels, and other internal services that normal application users don't have access to."

Michael Isbitski, Technical Evangelist at Salt Security, a Palo Alto, Calif.-based provider of API security, says, "XSS vulnerabilities are unfortunately pretty common due to the large variety of front-end client types for web and mobile, as well as user device types with varying operating systems. Attackers will frequently exploit XSS vulnerabilities to obtain authenticated sessions. The ways that clients sanitize input can vary, which is why it's often recommended to sanitize data in the back-end. The Zimbra developers seemed to follow security best practice here, sanitizing user submitted data in the back-end with a well-vetted OWASP sanitizer library. Unfortunately, one of the Zimbra front-ends transformed the sanitized content in an unsafe way, which led to the XSS issue."

Isbitski explains that SSRF vulnerabilities have been gaining in popularity by attackers because of the extent of damage that can be done in back-end services. He says, "By exploiting an SSRF vulnerability in a back-end service, it's possible to leverage that vulnerable back-end service as a trusted connection to other back-end services and data. We saw this in the case of Capital One in 2019, where an attacker was able to bypass web filtering controls and submit commands to back-end services hosted in AWS. The web filtering mechanism was a trusted resource within Capital One's AWS private cloud segment."

In 2019, assets of Capital One were breached utilizing a similar SSRF vulnerability. Capital One was required to pay $80 million as a penalty. Security researchers have no information whether Zimbra Cloud, a SaaS solution using AWS, was affected by this vulnerability. All issues were fixed by the Zimbra team with Patch 18 for the 8.8.15 series and Patch 16 for the 9.0 series. Prior versions of both branches are vulnerable.

"Cloud service providers make use of these metadata API services since they help facilitate much of automation and elasticity, enabling organizations to spin up infrastructure on demand," Isbitski says. "Attackers know this aspect of cloud infrastructure and the presence of metadata APIs, and they seek SSRF vulnerabilities in order to form complex attack chains that often fly under the radar of traditional security controls. The researchers outlined how the Zimbra XSS and CSRF vulnerabilities could be chained fairly easily, which should raise priority for organizations running Zimbra as their webmail solution. These vulnerabilities are another example of the impacts of digital supply chains. The applications and APIs you procure may have latent weaknesses and vulnerabilities that your organization inherits the moment you deploy."