Zimbra is urging its customers to manually apply fixes for a recently discovered zero-day vulnerability. This vulnerability, which does not yet have a CVE identifier, is actively exploited to compromise Zimbra Collaboration Suite (ZCS) email servers.
Zimbra Collaboration Suite is a widely used open-source email and collaboration platform with a user base of 200,000 businesses across 140 countries.
Critical Zero-Day Vulnerability in Zimbra Collaboration Suite Raises Data Security Concerns
According to Zimbra’s advisory, the zero-day vulnerability impacts Zimbra Collaboration Suite version 8.8.15 and poses potential risks to the confidentiality and integrity of organizations’ data. While Zimbra planned to roll out the fix in the July patch release, the advisory fails to mention that threat actors currently exploit the vulnerability in real-world attacks.
What Is the Zero-Day Vulnerability in Zimbra Collaboration Suite (ZCS)?
Clément Lecigne, a security researcher from Google Threat Analysis Group (TAG), discovered and reported this vulnerability as a reflected Cross-Site Scripting (XSS) issue. In XSS attacks, malicious actors can steal sensitive user information or execute malicious code on vulnerable systems.
Although Zimbra has not disclosed any information regarding the exploitation of this vulnerability, Maddie Stone from Google TAG revealed that they discovered the vulnerability while it was being actively exploited in the wild.
Manual Mitigation Steps for Zimbra’s Zero-Day Vulnerability
Zimbra has provided a fix that administrators can manually apply to eliminate the attack vector until the patch is released. “To ensure the highest level of security, we kindly request your cooperation in manually applying the fix to all of your mailbox nodes,” stated the company.
To mitigate the vulnerability manually, administrators need to follow these steps:
- Create a backup of the file /opt/zimbra/jetty/webapps/zimbra/m/momoveto.
- Edit the file and navigate to line number 40.
- Update the parameter value to:
<input name=”st” type=”hidden” value=”${fn:escapeXml(param.st)}”/> - Prior to the update, the line appeared as:
<input name=”st” type=”hidden” value=”${param.st}”/>
By including the escapeXml() function, user-inputted data is now sanitized by escaping special characters used in XML markup to prevent XSS vulnerabilities.
The fix can be implemented without causing any downtime since a Zimbra service restart is not required.
Recent Zimbra Breaches
Given that numerous Zimbra vulnerabilities have been exploited to breach vulnerable email servers worldwide in recent years, administrators should prioritize mitigating this zero-day vulnerability.
For example, in June 2022, Zimbra’s authentication bypass and remote code execution vulnerabilities were exploited to compromise over 1,000 servers.
Since February 2023, the Winter Vivern Russian hacking group has been using exploits targeting another reflected XSS bug to breach webmail portals belonging to NATO-aligned governments. They have been stealing email mailboxes of officials, governments, military personnel, and diplomats.
Also, starting in September 2022, hackers exploited an unpatched remote code execution vulnerability, CVE-2022-41352, in Zimbra Collaboration Suite, compromising nearly 900 vulnerable servers within two months.
Strengthen Your Security with SOCRadar’s Attack Surface Management and Vulnerability Intelligence
In the realm of security research, the discovery of vulnerabilities plays a crucial role in safeguarding applications and data. SOCRadar’s Extended Attack Surface Management (ASM) actively identifies vulnerabilities across your organization’s digital assets and promptly alerts you, empowering you to take swift action in response. You can see security alerts in the platform’s Company Vulnerabilities tab.
Moreover, SOCRadar’s Vulnerability Intelligence provides in-depth information on vulnerabilities, ensuring you stay informed about the latest exploitation trends. By gaining visibility into your company’s vulnerabilities, you can prioritize patches, effectively bolstering your organization’s overall security posture.
Sign up now for a free edition of the SOCRadar platform to gain more knowledge and stay up to date on the newest vulnerabilities.
