Zimbra has addressed two vulnerabilities in its webmail server that could allow threat actors to gain unrestricted access to employees' email accounts. This could give attackers access to confidential information and documents as well as email contacts, and could be used to conduct phishing and other malicious email campaigns.
A. Nature of the Vulnerabilities
The vulnerabilities are described as follows:
A server-side request forgery (SSRF) vulnerability was discovered in ProxyServlet.java in the /proxy servlet in Zimbra. The value of the X-Host header overwrites the value of the Host header in proxied requests. The value of the X-Host header is not checked against the whitelist of hosts Zimbra is allowed to proxy to (the zimbraProxyAllowedDomains setting), so the proxy can be pointed at hosts outside that whitelist.
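As an added illustration (not code from Zimbra or from CERT-PH), the following Python sketch contrasts the header handling the advisory describes with a hardened variant that subjects X-Host to the same whitelist check as Host. The allowlist contents, the header-dictionary request shape and the exact-match semantics are assumptions; the real zimbraProxyAllowedDomains setting is a Zimbra configuration attribute whose matching rules are not reproduced here.

```python
# Constructed allowlist standing in for the zimbraProxyAllowedDomains setting
# (assumption: exact host-name matches only; Zimbra's own matching rules are
# not reproduced here).
ALLOWED_DOMAINS = {"mail.example.test", "files.example.test"}

# Constructed hosts used only to label the outcome of the checks below.
HOST_WHITELISTED = "whitelisted"
HOST_REJECTED = "rejected"


def normalize_host(host):
    """Strip an optional :port suffix, trailing dot and case for comparison.

    Bracketed IPv6 literals are handled by cutting at the closing bracket.
    """
    host = host.strip()
    if host.startswith("["):
        host = host[: host.find("]") + 1]
    else:
        host = host.split(":", 1)[0]
    return host.rstrip(".").lower()


def host_matches_allowlist(host, allowed=ALLOWED_DOMAINS):
    """True when the normalized host is one of the whitelisted proxy targets."""
    return normalize_host(host) in {normalize_host(d) for d in allowed}


def resolve_target_host_vulnerable(headers):
    """Pattern the advisory describes: X-Host silently replaces Host and the
    replacement is never compared with the whitelist."""
    return headers.get("X-Host") or headers.get("Host")


def resolve_target_host_hardened(headers, allowed=ALLOWED_DOMAINS):
    """Hardened variant: whichever header decides the upstream target must
    pass the whitelist check; anything else is refused (returns None)."""
    target = headers.get("X-Host") or headers.get("Host")
    if target is None or not host_matches_allowlist(target, allowed):
        return None
    return target


def classify_request(headers, allowed=ALLOWED_DOMAINS):
    """Decision a defender can log: which target each variant would reach."""
    vulnerable = resolve_target_host_vulnerable(headers)
    hardened = resolve_target_host_hardened(headers, allowed)
    return {
        "vulnerable_target": vulnerable,
        "hardened_target": hardened,
        "verdict": HOST_WHITELISTED if hardened is not None else HOST_REJECTED,
    }


if __name__ == "__main__":
    # Constructed sample requests: a legitimate one and one carrying an
    # X-Host override pointing outside the whitelist.
    samples = [
        {"Host": "mail.example.test", "X-Host": "files.example.test"},
        {"Host": "mail.example.test", "X-Host": "backend.internal.test"},
    ]
    for headers in samples:
        print(headers, "->", classify_request(headers))
```

The whitelist check is applied to the effective target, not only to Host, which is exactly the step the advisory says was missing; logging the `verdict` field for rejected requests gives an easy signal for spotting override attempts against an unpatched server.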
B. List of Vulnerable Systems
Vulnerable Zimbra Webmail Server includes:
- Zimbra Collaboration Suite 8.8.x before 8.8.15 Patch 23
- Zimbra Collaboration Suite 9.x before 9.0.0 Patch 16
C. Actions to be Taken
CERT-PH recommends the following actions be taken:
- Administrators are urged to test and apply the latest stable version of Zimbra to mitigate known security threats.
- Taking a good backup of systems before patching is good practice, in case anomalies or issues are encountered.
- As of July 31, Zimbra will no longer release patches for versions 8.8.0 and 9.0.0 on the operating systems listed below, all of which have reached their end-of-life (EOL):
  - Ubuntu 14.04
  - CentOS and RHEL 6
  - Oracle 6
- For additional information, kindly refer to the official Advisory of Zimbra (https://blog.zimbra.com/2020/10/new-zimbra-patches-9-0-0-patch-8-and-8-8-15-patch-15/)