Researchers have found several security flaws in the Zimbra email collaboration software. Exploiting them can lead to the compromise of individual email accounts and even to a full takeover of the mail server. The flaws were disclosed after security researchers examined the software in detail.
Zimbra is a cloud-based email, calendar, and collaboration suite designed for corporate use, with extra capabilities such as a proprietary connector API that synchronizes mail, calendar, and contacts with Microsoft Outlook. The software is available in both a commercial and an open-source edition and is used in over 160 countries.
In May 2021, researchers from SonarSource, a code quality and security solutions company, found and reported two separate vulnerabilities in Zimbra 8.8.15: CVE-2021-35208 and CVE-2021-35209. Patches for them have been released in Zimbra versions 8.8.15 Patch 23 and 9.0.0 Patch 16.
However, deeper research into the flaws has shown that an attacker who exploits them can gain access to a targeted organization's entire Zimbra webmail server. As a consequence, the attacker would have full access to all emails sent and received by the organization's employees.
CVE-2021-35209 is a server-side request forgery (SSRF) vulnerability. An authenticated member of an organization can exploit it to redirect Zimbra's HTTP client and obtain sensitive information, including Google Cloud API access tokens and AWS IAM credentials.
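The credential theft described above works because a server-side HTTP client can be steered, for example through a redirect, toward the cloud metadata endpoints that hand out such tokens. The guard below is an added example, not Zimbra's code or SonarSource's: it validates every destination, including each redirect hop, against link-local, private and loopback ranges before a request is sent. The `resolve` and `fetch` callables are injected so the code runs offline; `resolve` defaults to the system resolver.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

# Hostnames that always denote a cloud metadata service (assumed set for this example).
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def _default_resolve(host):
    """Resolve a hostname to its IP address strings with the system resolver."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_destination(url, resolve=_default_resolve):
    """True only if url is http(s) and every address it resolves to is public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    if host in METADATA_HOSTS:
        return False
    try:
        ips = [ipaddress.ip_address(a) for a in resolve(host)]
    except (OSError, ValueError):
        return False            # unresolvable or malformed: fail closed
    if not ips:
        return False
    # is_global is False for private, loopback, link-local (169.254.0.0/16,
    # where AWS/GCP/Azure metadata live), reserved and unspecified ranges.
    return all(ip.is_global and not ip.is_multicast for ip in ips)


def fetch_with_guard(url, fetch, resolve=_default_resolve, max_hops=5):
    """Fetch url, re-validating the target of every redirect hop.

    fetch(url) returns (status, headers, body) and must not follow redirects
    itself, otherwise the per-hop validation is bypassed.
    """
    for _ in range(max_hops + 1):
        if not is_safe_destination(url, resolve):
            raise ValueError(f"blocked SSRF destination: {url}")
        status, headers, body = fetch(url)
        location = headers.get("location")
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)   # re-checked on the next iteration
            continue
        return status, body
    raise ValueError("too many redirects")
```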
More details and security guidance on the flaws are available in Zimbra's official advisory.