Zimbra urges admins to manually fix zero-day exploited in attacks
Zimbra urged admins today to manually fix a zero-day vulnerability actively exploited to target and compromise Zimbra Collaboration Suite (ZCS) email servers.
This widely adopted email and collaboration platform is currently employed by over 200,000 businesses spanning 140 countries, including more than 1,000 government and financial organizations worldwide.
“A security vulnerability in Zimbra Collaboration Suite Version 8.8.15 that could potentially impact the confidentiality and integrity of your data has surfaced. [..] The fix is planned to be delivered in the July patch release,” the company warned on Thursday via an advisory that doesn’t inform customers the bug is also being abused in the wild.
The security flaw (currently lacking a CVE ID) is a reflected Cross-Site Scripting (XSS) discovered and reported by security researcher Clément Lecigne of Google Threat Analysis Group.
As part of XSS attacks, threat actors could steal sensitive user information or execute malicious code on vulnerable systems.
While Zimbra did not disclose that the flaw was used in attacks, Google TAG’s Maddie Stone revealed today that the XSS vulnerability was discovered while being exploited in a targeted attack.
While Zimbra has not yet provided security patches to address this actively exploited zero-day, it did provide a fix that admins can apply manually to remove the attack vector.
“To maintain the highest level of security, we kindly request your cooperation to apply the fix manually on all of your mailbox nodes,” the company said.
The procedure needed to mitigate the vulnerability across all mailbox nodes manually requires admins to go through the following steps:
- Take a backup of the file /opt/zimbra/jetty/webapps/zimbra/m/momoveto
- Edit this file and go to line number 40
- Update the parameter value to <input name=”st” type=”hidden” value=”${fn:escapeXml(param.st)}”/>
- Before the update, the line appeared as <input name=”st” type=”hidden” value=”${param.st}”/>
The inclusion of the escapeXml() function will now sanitize the user-inputted data by escaping special characters used in XML markup to prevent XSS flaws.
The fix can be applied without downtime because a Zimbra service restart is not required to apply the mitigation.
Zimbra servers under attack
Admins should prioritize mitigating this zero-day, given that multiple Zimbra bugs have been explored in the wild to breach hundreds of vulnerable email servers worldwide in recent years.
For instance, as early as June 2022, Zimbra auth bypass and remote code execution bugs were exploited to breach over 1,000 servers.
Starting in September 2022, hackers began abusing an unpatched RCE vulnerability in Zimbra Collaboration Suite, compromising almost 900 vulnerable servers within two months.
The Winter Vivern Russian hacking group also used exploits targeting another reflected XSS bug since February 2023 to breach NATO-aligned governments‘ webmail portals and steal email mailboxes belonging to officials, governments, military personnel, and diplomats.
A spokesperson for Synacor (Zimbra’s parent company) was not immediately available for comment when contacted by BleepingComputer earlier today.
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.