Security researchers have issued alerts on a Zimbra vulnerability, a zero-day cross-site scripting (XSS) bug.
Zimbra, a widely used collaboration product, has issued a warning to its customers, urging them to apply a software patch without delay.
The company has identified a security hole that could potentially compromise the confidentiality and integrity of user data.
Zimbra is a collaborative software suite that includes an email server and a web client.
“The issue has been fixed. We have also performed rigorous testing to ensure the effectiveness and stability of the system. The fix is planned to be delivered in the July patch release,” said the company.
According to the company, the onus of patching is on the users.
“Take cation. Apply fix manually,” said the alert. “We understand that you may want to take action sooner rather than later to protect your data.”
This is the second zero-day Zimbra vulnerability that came up in cybersecurity news this year.
Researchers in February disclosed a Zimbra vulnerability in its email platform, with evidence of a campaign that was exploiting it.
Cybersecurity experts from Volexity, namely Steven Adair and Thomas Lancaster, revealed that a threat group, known as TEMP_Heretic, was actively exploiting the vulnerability through targeted spear phishing attacks.
It was initially detected in December 2021 and is believed to be orchestrated by Chinese cybercriminals.
Zimbra vulnerability: A zero-day bug
According to the company, the Zimbra vulnerability affects the Collaboration Suite Version 8.8.15 and could potentially impact the confidentiality and integrity of customer data.
This Zimbra vulnerability is a cross-site scripting (XSS) bug, which operates by exploiting the trust between different websites.
Cross-site scripting (XSS) involves transferring untrusted scripts from one site to the trusted content of another site, all without directly compromising the target site’s HTML files or JavaScript code.
“Performing an innocent-looking operation via site X, such as clicking through to site Y, gives the operator of site X a sneaky chance to implant rogue JavaScript code into the web pages that your browser receives back from Y,” said an advisory by Sophos.
“This, in turn, means that X may end up with access to your account on site Y, by reading out and perhaps even modifying data that would otherwise be private to Y, such as your account details, login cookies, authentication tokens, transaction history, and so on.”
Although Zimbra has patched the bug in its code, the updated version has not yet been published.
However, the urgency of the situation is emphasized by the fact that the bug was discovered during an actual cyberattack by a Google security researcher.
This classifies the vulnerability as a zero-day exploit, meaning it was discovered by malicious actors before being disclosed publicly.
To address the issue promptly, Zimbra has advised its customers to manually apply the fix, which involves a single-line edit to a specific data file in the product’s installation directory.
The official security alert by the company emphasized the importance of taking immediate action to protect user data.
Technical details of the Zimbra vulnerability
XSS attacks exploit servers by including externally submitted data in web pages without proper validation.
Although this might initially seem unlikely, it is a common practice when websites need to confirm entered data or display search results.
For instance, when searching for a product like the “Holy Grail” on a shopping site, the URL would contain a query like “https://example.com/search/?product=Holy%20Grail” (where %20 represents a space).
Upon receiving the search results, it is expected that the website would display the searched term in a user-friendly manner.
However, if the server mishandles special characters, such as the less-than sign (<) and greater-than sign (>), unexpected results can occur.
These characters have special meanings in HTML and can be used to execute commands. For instance, the HTML tag <br> represents a line break. Failing to handle such tags correctly can lead to the execution of arbitrary JavaScript code.
Exploiting an XSS vulnerability allows attackers to manipulate web pages and execute malicious actions.
By injecting JavaScript code, they can retrieve or modify sensitive data, send unauthorized messages, authorize actions on the victim’s behalf, and even acquire authentication cookies to gain prolonged access to the compromised account.
To mitigate the Zimbra vulnerability, customers are instructed to modify a specific item in a built-in web form within the product’s directory.
The recommended change ensures that any characters prone to XSS attacks are properly encoded using escape sequences, such as < for <, > for >, and & for &.
According to the Sophos advisory, the process may not be overly complex for organizations managing their own Zimbra instances or outsourcing their administration.
However, it is crucial to apply the fix to all mailbox nodes to ensure comprehensive protection against the vulnerability, it added.
