Patches released for latest builds, but older versions are still vulnerable

Several vulnerabilities in open source email suite Zimbra could be leveraged in a chained attack leading to remote code execution (RCE), a security researcher has found.

All versions of Zimbra are said to have been impacted, but the issues have now been fixed in 8.7.11 and the 8.8.x line, the latest versions.

Researcher An Trinh (who goes by the Twitter handle @_tint0) said that Zimbra’s reliance on Extensible Markup Language (XML) for encoding its operations opened the door to multiple vulnerabilities – CVE-2016-9924, CVE-2018-20160, and CVE-2019-9670.

These are all XML external entity injection (XXE) vulnerabilities, which arise when applications process user-supplied XML documents without disabling references to external resources.

XML parsers commonly support external entities: identifiers declared in a document type definition (DTD) that tell the parser to fetch content from a local file or a remote URL, originally so that a document could be validated against, or assembled from, external resources. If an application leaves this enabled while parsing untrusted input, an attacker can declare an entity of their own and have the server read local files or issue network requests on the attacker’s behalf.

“For more recent versions, CVE-2019-9670 works flawlessly where the XXE lies in the handling of Autodiscover requests,” Trinh said in a blog post published this week, explaining how the exploit could be leveraged on Zimbra versions 8.5 to 8.7.11.

“And for the sake of completeness, CVE-2018-20160 is an XXE in the handling of the XMPP protocol, and an additional bug alongside CVE-2019-9670 is a prevention bypass in the sanitizing of XHTML documents which also leads to XXE; however, they both require some additional conditions to trigger,” Trinh said. “These all allow direct file extraction through the response.”
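The parser-side fix for the whole class of bugs described above is to refuse DTD processing for input that comes from a client. The following is an added example written for this article, not Zimbra's code or Trinh's: it parses a request body with Python's expat binding and aborts on any DOCTYPE, entity declaration or external entity reference. The two request bodies are constructed, loosely modelled on an Autodiscover request, and the file path in the malicious one is made up.

```python
import xml.parsers.expat as expat


class XMLSecurityError(ValueError):
    """Raised when untrusted XML carries a DTD or an entity declaration."""


def parse_untrusted_xml(data: bytes) -> list[tuple[str, str]]:
    """Parse XML from an untrusted client with DTD processing refused outright.

    Returns the (tag, text) pairs of the leaf elements. Any DOCTYPE, entity
    declaration or external entity reference aborts the parse, so an attacker
    cannot declare an entity that points at a file or a URL.
    """
    parser = expat.ParserCreate()

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        # A DTD is the only place an entity can be declared; refusing it up
        # front also blocks internal "billion laughs" style entity expansion.
        raise XMLSecurityError(f"DOCTYPE refused (root {name!r}, SYSTEM {sysid!r})")

    def forbid_entity(name, *_):
        raise XMLSecurityError(f"entity declaration refused: {name!r}")

    def forbid_external_ref(context, base, sysid, pubid):
        # Returning 0 makes expat raise XML_ERROR_EXTERNAL_ENTITY_HANDLING
        # instead of fetching (or silently skipping) the reference.
        return 0

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external_ref
    # Never expand parameter entities, which can pull in an external DTD.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    leaves: list[tuple[str, str]] = []
    text: list[str] = []

    def start(name, attrs):
        text.clear()

    def chars(chunk):
        text.append(chunk)           # expat may deliver text in several chunks

    def end(name):
        value = "".join(text).strip()
        if value:
            leaves.append((name, value))
        text.clear()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return leaves


def is_safe(data: bytes) -> bool:
    """True if the document parses without tripping any of the guards."""
    try:
        parse_untrusted_xml(data)
        return True
    except (XMLSecurityError, expat.ExpatError):
        return False


# Constructed request bodies for the demo; neither is real Zimbra traffic.
BENIGN = b"""<?xml version="1.0" encoding="utf-8"?>
<Autodiscover>
  <Request>
    <EMailAddress>alice@example.com</EMailAddress>
    <AcceptableResponseSchema>outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>"""

XXE = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE Autodiscover [
  <!ENTITY xxe SYSTEM "file:///tmp/constructed-secret.txt">
]>
<Autodiscover>
  <Request>
    <EMailAddress>&xxe;</EMailAddress>
  </Request>
</Autodiscover>"""

if __name__ == "__main__":
    print("benign  :", parse_untrusted_xml(BENIGN))
    print("xxe safe:", is_safe(XXE))
```

Refusing the DTD altogether is stricter than only disabling external entities, but for a machine-to-machine endpoint such as Autodiscover or a SOAP API there is no legitimate reason for a client to send one, and it removes the internal entity expansion problem at the same time.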

Vulnerabilities like these can allow for privilege escalation and, in some cases, RCE, Trinh explained. Because of Zimbra’s token-based authentication, the data extracted via XXE is not enough on its own: an administrative token can only be obtained from the admin interface, which listens on port 7071 by default, so an attacker needs a way to reach that port, he said.

To complete the exploit chain, the attacker makes use of another vulnerability – CVE-2019-9621, a server-side request forgery (SSRF) in ProxyServlet.doProxy() – to work around the admin port’s whitelist.

“In short, if we send a request with a 'foo:7071' Host header and a valid token in a cookie, we can proxy a request to arbitrary targets that are otherwise only accessible to admins.”

A valid low-privilege token, obtained through what Trinh describes as a ‘hidden’ feature in Zimbra, is enough to reach the admin port through the proxy, the final requirement of the exploit chain for gaining full control.

“The flow is to read the config file via XXE, generate a low-priv token through a normal AuthRequest, proxy an admin AuthRequest to the local admin port via ProxyServlet and finally, use the global admin token to upload a webshell via the ClientUploader extension,” Trinh said.
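The Host header trick above works because a port read from the Host header is a value the client controls, whereas the port a connection was actually accepted on is not (in Java servlet terms, HttpServletRequest.getServerPort() reflects the Host header while getLocalPort() reflects the socket). The following added example, written for this article and not taken from Zimbra's ProxyServlet, models a proxy gate that decides "is this an admin request?" both ways and shows which one a spoofed header defeats. The port numbers other than 7071, the cookie name and the allowlist are constructed.

```python
from dataclasses import dataclass, field

ADMIN_PORT = 7071                 # Zimbra's default admin port, as cited above
NON_ADMIN_TARGETS = {"mail.example.com"}   # constructed allowlist for non-admin proxying


@dataclass
class Request:
    headers: dict
    local_port: int               # port the TCP connection was actually accepted on
    cookies: dict = field(default_factory=dict)


def port_from_host_header(headers: dict, default: int) -> int:
    """Port as the *client* claims it in the Host header (servlet getServerPort() semantics)."""
    host = headers.get("Host", "")
    if host.startswith("["):                       # "[v6addr]:port" form
        tail = host.rsplit("]", 1)[-1]
        port_text = tail[1:] if tail.startswith(":") else ""
    elif ":" in host:
        port_text = host.rsplit(":", 1)[1]
    else:
        port_text = ""
    try:
        return int(port_text) if port_text else default
    except ValueError:
        return default


def weak_is_admin_request(req: Request) -> bool:
    # Trusts a header the client wrote: "Host: foo:7071" passes on any listener.
    return port_from_host_header(req.headers, req.local_port) == ADMIN_PORT


def hardened_is_admin_request(req: Request) -> bool:
    # Trusts only the socket: was the connection really accepted on the admin listener?
    return req.local_port == ADMIN_PORT


def proxy_allowed(req: Request, target_host: str, is_admin) -> bool:
    """Authenticated admin requests may proxy anywhere; everyone else only to the allowlist."""
    if "auth_token" not in req.cookies:            # constructed cookie name
        return False
    return is_admin(req) or target_host in NON_ADMIN_TARGETS


if __name__ == "__main__":
    # Constructed attacker request: low-privilege token, public listener, spoofed Host port.
    spoofed = Request(headers={"Host": "foo:7071"}, local_port=443,
                      cookies={"auth_token": "low-priv"})
    print("weak     :", proxy_allowed(spoofed, "localhost", weak_is_admin_request))      # True
    print("hardened :", proxy_allowed(spoofed, "localhost", hardened_is_admin_request))  # False
```

Binding the decision to the local port closes the spoofing hole, but it is only half the fix: a request that genuinely arrives on 7071 should still have the privilege of its token checked rather than be treated as administrative because of where it arrived.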

RCE via Memcached

RCE can also occur in Zimbra by escalating a Memcached injection vulnerability into an unsafe deserialization – as long as the email suite is configured to use Memcached as its caching mechanism.

“The deserialization process happens at ImapMemcachedSerializer.deserialize() and triggers on ImapHandler.doSELECT(), i.e. when a user invokes an IMAP SELECT command,” said Trinh.

“The IMAP port in most cases is publicly accessible, so we can safely assume the trigger of this exploit.”
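The article names the bug as a Memcached injection without describing the vector, so the following is a generic illustration added here, not Zimbra's code: it assumes, as the term usually means, that a user-controlled string is spliced into a key of the memcached text protocol, where a bare CRLF ends one command and begins the next, so an attacker can plant a cache entry of their own choosing. The deserialization step that turns the planted entry into code execution is not modelled; the example shows only how the injection happens and the key check that stops it. The folder name and key in the demo are constructed.

```python
import re

# Memcached text protocol rules: a key is at most 250 bytes and must contain
# no whitespace or control characters; "\r\n" terminates a command line.
MAX_KEY_BYTES = 250
_FORBIDDEN = re.compile(rb"[\x00-\x20\x7f]")


class MemcachedKeyError(ValueError):
    """Raised when untrusted input is not a legal memcached key."""


def unsafe_get_command(user_key: str) -> bytes:
    """Vulnerable: concatenates untrusted input straight into the protocol line."""
    return b"get " + user_key.encode("utf-8") + b"\r\n"


def validate_key(user_key: str) -> bytes:
    """Accept only bytes that cannot change the shape of the command."""
    raw = user_key.encode("utf-8")
    if not raw or len(raw) > MAX_KEY_BYTES:
        raise MemcachedKeyError(f"bad key length {len(raw)}")
    if _FORBIDDEN.search(raw):
        raise MemcachedKeyError("key contains whitespace or a control character")
    return raw


def safe_get_command(user_key: str) -> bytes:
    """Hardened: the same command, built only from a validated key."""
    return b"get " + validate_key(user_key) + b"\r\n"


def commands_in(payload: bytes) -> list[bytes]:
    """Split a byte stream the way the server reads it: one command per CRLF line."""
    return [line for line in payload.split(b"\r\n") if line]


# Constructed attacker-controlled value, e.g. a folder name: a CRLF in the
# middle smuggles a "set" command that plants a cache entry with attacker data.
INJECTED_FOLDER = "INBOX\r\nset cache_entry 0 0 5\r\nhello"

if __name__ == "__main__":
    for cmd in commands_in(unsafe_get_command(INJECTED_FOLDER)):
        print("server sees:", cmd)              # three lines instead of one
    try:
        safe_get_command(INJECTED_FOLDER)
    except MemcachedKeyError as exc:
        print("rejected:", exc)
```

Validating at the key boundary is the reliable fix because it does not depend on knowing every command the protocol offers; rejecting whitespace and control bytes removes the only characters that can break a key out of its position in the line.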

Older versions of Zimbra are still impacted by all bugs, and users are advised to update.

The Daily Swig has reached out to Zimbra for comment.