Act now! In-the-wild Zimbra vulnerability needs a workaround

Categories: Exploits and vulnerabilities, News

Tags: Zimbra, MalasLocker, vulnerability, Google, actively exploited, fn:escapeXml


The post Act now! In-the-wild Zimbra vulnerability needs a workaround appeared first on Malwarebytes Labs.


Security experts are warning Zimbra users that a vulnerability for which there is no patch is being actively exploited in the wild. In a security update about the vulnerability, the company offered a temporary workaround which users can apply while waiting for a patch to be created.

Zimbra is an open source webmail application used for messaging and collaboration. The vulnerability, which could impact the confidentiality and integrity of users’ data, exists in Zimbra Collaboration Suite Version 8.8.15.

Zimbra is widely used across different industries and government organizations. We reported about a cross-site scripting (XSS) zero-day vulnerability in the Zimbra email platform back in February 2022. At the time, Zimbra claimed there were 200,000 businesses, and over a thousand government and financial institutions, using its software. Thousands of Zimbra mail servers were backdoored in a large scale attack exploiting that vulnerability.

In our June 2023 ransomware review we noted how the MalasLocker ransomware group had targeted vulnerabilities in Zimbra servers, including CVE-2022-24682, to enable remote code execution (RCE). This resulted in MalasLocker taking first place on the list of known attacks over the month of May 2023, displacing perennial top-spot holder LockBit.

Known ransomware attacks by gang, May 2023

Since Zimbra gives no further details, it is hard to determine what the exact problem is, although the proposed fix (see Mitigation below) suggests that the issue can be exploited with specially crafted input containing XML markup. The fix wraps the request parameter in the fn:escapeXml() function, which escapes characters that can be interpreted as XML markup, so users are manually adding the input sanitization that the page currently lacks.

Zimbra makes no mention of active exploitation, but Google researcher Maddie Stone tweeted about another researcher in the Google Threat Analysis Group noticing the vulnerability being used in-the-wild in a targeted attack.

.@_clem1 discovered this being used in-the-wild in a targeted attack. Thank you to @Zimbra for publishing this advisory and mitigation advice! If you run Zimbra Collaboration Suite, please go manually apply the fix! #itw0days https://t.co/lqwt0kOFWA

— Maddie Stone (@maddiestone) July 13, 2023

Earlier vulnerabilities in Zimbra allowed cybercriminals to steal emails in targeted attacks against organizations in the European government and media sectors.

Mitigation

The Zimbra security update suggests you apply the following fix manually on all of your mailbox nodes:

  1. Take a backup of the file /opt/zimbra/jetty/webapps/zimbra/m/momoveto
  2. Then open the active file for editing and go to line number 40
  3. Change
    <input name="st" type="hidden" value="${param.st}"/>
    to
    <input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>

Zimbra notes that a service restart is not required so you can do it without any downtime.
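The manual edit above is easy to get wrong or forget on one of several mailbox nodes. The following POSIX shell helper is an added example written for this article, not Zimbra's own tooling: it reports whether the workaround is present in the momoveto file and, if the vulnerable line is found, takes the backup from step 1 and performs the replacement from step 3. It matches the exact line from the advisory rather than trusting that it sits at line 40, and it assumes the file path given in the advisory (override it with the first argument).

```shell
#!/bin/sh
# Added helper (not from Zimbra or Malwarebytes): check/apply the momoveto workaround.
MOMOVETO="/opt/zimbra/jetty/webapps/zimbra/m/momoveto"   # path from the advisory
VULN='<input name="st" type="hidden" value="${param.st}"/>'
FIXED='<input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>'

# Prints one word: mitigated | vulnerable | missing | unknown
# "unknown" means the file exists but contains neither line, so it needs a manual look.
momoveto_status() {
    f="${1:-$MOMOVETO}"
    [ -f "$f" ] || { echo missing; return 0; }
    if grep -qF "$FIXED" "$f"; then echo mitigated
    elif grep -qF "$VULN" "$f"; then echo vulnerable
    else echo unknown
    fi
}

# Step 1 (backup) and step 3 (replace the line). Returns 1 if there is nothing to do.
# Writes back through the original file so its ownership and permissions are kept;
# per Zimbra, no service restart is needed afterwards.
momoveto_apply_fix() {
    f="${1:-$MOMOVETO}"
    [ "$(momoveto_status "$f")" = vulnerable ] || return 1
    cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)" || return 1
    # Fixed-string replacement via awk: the pattern contains $ { } . / which sed would
    # otherwise treat specially.
    awk -v v="$VULN" -v r="$FIXED" '{
        i = index($0, v)
        if (i) { $0 = substr($0, 1, i - 1) r substr($0, i + length(v)) }
        print
    }' "$f" > "$f.tmp" && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# Usage on a mailbox node (as a user allowed to edit the file):
#   momoveto_status            # or: momoveto_status /other/path/momoveto
#   momoveto_apply_fix
```

Run `momoveto_status` on every mailbox node after patching to confirm none still reports "vulnerable".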

We will keep you posted when a patch is made available and in case there are other developments around this bug.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Related news

CVE-2023-29382: Security Center - Zimbra :: Tech Center

An issue in Zimbra Collaboration ZCS v.8.8.15 and v.9.0 allows an attacker to execute arbitrary code via the sfdc_preauth.jsp component.

Ransomware review: June 2023

May saw a record number of 556 reported ransomware victims, the unusual emergence of Italy and Russia as major targets, and a significant rise in attacks on the education sector.

From Ransomware to Cyber Espionage: 55 Zero-Day Vulnerabilities Weaponized in 2022

As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple. While this figure represents a decrease from the year before, when a staggering 81 zero-days were weaponized, it still represents a significant uptick in recent years of threat actors leveraging unknown security flaws to their advantage. The

Unpatched Zimbra Platforms Are Probably Compromised, CISA Says

Attackers are targeting Zimbra systems in the public and private sectors, looking to exploit multiple vulnerabilities, CISA says.