Act now! In-the-wild Zimbra vulnerability needs a workaround

Security experts are warning Zimbra users that a vulnerability for which there is no patch is being actively exploited in the wild. In a security update about the vulnerability, the company offered a temporary workaround which users can apply while waiting for a patch to be created.

Zimbra is an open source webmail application used for messaging and collaboration. The vulnerability, which could impact the confidentiality and integrity of users’ data, exists in Zimbra Collaboration Suite Version 8.8.15.

Zimbra is widely used across different industries and government organizations. We reported about a cross-site scripting (XSS) zero-day vulnerability in the Zimbra email platform back in February 2022. At the time, Zimbra claimed there were 200,000 businesses, and over a thousand government and financial institutions, using its software. Thousands of Zimbra mail servers were backdoored in a large scale attack exploiting that vulnerability.

In our June 2023 ransomware review we noted how the MalasLocker ransomware group had targeted vulnerabilities in Zimbra servers, including CVE-2022-24682, to enable remote code execution (RCE). This resulted in MalasLocker taking first place on the list of known attacks over the month of May 2023, displacing perennial top-spot holder LockBit.

Known ransomware attacks by gang, May 2023

Since Zimbra mentions no further details, it is hard to determine what the exact problem is. Although the proposed fix (down below under Mitigation) suggest that there may be a problem which can be exploited by utilizing specially crafted XML files. By using the fn:escapeXml() function, which escapes characters that can be interpreted as XML markup, users will manually add input sanitization.

Zimbra makes no mention of active exploitation, but Google researcher Maddie Stone tweeted about another researcher in the Google Threat Analysis Group noticing the vulnerability being used in-the-wild in a targeted attack.

.@_clem1 discovered this being used in-the-wild in a targeted attack. Thank you to @Zimbra for publishing this advisory and mitigation advice! If you run Zimbra Collaboration Suite, please go manually apply the fix! #itw0days https://t.co/lqwt0kOFWA

— Maddie Stone (@maddiestone) July 13, 2023

Earlier vulnerabilities in Zimbra allowed cybercriminals to steal emails in targeted attacks against organizations in the European government and media sectors.

Mitigation

The Zimbra security update suggests you apply the follow fix manually on all of your mailbox nodes:

1. Take a backup of the file /opt/zimbra/jetty/webapps/zimbra/m/momoveto
2. Then open to edit the active file and go to line number 40
3. Change
   <input name="st" type="hidden" value="${param.st}"/>
   to
   <input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>

Zimbra notes that a service restart is not required so you can do it without any downtime.

We will keep you posted when a patch is made available and in case there are other developments around this bug.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.