DIVD-2022-00008 - XSS Zeroday in Zimbra

Our reference DIVD-2022-00008
Case lead Boaz Braaksma
Researcher(s)
CVE(s)
Product Zimbra
Versions Zimbra version 8.8.15 P30 (8.8.15.1642752384.p30-1) and all prior versions.
Recommendation Users of Zimbra version 8.8.15 need to re-apply the patch P30 (8.8.15.1643980846.p30-1) to obtain the fix for this vulnerability or should consider upgrading to version 9.0.0
Status Closed
Last modified 11 Oct 2022 21:53

Summary

On the third of February 2022, a new Zero-day XSS Vulnerability in Zimbra was published on the internet. Zimbra is an open source email platform that is used by a variety of organisations. Volexity detected on the 14th of December a campaign containing two attack phases. The first (reconnaissance) phase was used to track if a target received and opened the message(s). The second (delivery) phase was used to lure targets into clicking on a malicious link. For the attack to be successful, the target would have to visit the attacker’s link while logged into the Zimbra webmail client from a web browser. By visiting the attacker’s link, can the session of the receiver be obtained, this gives the attacker access to the account of the victim.

What you can do

What we are doing

Timeline

Date Description
14 Dec 2021 Reconnaissance emails were sent to target addresses (source: Volexity)
16 Dec 2021 Malicious emails containing links to exploit URLs were sent to confirmed target addresses (soure: Volexity)
16 Dec 2021 Volexity notifies Zimbra and provides Proof of Concept (POC) (source: Volexity)
03 Feb 2022 First publication of this vulnerability
04 Feb 2022 Zimbra made hotfix available (source: Zimbra)
04 Feb 2022 DIVD opened case DIVD-2022-00008
05 Feb 2022 DIVD created fingerprint
05 Feb 2022 DIVD started scanning for vulnerable Zimbra email servers
06 Feb 2022 DIVD created a first list of vulnerable Zimbra email servers. 31132 vulnerable instances found
07 Feb 2022 First version of this case file.
07 Feb 2022 DIVD sent out a first batch of notifications.
08 Feb 2022 DIVD shared data about international systems to various GOV CERTs via NCSC-NL.
08 Feb 2022 DIVD shared data about the NL Space with the Dutch Digital Trust Center.
14 Feb 2022 DIVD sent out a second batch of notifications for 24379 vulnerable instances.
14 Mar 2022 Third scan with 22600 potential vulnerable hosts found. Fingerprint is no longer reliable, no mailrun done.
20 Apr 2022 Case closed
gantt title DIVD-2022-00008 - XSS Zeroday in Zimbra dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2022-00008 - XSS Zeroday in Zimbra (127 days) :2021-12-14, 2022-04-20 section Events Reconnaissance emails were sent to target addresses (source: Volexity) : milestone, 2021-12-14, 0d Malicious emails containing links to exploit URLs were sent to confirmed target addresses (soure: Volexity) : milestone, 2021-12-16, 0d Volexity notifies Zimbra and provides Proof of Concept (POC) (source: Volexity) : milestone, 2021-12-16, 0d First publication of this vulnerability : milestone, 2022-02-03, 0d Zimbra made hotfix available (source: Zimbra) : milestone, 2022-02-04, 0d DIVD opened case DIVD-2022-00008 : milestone, 2022-02-04, 0d DIVD created fingerprint : milestone, 2022-02-05, 0d DIVD started scanning for vulnerable Zimbra email servers : milestone, 2022-02-05, 0d DIVD created a first list of vulnerable Zimbra email servers. 31132 vulnerable instances found : milestone, 2022-02-06, 0d First version of this case file. : milestone, 2022-02-07, 0d DIVD sent out a first batch of notifications. : milestone, 2022-02-07, 0d DIVD shared data about international systems to various GOV CERTs via NCSC-NL. : milestone, 2022-02-08, 0d DIVD shared data about the NL Space with the Dutch Digital Trust Center. : milestone, 2022-02-08, 0d DIVD sent out a second batch of notifications for 24379 vulnerable instances. : milestone, 2022-02-14, 0d Third scan with 22600 potential vulnerable hosts found. Fingerprint is no longer reliable, no mailrun done. : milestone, 2022-03-14, 0d Case closed : milestone, 2022-04-20, 0d

More information