Urgent Manual Fix Needed: Zimbra Collaboration Suite Under Attack Due to Actively Exploited Zero-Day Vulnerability

Zimbra, a widely adopted email and collaboration platform, urges administrators to manually address a zero-day vulnerability currently exploited in attacks targeting Zimbra Collaboration Suite (ZCS) email servers. The platform, employed by over 200,000 businesses in 140 countries, including over 1,000 government and financial organizations, is at high risk due to this security flaw.

According to a company advisory issued on Thursday, the security vulnerability in Zimbra Collaboration Suite Version 8.8.15 could impact the confidentiality and integrity of users’ data. The bug, a reflected Cross-Site Scripting (XSS) vulnerability, was discovered and reported by Clément Lecigne of Google’s Threat Analysis Group. As part of XSS attacks, threat actors could steal sensitive user information or execute malicious code on vulnerable systems.

How Do You Apply the Manual Patch for Zimbra?


Zimbra has yet to provide official security patches for the actively exploited zero-day but has provided a manual fix that admins can apply to remove the potential attack vector.

  • Take a backup of the file located at /opt/zimbra/jetty/webapps/zimbra/m/momoveto.
  • Open the file for editing and navigate to line number 40.
  • Update the value of the parameter to <input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>.
  • Prior to the update, the line appeared as <input name="st" type="hidden" value="${param.st}"/>.
  • The addition of the escapeXml() function will now sanitize the user-inputted data by escaping special characters used in XML markup, thereby preventing cross-site scripting (XSS) vulnerabilities.

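To show why the one-line change closes the reflected XSS, here is an added Python example (not Zimbra's code or the JSP itself) that mimics JSTL's fn:escapeXml() and renders the hidden-input line before and after the fix; the sample "st" value is constructed for illustration.

```python
# Added example (not Zimbra's code): reproduces the behaviour of the JSTL
# fn:escapeXml() function used in the manual fix, and renders the momoveto
# hidden-input line both before and after the fix so the difference is visible.

# The five characters fn:escapeXml() replaces; entity forms follow the JSTL
# reference implementation.
_XML_ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&#034;",
    "'": "&#039;",
}


def escape_xml(value: str) -> str:
    """Escape the XML special characters the way fn:escapeXml() does."""
    return "".join(_XML_ESCAPES.get(ch, ch) for ch in value)


def render_before(st: str) -> str:
    """Line 40 as shipped: ${param.st} is interpolated verbatim into the attribute."""
    return f'<input name="st" type="hidden" value="{st}"/>'


def render_after(st: str) -> str:
    """Line 40 after the manual fix: ${fn:escapeXml(param.st)}."""
    return f'<input name="st" type="hidden" value="{escape_xml(st)}"/>'


def breaks_out_of_attribute(rendered: str) -> bool:
    """Defensive check: a correctly rendered line contains exactly one '<' (the
    <input> tag itself), so any additional '<' means the value left the attribute."""
    return rendered.count("<") != 1


if __name__ == "__main__":
    # Constructed sample value: a benign attribute-breakout string, not a real payload.
    sample = '"><b>injected</b><input value="'
    for label, rendered in (("before", render_before(sample)),
                            ("after", render_after(sample))):
        print(f"{label}: {rendered}")
        print(f"  breaks out of attribute: {breaks_out_of_attribute(rendered)}")
```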

Admins should prioritize this fix, given Zimbra’s history of being targeted.

Notably, in June 2022, Zimbra authentication bypass and remote code execution bugs were exploited to breach over 1,000 servers. Later, in September 2022, unpatched RCE vulnerabilities in Zimbra Collaboration Suite were abused, compromising nearly 900 servers within two months. Most recently, the Winter Vivern Russian hacking group exploited another XSS bug in February 2023 to breach NATO-aligned governments’ webmail portals and steal email mailboxes from officials, governments, military personnel, and diplomats.
