[Users] Zimbra 8.8.15 Zero-Day Exploit

Randy Leiker randy at skywaynetworks.com
Fri Feb 4 22:24:23 CET 2022


Hi Everyone, 

To add to Barry's post, a zero-day exploit for Zimbra was publicly disclosed within the last 24 hours. In brief, it appears to affect all patch levels of 8.8.15, including the most recent patch 30. The exploit targets the calendar in the Standard (HTML) web client that was mostly removed in Zimbra 9, which is why Zimbra 9 is not believed to be vulnerable. 

For the exploit to work all of the following must be true: 


    1. A Zimbra user must click a URL in a phishing email. 
    2. The Zimbra user must be logged into the Classic Zimbra Web Client (Advanced or Standard UI). 
    3. The user must keep the browser window open for some period of time, allowing an injected JavaScript from the attacker's site to execute in the background. This script currently siphons off email within the user's mailbox, but does not appear to compromise the Zimbra server itself, other than the mailbox user's session and mailbox data. 

The publicly disclosed details of the exploit are at https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/ and include indicators of compromise, in addition to actionable countermeasures you can take now prior to the release of the hot fix in the Zimbra repo tomorrow. 

You may also be interested in John Holder's response in the Zimbra Forum: http://forums.zimbra.com/viewtopic.php?f=15&t=70382&sid=45d617b097e93b76061a52c5df000104&start=10#p303849 . The hotfix currently undergoing QA that Zimbra appears to be planning to make available in their repos for 8.8.15 tomorrow is located at: https://github.com/Zimbra/zm-web-client/pull/672 


Randy Leiker ( randy at skywaynetworks.com ) 
Skyway Networks, LLC 


From: "Barry de Graaff" <info at barrydegraaff.nl> 
To: "users" <users at lists.zetalliance.org> 
Sent: Friday, February 4, 2022 1:13:29 PM 
Subject: [Users] Hotfix Available 5 Feb for Zero-day Exploit Vulnerability in Zimbra 8.8.15 

Hello All, 

Hotfix Available 5 Feb for Zero-day Exploit Vulnerability in Zimbra 8.8.15 

https://blog.zimbra.com/2022/02/hotfix-available-5-feb-for-zero-day-exploit-vulnerability-in-zimbra-8-8-15/ 