{"id":22490,"date":"2023-07-17T16:11:04","date_gmt":"2023-07-18T00:11:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/07\/17\/news-16220\/"},"modified":"2023-07-17T16:11:04","modified_gmt":"2023-07-18T00:11:04","slug":"news-16220","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2023\/07\/17\/news-16220\/","title":{"rendered":"Act now! In-the-wild Zimbra vulnerability needs a workaround"},"content":{"rendered":"

Security experts are warning Zimbra users that a vulnerability for which there is no patch is being actively exploited in the wild. In a security update<\/a> about the vulnerability, the company offered a temporary workaround which users can apply while waiting for a patch to be created.<\/p>\n

Zimbra is an open source webmail application used for messaging and collaboration. The vulnerability, which could impact the confidentiality and integrity of users’ data, exists in Zimbra Collaboration Suite Version 8.8.15.<\/p>\n

Zimbra is widely used across different industries and government organizations. We reported about a cross-site scripting (XSS) zero-day vulnerability in the Zimbra email platform<\/a> back in February 2022. At the time, Zimbra claimed there were 200,000 businesses, and over a thousand government and financial institutions, using its software. Thousands of Zimbra mail servers were backdoored in a large scale attack exploiting that vulnerability.<\/p>\n

In our June 2023 ransomware review<\/a> we noted how the MalasLocker ransomware group had targeted vulnerabilities in Zimbra servers, including CVE-2022-24682<\/a>, to enable remote code execution (RCE). This resulted in MalasLocker taking first place on the list of known attacks over the month of May 2023, displacing perennial top-spot holder LockBit.<\/p>\n

\"May<\/figcaption>
Known ransomware attacks by gang, May 2023<\/em><\/figcaption><\/figure>\n

Since Zimbra mentions no further details, it is hard to determine what the exact problem is. Although the proposed fix (down below under Mitigation) suggest that there may be a problem which can be exploited by utilizing specially crafted XML files. By using the fn:escapeXml()<\/code> function, which escapes characters that can be interpreted as XML markup, users will manually add input sanitization.<\/p>\n

Zimbra makes no mention of active exploitation, but Google researcher Maddie Stone tweeted about another researcher in the Google Threat Analysis Group noticing the vulnerability being used in-the-wild in a targeted attack.<\/p>\n

\n

.@_clem1<\/a> discovered this being used in-the-wild in a targeted attack. Thank you to @Zimbra<\/a> for publishing this advisory and mitigation advice! If you run Zimbra Collaboration Suite, please go manually apply the fix! #itw0days<\/a> https:\/\/t.co\/lqwt0kOFWA<\/a><\/p>\n

— Maddie Stone (@maddiestone) July 13, 2023<\/a><\/p><\/blockquote>\n