CVE-2020-7796: Zimbra Collaboration Suite (2024)

Immediate actions (for administrators):

  • Disable unused services:
    If CalDAV or ProxyServlet are not required, disable them via zmprov. These are global-config changes, so confirm first that no calendar clients or proxied deployments depend on them, and expect to restart mailboxd before they take effect:

    zmprov mcf zimbraReverseProxyAdminEnabled FALSE
    zmprov mcf zimbraCalDAVEnabled FALSE
    
  • WAF rules:
    Block requests whose path matches /service/home/~/ with an fmt= query parameter, and any request parameter containing <script, javascript:, onerror= or similar markup. Apply the rule after URL decoding, since percent-encoded payloads otherwise slip past a literal match.
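
    As an added example (not code from the original page or from Zimbra), the following POSIX shell prototype applies that rule to constructed access-log lines so the pattern can be tuned before it is loaded into a WAF. The field position assumes the common combined log format; the sample lines are made up.

```shell
#!/bin/sh
# Added example: prototype of the WAF/log-review rule described above.
# Not from the original page. The sample log lines below are constructed.

# Return 0 if a request target (path + query string) matches the rule:
#  1) /service/home/~/ with an fmt= query parameter, or
#  2) a script-injection marker anywhere in the target.
is_suspicious_request() {
    target=$1
    case "$target" in
        '/service/home/~/'*'?'*'fmt='*) return 0 ;;
    esac
    # Lower-case so <SCRIPT and JaVaScRiPt: do not evade the check, and
    # catch the most common percent-encoded form of '<'. Full URL
    # canonicalisation belongs in the WAF itself, not in this prototype.
    lower=$(printf '%s' "$target" | tr 'A-Z' 'a-z')
    case "$lower" in
        *'<script'*|*'%3cscript'*|*'javascript:'*|*'onerror='*) return 0 ;;
    esac
    return 1
}

# Read combined-format access log lines on stdin, echo matching lines to
# stderr, and print the number of matches on stdout.
scan_access_log() {
    hits=0
    while IFS= read -r line; do
        # Field 7 of the combined format is the request target.
        target=$(printf '%s\n' "$line" | awk '{print $7}')
        if is_suspicious_request "$target"; then
            hits=$((hits + 1))
            printf 'SUSPICIOUS: %s\n' "$line" >&2
        fi
    done
    printf '%s\n' "$hits"
}

# Constructed sample: two benign requests and two that should match.
SAMPLE_LOG=$(cat <<'EOF'
10.0.0.5 - - [12/Nov/2020:10:00:01 +0000] "GET /service/home/~/?fmt=html&id=1 HTTP/1.1" 200 512
10.0.0.6 - - [12/Nov/2020:10:00:02 +0000] "POST /service/soap/ HTTP/1.1" 200 128
10.0.0.7 - - [12/Nov/2020:10:00:03 +0000] "GET /zimbra/?x=javascript:alert(1) HTTP/1.1" 200 64
10.0.0.8 - - [12/Nov/2020:10:00:04 +0000] "GET /service/home/~/Inbox HTTP/1.1" 200 64
EOF
)

# Run the scan over the sample: the count of matching lines goes to stdout.
printf '%s\n' "$SAMPLE_LOG" | scan_access_log
```

    Note that a plain folder fetch such as /service/home/~/Inbox is left alone: the rule keys on the fmt= parameter and on script markers, not on the REST path by itself, which keeps legitimate mailbox traffic out of the block list.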

  • Let’s reconstruct how an attacker would exploit CVE-2020-27996 in the wild.

    The following versions of Zimbra Collaboration Suite are vulnerable:

    Zimbra (Synacor) acted quickly to address this issue, releasing patches in late 2020. To secure a Zimbra Collaboration Suite instance against CVE-2020-7796, administrators must take the following steps:

  • Integrity Checks: Scan the Zimbra webapp directories (in particular /opt/zimbra/jetty/webapps/zimbra/public/ and neighbouring directories) for .jsp files that are not part of the shipped webapp, or whose modification times do not match the installation or last patch date. Compare against a baseline captured right after patching rather than relying on timestamps alone, since an attacker can back-date a dropped file.
  • Network Segmentation: Restrict access to the Zimbra administrative ports (7071 and 9071) to trusted IP addresses only. Although the exploit can work over the standard user-facing ports in some cases, restricting admin access is a critical defense-in-depth measure.
  • This vulnerability has been widely exploited in the wild. Shortly after the publication of proof-of-concept (PoC) code, automated bots began scanning the internet for vulnerable Zimbra servers. Security researchers observed threat actors using the flaw to deploy web shells (such as kthxm.jsp or variants of the "China Chopper" shell) to establish persistent access. In many cases the attacks were not immediately destructive; instead, actors silently exfiltrated data or used the compromised mail servers to send spam and phishing emails to other organizations.
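
    As an added example (not code from the original page or from Zimbra), the following POSIX shell script implements the integrity check described above in two forms: files newer than an install-time reference, and files absent from a baseline manifest. The webapp root and reference file on a real host are assumptions; the directory tree the script builds is constructed for the demo, and the rogue file name kthxm.jsp is taken from the text above.

```shell
#!/bin/sh
# Added example: baseline and timestamp check for stray .jsp files in the
# Zimbra webapp directories. Not from the original page. The tree built by
# make_sample_tree is constructed for the demo; on a real host ROOT would be
# /opt/zimbra/jetty/webapps (assumption) and REF a file written at install
# or last patch time.

# Print .jsp files under ROOT modified more recently than REF.
jsp_newer_than() {
    root=$1; ref=$2
    find "$root" -type f -name '*.jsp' -newer "$ref" | sort
}

# Write MANIFEST: a sorted list of .jsp paths relative to ROOT, captured
# right after patching, for jsp_not_in_baseline to compare against.
make_baseline() {
    root=$1; manifest=$2
    (cd "$root" && find . -type f -name '*.jsp' | sort) > "$manifest"
}

# Print .jsp files under ROOT that are absent from MANIFEST. A web shell
# dropped later shows up here even if the attacker back-dated its mtime,
# which is why this check is preferred over the timestamp one.
jsp_not_in_baseline() {
    root=$1; manifest=$2
    (cd "$root" && find . -type f -name '*.jsp' | sort) | comm -23 - "$manifest"
}

# Constructed sample tree: two legitimate pages and an install marker, all
# given the same install-era modification time.
make_sample_tree() {
    root=$1
    mkdir -p "$root/public"
    : > "$root/public/index.jsp"
    : > "$root/public/launch.jsp"
    : > "$root/.install_marker"
    touch -t 202011010000 "$root/public/index.jsp" \
        "$root/public/launch.jsp" "$root/.install_marker"
}

# Demo: take a baseline, drop a simulated web shell, run both checks.
demo() {
    root=$(mktemp -d); manifest=$(mktemp)
    make_sample_tree "$root"
    make_baseline "$root" "$manifest"
    : > "$root/public/kthxm.jsp"   # simulated web shell, mtime = now
    echo "newer than install marker:"
    jsp_newer_than "$root" "$root/.install_marker"
    echo "not in baseline:"
    jsp_not_in_baseline "$root" "$manifest"
    rm -rf "$root" "$manifest"
}

demo
```

    Keep the baseline manifest off the mail server (or at least outside the zimbra user's write access), since an attacker running as that user could otherwise add their shell to it.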

    Unlike many vulnerabilities that yield limited access (e.g., file read only, or authenticated RCE), CVE-2020-27996 allows an unauthenticated remote attacker to execute arbitrary system commands with the privileges of the Zimbra service user (typically zimbra). This is the equivalent of handing over the keys to the kingdom.


  • Chaining with CVE-2020-27995 (Auth Bypass):
    Researchers discovered that CVE-2020-27996 is particularly dangerous when combined with CVE-2020-27995 – an authentication bypass in Zimbra’s ProxyServlet. That flaw allowed an unauthenticated attacker to access any user’s mailbox folder directly, including the Calendar or Briefcase. Chaining them gives:

  • Shortly after disclosure, proof-of-concept (PoC) code became publicly available. Due to the ease of exploitation (sending a malicious email), this vulnerability was widely exploited in the wild by botnets and advanced persistent threat (APT) actors.
