Listen to this Post
Zimbra Collaboration Suite (ZCS) before version 8.8.15 Patch 7 contains a Server-Side Request Forgery (SSRF) vulnerability, catalogued as CVE-2020-7796 . This flaw exists specifically when the WebEx zimlet is installed and its associated JSP (Jakarta Server Pages) functionality is enabled . The vulnerability stems from insufficient validation of user-supplied input within the WebEx zimlet . A remote, unauthenticated attacker can exploit this by sending a specially crafted HTTP request to the server . This request tricks the Zimbra server into making unauthorized requests to internal or external systems on behalf of the attacker . The attack can be used to probe internal networks, access sensitive data on internal services that are not exposed to the internet, or chain with other vulnerabilities for remote code execution . Successful exploitation requires no user interaction and can lead to a full system compromise due to the high privileges under which the Zimbra service typically runs . The vulnerability is actively being exploited in the wild, making it a critical threat to unpatched systems .
Platform: Zimbra
Version: Before 8.8.15 Patch7
Vulnerability : SSRF
Severity: Critical
date: February 18, 2020
Prediction: Patch already available
What Undercode Say:
Analytics
- CVSS v3.1 Score: 9.8 (Critical)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- EPSS Score: 0.90602 (Very High Exploitation Probability)
- CWE: CWE-918 (Server-Side Request Forgery)
- Exploit Status: Actively exploited in the wild
Exploit:
The vulnerability can be triggered by sending a malicious HTTP request to the server when the WebEx zimlet is installed. The exact proof-of-concept structure is not public in the search results, but the attack forces the server to make requests to arbitrary systems.
Example of a crafted request that could exploit SSRF This attempts to make the server query an internal service. The specific endpoint and parameters would target the vulnerable WebEx zimlet JSP. curl -v "https://target.zimbra.example/service/extension/webex/ssrf_vulnerable_endpoint?targetUrl=http://169.254.169.254/latest/meta-data/"
Protection from this CVE
- Apply Patch: Update Zimbra Collaboration Suite to version 8.8.15 Patch 7 or later immediately .
- Disable Zimlet: If immediate patching is not possible, disable the WebEx zimlet or the specific zimlet JSP functionality .
- Network Segmentation: Restrict outbound HTTP traffic from the Zimbra server to only necessary external services to limit the impact of an SSRF.
- Firewall Rules: Implement strict firewall rules to prevent the Zimbra server from accessing internal, sensitive IP ranges (e.g., 127.0.0.0/8, 169.254.169.254/32, 10.0.0.0/8) from the web application context.
Impact
- Confidentiality: An attacker can read sensitive data from internal systems not exposed to the internet (e.g., cloud metadata, internal databases) .
- Integrity: The SSRF can be used to make POST requests to internal APIs, potentially altering data or configurations on internal services.
- Availability: Can be used to scan and map internal networks or target internal services, potentially causing service disruption.
- Overall System Compromise: This SSRF can be a stepping stone for Remote Code Execution (RCE) by chaining with other vulnerabilities or attacking internal services .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: www.cve.org
Extra Source Hub:
Undercode

