Vulnerabilities in Zimbra, an open-source email and collaboration platform whose clients run on Windows, Linux, Android and iOS, could be exploited by attackers to run arbitrary code and bypass security restrictions on targeted systems.
Zimbra competes with established products such as Microsoft Outlook, Amazon WorkMail and Yahoo Business Mail. The flaws involve an authentication weakness, a path traversal and remote code execution.
A remote code execution vulnerability could be exploited by an attacker who already holds administrative privileges: by sending a specially crafted request, the attacker can upload arbitrary files to the server. Once those files are in place, the attacker can browse directories and read passwords, data, credentials and sensitive operating system files. The vulnerability exists because the mboximport function does not properly handle the files it writes out from an uploaded archive, so an archive member can be placed outside the intended directory.
A related vulnerability in the same mboximport function can be reached by a remote attacker who sends a specially crafted request to the target system. Successful exploitation bypasses the system's security restrictions and lets the attacker stage further attacks. It, too, stems from the improper handling of uploaded files in mboximport.
A path traversal vulnerability in the UnRAR tool that Zimbra uses to unpack attachments could allow an unauthenticated attacker to write files outside the intended extraction directory, which can be leveraged to execute arbitrary code and reach sensitive information on the target system. The flaw exists because UnRAR does not properly restrict pathnames to the extraction directory.
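Both of the archive-handling flaws above come down to the same extraction mistake: trusting the path an archive member carries. The example below is added here and is not Zimbra's, UnRAR's or CERT-In's code. It uses a toy in-memory archive format (constructed for this example) to show the two tricks the advisory describes, a member named with `../` (the mboximport case) and a symlink member followed by a file written "through" it (the UnRAR case), first against a naive extractor and then against a hardened one that resolves the real parent directory before every write. The directory and member names are made up.

```python
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass
class Entry:
    """One member of a toy archive format (constructed for this example)."""
    name: str   # path as stored in the archive; attacker-controlled
    kind: str   # "file" or "symlink"
    data: str   # file contents, or the symlink target


def naive_extract(entries, dest):
    """Unsafe pattern: trusts member names and link targets as given.

    A member named '../x' lands outside dest, and a symlink member followed by
    a file member placed "inside" that link writes through it to its target.
    """
    created = []
    for e in entries:
        path = os.path.join(dest, e.name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        if e.kind == "symlink":
            os.symlink(e.data, path)
        else:
            with open(path, "w") as fh:
                fh.write(e.data)
        created.append(path)
    return created


def _contained(root, path):
    """True if path is root itself or lies beneath it (both already resolved)."""
    return os.path.commonpath([root, path]) == root


def safe_extract(entries, dest):
    """Hardened extraction: every write is checked against the real dest.

    The parent directory is resolved with realpath after earlier members have
    been created, so a symlink planted by a previous member cannot redirect a
    later write. Symlink targets must be relative and must resolve inside dest.
    """
    root = os.path.realpath(dest)
    created = []
    for e in entries:
        parent_real = os.path.realpath(os.path.join(dest, os.path.dirname(e.name)))
        target = os.path.normpath(os.path.join(parent_real, os.path.basename(e.name)))
        if not _contained(root, target):
            raise ValueError(f"member escapes destination: {e.name!r}")
        if e.kind == "symlink":
            if os.path.isabs(e.data):
                raise ValueError(f"absolute symlink target: {e.name!r}")
            link_real = os.path.realpath(os.path.join(parent_real, e.data))
            if not _contained(root, link_real):
                raise ValueError(f"symlink points outside destination: {e.name!r}")
            os.makedirs(parent_real, exist_ok=True)
            os.symlink(e.data, target)
        else:
            os.makedirs(parent_real, exist_ok=True)
            with open(target, "w") as fh:
                fh.write(e.data)
        created.append(target)
    return created


def run_demo():
    """Runs both extractors in a scratch directory (Unix symlinks assumed)."""
    tmp = tempfile.mkdtemp(prefix="archive-demo-")
    outside = os.path.join(tmp, "outside")   # stands in for e.g. the webroot
    os.makedirs(outside)
    malicious = [
        Entry("../outside/webshell.jsp", "file", "<% %>"),  # '../' traversal
        Entry("link", "symlink", outside),                  # link pointing outside
        Entry("link/dropped.txt", "file", "x"),             # write through the link
    ]
    benign = [
        Entry("sub/a.txt", "file", "a"),
        Entry("alias", "symlink", "sub"),      # relative link that stays inside
        Entry("alias/b.txt", "file", "b"),
    ]
    naive_dest = os.path.join(tmp, "naive")
    os.makedirs(naive_dest)
    naive_extract(malicious, naive_dest)
    escaped = sorted(os.listdir(outside))      # files that landed outside dest

    safe_dest = os.path.join(tmp, "safe")
    os.makedirs(safe_dest)
    rejected = []
    for e in malicious:
        try:
            safe_extract([e], safe_dest)
        except ValueError:
            rejected.append(e.name)
    written = safe_extract(benign, safe_dest)
    result = {
        "escaped": escaped,
        "rejected": rejected,
        "safe_inside": sorted(os.listdir(safe_dest)),
        "benign_written": len(written),
    }
    shutil.rmtree(tmp)
    return result
```

Note that the hardened extractor does not reject `link/dropped.txt` on its own: once the absolute symlink has been refused, `link` is created as an ordinary directory inside the destination and the write is harmless. That is the point of resolving the parent at write time rather than pattern-matching on `..` in member names, which would miss the symlink variant entirely.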
The alert from CERT-In also noted that the remote code execution vulnerabilities, chained with the path traversal flaw, could allow attackers to mount remote attacks of severe criticality and compromise the servers running Zimbra's mail services.
CERT-In rates the vulnerabilities as very serious and lists the affected software as Zimbra Collaboration (ZCS) 8.8.15 and 9.0.0 installations without the current patches, and RARLAB UnRAR before 6.12 on Linux and UNIX.
Administrators are advised to apply the latest patches available from the Zimbra website to fix these vulnerabilities, and to confirm afterwards that the installed ZCS patch level (shown by zmcontrol -v as the zimbra user) and the version of the unrar binary the server invokes are no longer in the affected ranges.