Cve20207796 Zimbra Collaboration Suite Full Official
Let’s reconstruct how an attacker would exploit CVE-2020-27996 in the wild.
Shortly after disclosure, proof-of-concept (PoC) code became publicly available. Due to the ease of exploitation (sending a malicious email), this vulnerability was widely exploited in the wild by botnets and advanced persistent threat (APT) actors.
Immediate actions (for administrators):

- Disable unused services: if CalDAV or ProxyServlet are not required, disable them via zmprov:

  ```
  zmprov mcf zimbraReverseProxyAdminEnabled FALSE
  zmprov mcf zimbraCalDAVEnabled FALSE
  ```

- WAF rules: block URL patterns containing `/service/home/~/*?*fmt=*` and any parameter containing `<script`, `javascript:`, `onerror=` or similar markup.
| Affected Component | Consequence |
|--------------------|-------------|
| Webmail (Ajax & Modern UI) | Session hijacking, email theft, mass mailing from compromised accounts |
| Admin Console (port 7071) | If an admin clicks the crafted link, attacker gains full server control (add accounts, change settings, execute commands via zimbraAttrs) |
| Calendar sharing | Leak of calendar events, meeting invitations hijacked |
| Briefcase (file storage) | Unauthorized download/upload of sensitive documents |
Zimbra allows extensions and custom handlers via Java servlets. One such servlet is the UserServlet (or ProxyServlet), which is designed to fetch resources on behalf of a user. This servlet accepts parameters that specify the target URL or resource path.
The flaw resides in how the servlet validates (or fails to validate) the `file` parameter. In a typical request:

```
https://zimbra.example.com/proxy?file=/some/localfile.txt
```

The servlet is supposed to restrict paths to within the Zimbra installation directory. However, due to insufficient sanitization, an attacker could supply a path with directory traversal (`../`) or inject command delimiters.
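As an added defensive example (not Zimbra's code), the containment check the servlet is supposed to perform on the `file` parameter: the request is decoded, interpreted relative to an assumed base directory, resolved, and rejected if it lands outside that directory. The base directory `/opt/zimbra` and the sample URLs are constructed for illustration.

```python
# Added example, not Zimbra's code: enforce that a ?file= parameter stays
# inside a base directory. Base directory and sample URLs are constructed.
import os
from urllib.parse import urlsplit, parse_qs, unquote


def resolve_file_param(url: str, base_dir: str):
    """Return (allowed, resolved_path_or_reason) for the ?file= value in url.

    The value is percent-decoded a second time (parse_qs already decoded it
    once) so that double-encoded traversal such as %252e%252e is caught,
    treated as relative to base_dir, normalised with realpath (which also
    follows symlinks), and accepted only if it is still under base_dir.
    """
    query = parse_qs(urlsplit(url).query)
    values = query.get("file")
    if not values:
        return False, "missing file parameter"
    decoded = unquote(values[0])
    if "\x00" in decoded:
        return False, "null byte in path"
    base = os.path.realpath(base_dir)
    # A leading "/" is stripped so the path is always rooted at base_dir;
    # otherwise os.path.join would discard the base entirely.
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/")))
    if os.path.commonpath([base, candidate]) != base:
        return False, "path escapes base directory"
    return True, candidate


if __name__ == "__main__":
    # Constructed sample requests: one benign, three traversal attempts.
    samples = [
        "https://zimbra.example.com/proxy?file=/some/localfile.txt",
        "https://zimbra.example.com/proxy?file=../../etc/passwd",
        "https://zimbra.example.com/proxy?file=%2e%2e/%2e%2e/etc/shadow",
        "https://zimbra.example.com/proxy?file=%252e%252e/%252e%252e/etc/passwd",
    ]
    for sample in samples:
        print(sample, "->", resolve_file_param(sample, "/opt/zimbra"))
```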
The attacker first checks if the target Zimbra server is vulnerable by sending a benign request to the proxy endpoint and examining the response headers or error messages.