Zimbra has released security updates to address vulnerabilities affecting Ubuntu and Redhat installation versions.

Affected systems

Affected systems include Zimbra 9.0.0 Patch-27 and Zimbra 8.8.8.15 Patch-34

Security Risks

• An attacker can use the cpio package to gain incorrect access to any other user accounts. Zimbra recommends pax over cpio.

• Zimbra's sudo configuration permits the Zimbra user to execute the zmslapd binary as root with arbitrary parameters.

• XSS can occur via one of the attributes of an IMG element, leading to information disclosure.

• XSS can occur via one attribute in the search component of webmail, leading to information disclosure.

• XSS can occur via one of the attributes in composing a component of webmail, leading to information disclosure.

• XSS can occur via one of the attributes in the calendar component of webmail, leading to information disclosure.

Recommended Actions

The National Cyber Security Authority (NCSA) strongly recommends to system administrators:

a. Follow the advisory shared by Zimbra and apply suggested mitigations to lower the risk of vulnerability exploitation.

c. Before any update task, please ensure you have a recent backup that can easily be restored.

For further information and support, please contact NCSA by email at rwcsirt@ncsa.gov.rw or call us on 9009

References

 https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P27#Security_Fixes  https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P34#Security_Fixes

https://thehackernews.com/2022/10/zimbra-releases-patch-for-actively.html

https://www.cisa.gov/uscert/ncas/alerts/aa22-228a