CVE-2021-35299
📋 TL;DR
This vulnerability in Zammad allows attackers to probe email connection configurations and obtain sensitive information like email server credentials. It affects all Zammad installations from version 1.0.x up to 4.0.0. Attackers can exploit this without authentication to access configuration details.
💻 Affected Systems
- Zammad
📦 What is this software?
Zammad by Zammad
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain email server credentials, leading to email account compromise, data exfiltration, and potential lateral movement to other systems.
Likely Case
Attackers harvest email server addresses, authentication methods, and potentially credentials, enabling further attacks against email infrastructure.
If Mitigated
With proper network segmentation and access controls, impact is limited to configuration disclosure without credential access.
🎯 Exploit Status
Exploitation requires sending crafted requests to specific endpoints; tools and scripts are publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.1
Vendor Advisory: https://zammad.com/en/advisories/zaa-2021-02
Restart Required: Yes
Instructions:
1. Backup your Zammad instance.
2. Update to Zammad 4.0.1 or later.
3. Restart Zammad services.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Network Access Restriction
Restrict access to the Zammad web interface to trusted IP addresses only (Linux, iptables; replace TRUSTED_IP with your allowed source address or range):
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
Web Application Firewall Rule
Block requests to the vulnerable endpoints (/api/v1/integration/email/*):
ModSecurity: SecRule REQUEST_URI "@beginsWith /api/v1/integration/email" "id:1001,phase:1,deny,status:403"
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Zammad from untrusted networks
- Monitor and alert on access attempts to email configuration endpoints
🔍 How to Verify
Check if Vulnerable:
Send GET request to /api/v1/integration/email/test and check if configuration details are returned without authentication
Check Version:
zammad version
Verify Fix Applied:
After updating to 4.0.1 or later, attempt the same request and verify that it returns an authentication error or no sensitive data.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated requests to /api/v1/integration/email/* endpoints
- Multiple failed authentication attempts followed by email endpoint access
Network Indicators:
- Unusual traffic patterns to email configuration endpoints
- Requests from unexpected IP addresses to sensitive API paths
SIEM Query:
source="zammad" AND (uri="/api/v1/integration/email/*" AND status=200) AND user="-"
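The SIEM query above can be reproduced outside a SIEM for ad-hoc triage of proxy logs. The following is an added example, not part of this advisory or of Zammad's own code: it assumes a reverse proxy in front of Zammad writing combined-format access logs whose third field is the authenticated user ("-" when the request carried no identity), and it flags both indicators listed above (unauthenticated 200 responses on /api/v1/integration/email/*, and repeated 401 failures from one source followed by a request to those endpoints). The log lines are constructed for illustration; the /api/v1/signin path and the 401 counting are assumptions about how failed logins appear in your logs.

```python
"""Detection logic for the log indicators listed above (added example)."""
import re
from collections import defaultdict

# Combined log format:
#   ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
# The third field is the authenticated user, "-" when none.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Endpoint prefix named in the advisory's workaround and detection sections.
SENSITIVE_PREFIX = "/api/v1/integration/email"

# Constructed sample log lines (not real traffic). 203.0.113.7 first reads the
# email configuration without a user, then fails three logins and retries the
# endpoint after the fix (403). alice is an authenticated, legitimate user.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2021:10:00:01 +0000] "GET /api/v1/integration/email/test HTTP/1.1" 200 512 "-" "curl/7.68.0"
198.51.100.9 - alice [10/Oct/2021:10:00:05 +0000] "GET /api/v1/integration/email/test HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2021:10:00:09 +0000] "POST /api/v1/signin HTTP/1.1" 401 40 "-" "curl/7.68.0"
203.0.113.7 - - [10/Oct/2021:10:00:10 +0000] "POST /api/v1/signin HTTP/1.1" 401 40 "-" "curl/7.68.0"
203.0.113.7 - - [10/Oct/2021:10:00:11 +0000] "POST /api/v1/signin HTTP/1.1" 401 40 "-" "curl/7.68.0"
203.0.113.7 - - [10/Oct/2021:10:00:12 +0000] "GET /api/v1/integration/email/test HTTP/1.1" 403 10 "-" "curl/7.68.0"
192.0.2.4 - - [10/Oct/2021:10:01:00 +0000] "GET /api/v1/tickets HTTP/1.1" 401 40 "-" "python-requests/2.25"
"""


def parse_line(line):
    """Return a dict of the fields we need, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_unauthenticated_email_access(lines):
    """Equivalent of the SIEM query: email config endpoint, HTTP 200, no user.

    Returns (ip, path) tuples in log order. Authenticated hits and non-200
    responses (e.g. the 403 from a patched instance) are not reported.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["path"].startswith(SENSITIVE_PREFIX)
                and rec["status"] == 200
                and rec["user"] == "-"):
            hits.append((rec["ip"], rec["path"]))
    return hits


def find_bruteforce_then_email_access(lines, threshold=3):
    """Second indicator: >= threshold 401s from a source, then an email endpoint request.

    Any status of the later email request counts, because the probe itself is
    the signal regardless of whether the instance is still vulnerable.
    """
    failures = defaultdict(int)
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 401:
            failures[rec["ip"]] += 1
        elif rec["path"].startswith(SENSITIVE_PREFIX):
            if failures[rec["ip"]] >= threshold and rec["ip"] not in flagged:
                flagged.append(rec["ip"])
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, path in find_unauthenticated_email_access(lines):
        print(f"unauthenticated config read: {ip} {path}")
    for ip in find_bruteforce_then_email_access(lines):
        print(f"failed logins followed by email endpoint access: {ip}")
```

Point the script at your real access log instead of SAMPLE_LOG to triage historical traffic; the 200-and-no-user rule is the one to alert on while unpatched, and the 401-then-probe rule remains useful after upgrading to 4.0.1 because it catches attempts that the fix now rejects.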