CVE-2020-7796 Splunk · SPL

Detect Zimbra Collaboration Suite SSRF Exploitation (CVE-2020-7796) in Splunk

Detects exploitation attempts targeting CVE-2020-7796, a Server-Side Request Forgery (SSRF) vulnerability in Synacor Zimbra Collaboration Suite (ZCS). This vulnerability allows unauthenticated remote attackers to make the Zimbra server issue arbitrary HTTP requests to internal or external resources, potentially enabling internal network scanning, credential theft, or pivoting to internal services.

MITRE ATT&CK

Tactics: Reconnaissance, Discovery, Lateral Movement

SPL Detection Query

Splunk (SPL)
(index=web OR index=proxy OR index=iis) sourcetype IN ("iis", "access_combined", "zimbra:access", "pan:traffic")
(uri_path IN ("/service/proxy", "/zimlet/*", "/service/extension/*") OR url IN ("/service/proxy*", "/zimlet/*"))
(uri_query="*target=*" OR uri_query="*host=*" OR uri_query="*url=http*" OR uri_query="*backend=*" OR uri_query="*redirect=http*")
| rex field=uri_query "(?i)(?:^|[?&])(?:target|host|url|backend|redirect)=(?<ssrf_target>[^&\s]+)"
| where match(ssrf_target, "(?i)(?<![\d.])(169\.254\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)|localhost|127\.0\.0\.1|::1|metadata\.google|metadata\.internal")
| eval severity=case(
    match(ssrf_target, "169\.254\.169\.254"), "critical",
    match(ssrf_target, "(?i)(localhost|127\.0\.0\.1|::1)"), "high",
    true(), "medium"
  )
| stats count AS request_count, dc(ssrf_target) AS unique_targets, values(ssrf_target) AS targets, values(status) AS http_statuses, min(_time) AS first_seen, max(_time) AS last_seen BY src_ip, host, uri_path, severity
| where request_count >= 1
| sort -request_count
| convert ctime(first_seen) ctime(last_seen)
| table first_seen, last_seen, src_ip, host, uri_path, unique_targets, targets, http_statuses, request_count, severity
Severity: high · Confidence: medium

Detects SSRF exploitation of Zimbra ZCS by searching web access logs for requests to known vulnerable endpoints containing internal or metadata service URLs in query string parameters.
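As an added illustration (not part of this page or its detection package), the Python script below applies the same endpoint, parameter and destination logic as the SPL query to a handful of constructed access_combined lines, then groups hits by source, path and severity the way the stats stage does. It goes slightly beyond the SPL in two ways, both noted in the comments: it URL-decodes the extracted value before matching, and it anchors the private-range prefixes so that "10." cannot match inside an unrelated public address.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed access_combined lines for the demo (RFC 5737 addresses, not real traffic).
SAMPLE_LOGS = [
    '203.0.113.7 - - [10/Mar/2020:12:00:01 +0000] "GET /service/proxy?target=http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '203.0.113.7 - - [10/Mar/2020:12:00:03 +0000] "GET /zimlet/com_zimbra_test?backend=http%3A%2F%2F127.0.0.1%3A7071%2F HTTP/1.1" 200 88 "-" "curl/7.68.0"',
    '198.51.100.4 - - [10/Mar/2020:12:01:00 +0000] "GET /service/proxy?target=http://10.0.5.20:8080/ HTTP/1.1" 502 0 "-" "python-requests/2.22"',
    '198.51.100.9 - - [10/Mar/2020:12:02:00 +0000] "GET /service/proxy?target=https://www.example.com/feed.xml HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [10/Mar/2020:12:03:00 +0000] "GET /mail?loginOp=logout HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
# Pull out the fields the SPL uses: src_ip, uri_path, uri_query, status.
LOG_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri_path>[^?\s]+)'
    r'(?:\?(?P<uri_query>\S*))? [^"]*" (?P<status>\d{3})')
VULN_PATHS = ("/service/proxy", "/zimlet/", "/service/extension/")   # uri_path IN (...)
PARAM_RE = re.compile(r'(?i)(?:^|&)(?:target|host|url|backend|redirect)=([^&\s]+)')
# Internal, loopback, link-local and cloud-metadata destinations. The lookbehind stops
# "10." from matching inside an unrelated address such as 203.0.113.10.
INTERNAL_RE = re.compile(
    r'(?i)(?<![\d.])(?:169\.254\.|10\.|172\.(?:1[6-9]|2\d|3[01])\.|192\.168\.)'
    r'|localhost|127\.0\.0\.1|::1|metadata\.google|metadata\.internal')

def severity(target):
    """Same tiers as the SPL eval: IMDS address, then loopback, then other internal."""
    if "169.254.169.254" in target:
        return "critical"
    if re.search(r'(?i)localhost|127\.0\.0\.1|::1', target):
        return "high"
    return "medium"

def detect(lines):
    """Group matching requests by (src_ip, uri_path, severity), mirroring the stats stage."""
    rows = defaultdict(lambda: {"request_count": 0, "targets": set(), "http_statuses": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["uri_path"].startswith(VULN_PATHS):
            continue
        p = PARAM_RE.search(m["uri_query"] or "")
        target = unquote(p.group(1)) if p else ""   # decode %2F etc.; the SPL matches raw
        if not INTERNAL_RE.search(target):
            continue
        row = rows[(m["src_ip"], m["uri_path"], severity(target))]
        row["request_count"] += 1
        row["targets"].add(target)
        row["http_statuses"].add(m["status"])
    out = [dict(src_ip=k[0], uri_path=k[1], severity=k[2], **v) for k, v in rows.items()]
    return sorted(out, key=lambda r: (-r["request_count"], r["src_ip"], r["uri_path"]))
```

Running `detect(SAMPLE_LOGS)` flags three of the five lines; the public example.com fetch and the ordinary /mail request fall through, which is the same split the SPL's where clause produces.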

Data Sources

  • IIS Web Logs
  • Apache/Nginx Access Logs
  • Zimbra Access Logs
  • Reverse Proxy Logs

Required Sourcetypes

  • iis
  • access_combined
  • zimbra:access
  • pan:traffic

False Positives & Tuning

  • Zimbra inter-server communication using proxy endpoints for legitimate mail federation
  • Authorized penetration testing or vulnerability scanning activity
  • Zimbra health monitoring tools that probe internal endpoints via the proxy interface

Testing Methodology

Validate this detection against the 4 adversary techniques below, drawn from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Zimbra SSRF via /service/proxy to Internal Metadata Service

    Expected signal: HTTP GET request to /service/proxy with target parameter set to 169.254.169.254 visible in Zimbra access logs; outbound network connection from Zimbra server to 169.254.169.254:80 visible in network flow data

  2. Test 2: Zimbra SSRF Internal Port Scan via /service/proxy

    Expected signal: Multiple sequential requests to /service/proxy with varying port numbers in the target parameter; outbound connections from Zimbra host to internal IP across multiple ports within a short time window

  3. Test 3: Zimbra SSRF to Internal Admin Interface via /zimlet/ Endpoint

    Expected signal: HTTP GET to /zimlet/ endpoint with backend parameter containing 127.0.0.1 and internal admin port 7071; loopback connection attempt from Zimbra process visible in netstat/ss output or network telemetry

  4. Test 4: Zimbra SSRF Credential Harvest via AWS EC2 Metadata

    Expected signal: Two sequential requests to /service/proxy with IMDSv1 paths in target parameter; successful 200 response containing JSON with AccessKeyId, SecretAccessKey, and Token fields if running on AWS EC2 without IMDSv2 enforcement

Last updated: 2026-06-19 · Research depth: standard
