Authentication Bypass in MailboxImportServlet vulnerability (reminder)
https://blog.zimbra.com/2022/08/authentication-bypass-in-mailboximportservlet-vulnerability/

Attacker managed to upload files into Web Client directory

barrydegraaff
Zimbra Employee
Posts: 173
Joined: Tue Jun 17, 2014 3:31 am

Re: Attacker managed to upload files into Web Client directory

Postby barrydegraaff » Wed Sep 14, 2022 11:03 am

Yes, we have posted it on the blog just now, and we will also send it out via the newsletter etc.


--
Barry de Graaff
Admin of Zimbra-Community Github: https://github.com/orgs/Zimbra-Community/ and the
Zimlet Gallery https://gallery.zetalliance.org/extend/
ghen
Advanced member
Posts: 125
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium
ZCS/ZD Version: 8.8.15

Re: Attacker managed to upload files into Web Client directory

Postby ghen » Wed Sep 14, 2022 11:35 am

Barry

Would Zimbra consider (or support) running different components as different users, instead of running everything as "zimbra"?

This would prevent such cross-exploitation between different components on a single server, like from amavisd to mailboxd etc. There is no reason amavisd should be able to write in jetty webroot for example...
(I don't think the webroot should be writable at all btw, even for jetty itself, see ZBUG-2975.)

Large deployments can avoid this by running all components separately on dedicated servers, but this is not practical for small deployments (and even on large ones, Zimbra components are often co-hosted).
Started_how
Posts: 1
Joined: Wed Sep 14, 2022 12:40 pm

Re: Attacker managed to upload files into Web Client directory

Postby Started_how » Wed Sep 14, 2022 12:46 pm

Can you link to publications on this topic?
phoenix
Ambassador
Posts: 27085
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Attacker managed to upload files into Web Client directory

Postby phoenix » Wed Sep 14, 2022 2:47 pm

Started_how wrote: Can you link to publications on this topic?
The details have already been given in this thread and it's also been mentioned that there's a blog entry on the topic.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
sotruongdo
Posts: 1
Joined: Thu Sep 15, 2022 1:42 am

Re: Attacker managed to upload files into Web Client directory

Postby sotruongdo » Thu Sep 15, 2022 1:48 am

yeak wrote:
Klug wrote: @Yeak, which OS are you running?

pax is in the "prerequisites" of Zimbra with Ubuntu (see here: https://wiki.zimbra.com/wiki/Ubuntu_Upgrades)
I'm quite sure it is for RHEL/CentOS too.


Yes, CentOS 7.9.

Many of our setups use the Minimal OS package and then begin the Zimbra installation. I will get my team to add pax immediately for all deployments.

Hi sir,
Can you send me a copy of the malicious file? I want to research it more. Sorry, the new account can't send private messages.
Thanks!
tinnh1
Posts: 2
Joined: Thu Sep 22, 2022 8:39 am

Re: Attacker managed to upload files into Web Client directory

Postby tinnh1 » Fri Sep 23, 2022 1:57 am

Hi @yeak, can you send me a copy of the malicious file? I want to research it more. Sorry, the new account can't send private messages.
admin_erdemkiramer
Posts: 1
Joined: Wed Sep 28, 2022 2:54 pm

Re: Attacker managed to upload files into Web Client directory

Postby admin_erdemkiramer » Wed Sep 28, 2022 3:25 pm

Hi, @yeak. I represent the Turkish company Erdem Kiramer TR. We are very concerned about this vulnerability, since we use Zimbra in the company on CentOS 7. We tried to fix this problem, but we are not sure that everything has been fixed. Could you please email us (journal@erdemkiramer.com) a sample of the news.jpg file so we can verify that the problem has been fixed?
isol
Posts: 9
Joined: Fri Jun 17, 2022 8:04 am

Re: Attacker managed to upload files into Web Client directory

Postby isol » Mon Oct 10, 2022 9:58 am

barrydegraaff wrote: Yes, we have posted it on the blog just now, and we will also send it out via the newsletter etc.

We got no newsletter :( The last newsletter was 10.08.22 18:41, about the "Security Notification: Authentication Bypass in MailboxImportServlet vulnerability".

Did you send a newsletter? We got no info, and the exploit is actively used.
robertvon
Posts: 6
Joined: Wed Sep 21, 2016 1:23 pm
ZCS/ZD Version: ZCS 8.8.15-P32 FOSS

Re: Attacker managed to upload files into Web Client directory

Postby robertvon » Tue Oct 11, 2022 8:16 am

Hi, we also got no newsletter.
Two of our servers were exploited because of the vulnerability.
At this time, AFAIK, the attacker uploaded a malicious file called ZimbraBoot.jsp in /opt/zimbra/jetty/webapps/zimbraAdmin/public/jsp
which seems to be a shell.
If someone wants the file, contact me.
We continue our investigation on our systems.

I'm sorry, but: barrydegraaff, no newsletter here nor any other advice. Shame on Zimbra & Synacor.
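A quick hunt for the kind of dropped file robertvon describes, and for the webroot writability ghen raised, as an added example: this is POSIX shell written for this page, not Zimbra's tooling nor anything posted in the thread, and the baseline file, the webroot path and the account name it takes are assumptions.

```shell
#!/bin/sh
# Hunt for JSP files dropped into a Zimbra jetty webroot, and list what the
# service account could overwrite there. Added example, not tooling from
# Zimbra or from anyone in this thread.
#
# Assumed inputs (not from the thread):
#   - a baseline file: sorted list of the .jsp paths on a known-clean install
#     of the same version, e.g.
#       find /opt/zimbra/jetty/webapps -type f -name '*.jsp' | sort > /root/jsp-baseline.txt
#   - the service account name, "zimbra" on a stock install.

# Print every .jsp under webroot $1 that is not listed in baseline file $2.
# Both sides are sorted the same way so comm(1) can diff them; -23 keeps only
# lines unique to the live tree, i.e. files that did not ship with Zimbra.
unexpected_jsp() {
    webroot=$1
    baseline=$2
    find "$webroot" -type f -name '*.jsp' | sort | comm -23 - "$baseline"
}

# Print regular files under $1 owned by $2 with the owner-write bit (0200) set.
# On a stock box everything under /opt/zimbra is owned by "zimbra", so every
# hit is a file that a compromised zimbra process (amavisd, mailboxd, ...) can
# replace, which is the cross-component exposure ghen describes.
owner_writable() {
    webroot=$1
    owner=$2
    find "$webroot" -type f -user "$owner" -perm -200
}

# Count lines on stdin; lets a cron wrapper turn findings into a non-zero exit.
count_lines() {
    n=0
    while IFS= read -r _line; do
        n=$((n + 1))
    done
    echo "$n"
}

# Typical invocation on a live server (paths and user name are assumptions):
#   unexpected_jsp /opt/zimbra/jetty/webapps /root/jsp-baseline.txt
#   owner_writable /opt/zimbra/jetty/webapps zimbra | count_lines
```

The baseline has to come from a clean install of the same build, not from the suspect host, and a clean run of `unexpected_jsp` only says that no new .jsp was dropped; it says nothing about a shipped file that was overwritten in place, which is exactly what `owner_writable` flags as possible.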
halfgaar
Advanced member
Advanced member
Posts: 111
Joined: Sat Sep 13, 2014 12:54 am
Location: Netherlands
ZCS/ZD Version: Zimbra version doesn't fit in field

Re: Attacker managed to upload files into Web Client directory

Postby halfgaar » Tue Oct 11, 2022 7:13 pm

I also got no newsletter. I only just now got an e-mail from the team, labelled "Security Alert: Amavis and Pax".

When I just saw this forum post, I remembered actually getting an e-mail with a news.jpg without content. At the time, the thought of malicious content did run through my head (because there was no other angle to the mail), but I abandoned it. Luckily, I was protected by having Ubuntu with pax, and again by my web proxy shielding access to the HTTPS port of Zimbra.
