CVE-2019-9670 being actively exploited (Hacked Server)
Re: CVE-2019-9670 being actively exploited
Hi guys,
first of all: many thanks for the contributors to this topic, I was one of the lazy stupids that did not patch in time and got hacked.
Now I have a question: what if the attacker has dumped the whole ldap tree , complete with usernames and passwords?
How strong is password encryption in Zimbra?
Thanks
A.T.
first of all: many thanks for the contributors to this topic, I was one of the lazy stupids that did not patch in time and got hacked.
Now I have a question: what if the attacker has dumped the whole ldap tree , complete with usernames and passwords?
How strong is password encryption in Zimbra?
Thanks
A.T.
Re: CVE-2019-9670 being actively exploited
The only cleartext passwords that zimbra stores on a file are those on /opt/zimbra/conf/localconfig.xml. And are the passwords that let access the ldap. And you can change them in no time with zmldappasswdBittone wrote:complete with usernames and passwords?
Passwords are not stored anywhere. Only salted hashes. Having only the hashes is hard (but not impossible) get back the passwords. You have crack it offline, but with distributed tools like john the ripper, it's not so hard.
You have all the time to tell you users to change their pwd.
If you stored a passwords.txt file with zimbra:zimbra rights on /opt/zimbra with all your cleartext passwords, well this could be worse
Re: CVE-2019-9670 being actively exploited
Hi Gabrieles,
yes I knew that much, my only concern is that I did not find a reference to what hashing algorithm is currently used by Zimbra (8.7.xx).
Thanks you
A.T.
yes I knew that much, my only concern is that I did not find a reference to what hashing algorithm is currently used by Zimbra (8.7.xx).
Thanks you
A.T.
Re: CVE-2019-9670 being actively exploited
Hi all, and thank you for this great thread. Actually we have got some trouble with this CVE.
On an our server (8.7.11) that I have just patched with the latest patch (8.7.11_P11) just right 2 fuc_ing days ago.
Maybe i think that the attacked got me a couple of day before the patch.
We have already cleanup the system and reset all the password, as per your previous indication (like this great post did: https://lorenzo.mile.si/zimbra-cve-2019 ... ction/961/)
but for a reason that i really can't understand we still get 403 error when we try to access to both frontend and backend (:7071).
Any clue of what could be done in order to debug or fix that problem?
Because from the /opt/zimbra/log i can't get any valid ideas of debugging.
Thank you.
On an our server (8.7.11) that I have just patched with the latest patch (8.7.11_P11) just right 2 fuc_ing days ago.
Maybe i think that the attacked got me a couple of day before the patch.
We have already cleanup the system and reset all the password, as per your previous indication (like this great post did: https://lorenzo.mile.si/zimbra-cve-2019 ... ction/961/)
but for a reason that i really can't understand we still get 403 error when we try to access to both frontend and backend (:7071).
Any clue of what could be done in order to debug or fix that problem?
Because from the /opt/zimbra/log i can't get any valid ideas of debugging.
Thank you.
Re: CVE-2019-9670 being actively exploited
If i login into the administrative interface with the URL:
https://MYDOMAIN:7071/zimbraAdmin/
I can enter into the administrative panel.
But if I try to enter with the URL:
https://MYDOMAIN:7071
or only
https://MYDOMAIN
i always receive 403 error.
Also if, from the administrative area I try to see the mailbox, that open that URL:
https://MYDOMAIN:8443/mail?adminPreAuth=1
this time I get a 404 error.
It's look like something missing from a webserver point of view.
Any clue?
https://MYDOMAIN:7071/zimbraAdmin/
I can enter into the administrative panel.
But if I try to enter with the URL:
https://MYDOMAIN:7071
or only
https://MYDOMAIN
i always receive 403 error.
Also if, from the administrative area I try to see the mailbox, that open that URL:
https://MYDOMAIN:8443/mail?adminPreAuth=1
this time I get a 404 error.
It's look like something missing from a webserver point of view.
Any clue?
-
- Ambassador
- Posts: 2761
- Joined: Mon Dec 16, 2013 11:35 am
- Location: France - Drôme
- ZCS/ZD Version: All of them
- Contact:
Re: CVE-2019-9670 being actively exploited
Are the zimbraPublicService* variables set for your domain(s)?
Re: CVE-2019-9670 being actively exploited
yes they are:
zmprov mcf zimbraPublicServicePort 443
zmprov mcf zimbraPublicServiceProtocol https
zmprov mcf zimbraPublicServiceHostname MYDOMAIN
zmprov mcf zimbraPublicServicePort 443
zmprov mcf zimbraPublicServiceProtocol https
zmprov mcf zimbraPublicServiceHostname MYDOMAIN
-
- Ambassador
- Posts: 2761
- Joined: Mon Dec 16, 2013 11:35 am
- Location: France - Drôme
- ZCS/ZD Version: All of them
- Contact:
Re: CVE-2019-9670 being actively exploited
These are domain specific variables, not global.
You should set them for each domain.
zimbraPublicServiceHostname should be a FQDN, something like webmail.mydomain.tld.
You should set them for each domain.
zimbraPublicServiceHostname should be a FQDN, something like webmail.mydomain.tld.
Re: CVE-2019-9670 being actively exploited
Yes MYDOMAIN is something like "mail.MYDOMAIN.COM". so FQDN.
But i can't understand what you mean with "global" set of zimbraPublic* value
Please, can you point me to the right command to do that?
thank you
But i can't understand what you mean with "global" set of zimbraPublic* value
Please, can you point me to the right command to do that?
thank you
Re: CVE-2019-9670 being actively exploited
Because from there (https://wiki.zimbra.com/wiki/Enabling_Z ... _memcached) i see:
This command sets mail.domain.com as the public hostname to be used for access to all domains in the Zimbra directory:
zmprov mcf zimbraPublicServiceHostname mail.domain.com
so it's look like global already. Or not?
This command sets mail.domain.com as the public hostname to be used for access to all domains in the Zimbra directory:
zmprov mcf zimbraPublicServiceHostname mail.domain.com
so it's look like global already. Or not?