7-1-09 security patch

8243Hubert
Posts: 13
Joined: Sat Sep 13, 2014 12:31 am

7-1-09 security patch

Post by 8243Hubert »

I would like to disclose a vulnerability I discovered in Zimbra which needs to be patched urgently.
4.5, 5.0.16GA and 6 Beta 2 are all affected.
The initial response from support@zimbra.com has been unhelpful, and I do not want to report this on your public bug tracker.
Please contact me at hubert at itsecurity.net
zombiewithamasseffect
Posts: 4
Joined: Sat Sep 13, 2014 12:31 am

7-1-09 security patch

Post by zombiewithamasseffect »

I commend you for trying to handle this in a responsible manner.
8243Hubert
Posts: 13
Joined: Sat Sep 13, 2014 12:31 am

7-1-09 security patch

Post by 8243Hubert »

I have done some more research on this with a colleague and the issue is highly critical.
If you have Zimbra HTTP(S) and SSH exposed to the internet, your installation can be compromised.
As a workaround I would highly recommend firewalling remote access to the SSH port, although this does not fully address the issue.
Still waiting to be contacted by Zimbra...
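The workaround above (restrict who can reach the SSH port, keep the mail/web ports open) is the kind of rule set an admin would put in front of a Zimbra box while waiting for a patch. The script below is an added example and is not from the poster or from Zimbra; it emits iptables commands rather than applying them, and the admin network 203.0.113.0/24 is a documentation-range placeholder you would replace with your own management range.

```shell
#!/bin/sh
# Added example (not from the original post): build iptables rules that limit
# SSH (tcp/22) to an admin network while leaving Zimbra's HTTP(S) ports open.
# The rules are printed, not applied; as root, pipe the output to 'sh'.
# 203.0.113.0/24 is a placeholder from the documentation address range.

# Minimal sanity check on a dotted-quad CIDR such as 203.0.113.0/24.
valid_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}
    bits=${1#*/}
    case "$bits" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$bits" -le 32 ] || return 1
    # Split the address on dots and require exactly four octets of 0-255.
    oldIFS=$IFS; IFS=.
    set -- $ip
    IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the rule set for the given admin CIDR. A malformed CIDR returns 1 so
# that a typo cannot silently produce rules that lock out everyone or no one.
ssh_lockdown_rules() {
    admin="$1"
    valid_cidr "$admin" || { echo "bad admin CIDR: $admin" >&2; return 1; }
    cat <<EOF
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s $admin -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
EOF
}

# Example run with the placeholder admin network.
ssh_lockdown_rules 203.0.113.0/24
```

The ESTABLISHED,RELATED rule comes first so an existing admin session survives when the DROP is added; keep a console or out-of-band path available before applying this on a remote host, since an incorrect admin range will lock you out along with everyone else.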
uxbod
Ambassador
Posts: 7811
Joined: Fri Sep 12, 2014 10:21 pm

7-1-09 security patch

Post by uxbod »

I have moderated this post until one of the employees responds; this is for the safety of the community.
quanah
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm

7-1-09 security patch

Post by quanah »

> uxbod wrote: I have moderated this post until one of the employees responds; this is for the safety of the community.
I'm trying to get the details offline.
--Quanah
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
13445raj
Outstanding Member
Posts: 743
Joined: Fri Sep 12, 2014 9:59 pm
Location: Canada

7-1-09 security patch

Post by 13445raj »

http://itsecurity.net

Don't open... is this for real?
Raj
p24t
Outstanding Member
Posts: 406
Joined: Fri Sep 12, 2014 10:28 pm

7-1-09 security patch

Post by p24t »

itsecurity.net doesn't resolve. It is the MX record for the domain, so if he's expecting someone to email him, he's not going to get it.
8243Hubert
Posts: 13
Joined: Sat Sep 13, 2014 12:31 am

7-1-09 security patch

Post by 8243Hubert »

My domain should be working again now (it has nothing about this bug on it at this time).
Yes it's real, Zimbra have confirmed the issues and are working on a patch.
jholder
Ambassador
Posts: 4824
Joined: Fri Sep 12, 2014 10:00 pm

7-1-09 security patch

Post by jholder »

I'm re-moderating this post. We have been in contact with the reporter, and are actively investigating and patching the issue.
Once we announce it, this thread will be republished.
sgruby
Posts: 10
Joined: Sat Sep 13, 2014 12:11 am

7-1-09 security patch

Post by sgruby »

I received an email apparently from support@zimbra.com indicating that all current versions of Zimbra have a security vulnerability. The email had instructions and a download link for a patch. The problem is, the email was sent through a mailing list company and I can't verify that Zimbra sent it. Second, there is no reference (that I can find) in the forums or on the web site about this.
There is no way I'm installing this without something on the web site.
Is this a forgery or does Zimbra not have a clue how to alert their users?