CVE-2019-9670 being actively exploited (Hacked Server)

yeeP6rai
Posts: 41
Joined: Mon Feb 12, 2018 10:16 am

Re: CVE-2019-9670 being actively exploited

Post by yeeP6rai »

maxxer wrote:
yeeP6rai wrote:Yes... Thanks
Along with them I also found some .class files with the same basename as the .java files.
I found the .class files too.
srekkas
Posts: 1
Joined: Thu Apr 11, 2019 9:28 am

Re: CVE-2019-9670 being actively exploited

Post by srekkas »

What about these files?

140975184 380 -rw-r----- 1 zimbra zimbra 387528 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/login_jsp.java
134466281 116 -rw-r----- 1 zimbra zimbra 115258 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/launchZCS_jsp.java
140991166 8 -rw-r----- 1 zimbra zimbra 5248 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/Resources_jsp.java
141005691 8 -rw-r----- 1 zimbra zimbra 4232 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/Boot_jsp.java
141408461 12 -rw-r--r-- 1 zimbra zimbra 11325 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/Offline_jsp.java
141444302 32 -rw-r--r-- 1 zimbra zimbra 31401 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/error_jsp.java
1208114647 32 -rw-r----- 1 zimbra zimbra 29461 Apr 10 11:59 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbraAdmin/org/apache/jsp/public_/admin_jsp.java
1208114649 8 -rw-r----- 1 zimbra zimbra 5248 Apr 10 11:59 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbraAdmin/org/apache/jsp/public_/Resources_jsp.java
1208137772 8 -rw-r----- 1 zimbra zimbra 4232 Apr 10 11:59 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbraAdmin/org/apache/jsp/public_/Boot_jsp.java
maxxer
Outstanding Member
Posts: 224
Joined: Fri Oct 04, 2013 2:12 am

Re: CVE-2019-9670 being actively exploited

Post by maxxer »

srekkas wrote:What about these files
I don't know if they're original Zimbra files or not, but I think so.

Someone in IRC (can't recall exactly who) raised the problem that some original Zimbra JSP files were touched by the infection, and suggested using the package manager to verify file integrity. While I don't recall if the discussion went on, I found a way to do that for Ubuntu and RHEL.

For the former:

Code: Select all

apt install debsums
dpkg -l zimbra* | grep ^ii | awk '{print $2}' | xargs debsums -c
For the latter:

Code: Select all

rpm -qa zimbra* | xargs rpm -qV - | egrep -E '^.{2}5'
They list all the files changed from the originally installed content. Some changes are legit, but there are changed files which remain unknown to me, like the public_ ones above. On Ubuntu the output is shorter, while on RHEL (8.6) I get really a lot of files (js, zgz, properties...). Wondering if it's really useful.
yeeP6rai
Posts: 41
Joined: Mon Feb 12, 2018 10:16 am

Re: CVE-2019-9670 being actively exploited

Post by yeeP6rai »

maxxer wrote:

Code: Select all

rpm -qa zimbra* | xargs rpm -qV - | egrep -E '^.{2}5'
Some correction:

Code: Select all

rpm -qa "zimbra*" | xargs rpm -qV - | egrep -E '^.{2}5'
Output codes:
S = File size changed
M = File mode changed
5 = MD5 checksum changed
L = Symlink changed
U = Owner changed
G = Group changed
T = Modification time changed
c = it is a configuration file that has changed
missing = file is gone.
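The output codes above are what a defender has to read through when `rpm -qV` returns hundreds of lines. As an added example (not code posted in this thread), the script below triages that output by the MD5 flag and the config-file marker, and pulls out changed .jsp files under a webapps directory first, since that is where dropped files were seen in this thread. The input is a constructed sample; only the webapps and nginx template paths come from this thread, and `example.jar` is a placeholder.

```shell
#!/bin/sh
# Constructed sample of `rpm -qa "zimbra*" | xargs rpm -qV -` output
# (NOT real output from a Zimbra host; example.jar is a placeholder).
SAMPLE_RPMV='S.5....T.    /opt/zimbra/jetty/webapps/zimbra/public/launchZCS.jsp
.......T.    /opt/zimbra/lib/example.jar
S.5....T.  c /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
missing      /opt/zimbra/jetty/webapps/zimbra/public/Boot.jsp
..5......    /opt/zimbra/jetty/webapps/zimbraAdmin/public/admin.jsp'

# Reads `rpm -V` lines on stdin and prints "<category> <path>":
#   missing  file is gone
#   config   MD5 changed, but rpm marks the file as config ("c" attribute)
#   WEBAPP   MD5 changed in a .jsp under a webapps directory: review first
#   content  any other file whose MD5 changed
# Lines whose MD5 flag (3rd char of the flag field) is "." are dropped,
# i.e. only mode/time/owner changed, which is the same filter as '^.{2}5'.
triage_rpmv() {
    awk '
        $1 == "missing"              { print "missing " $NF; next }
        substr($1, 3, 1) != "5"      { next }
        $2 == "c"                    { print "config  " $NF; next }
        $NF ~ /\/webapps\/.*\.jsp$/  { print "WEBAPP  " $NF; next }
                                     { print "content " $NF }
    '
}

# Number of hits for one category in the constructed sample.
count_category() {
    printf '%s\n' "$SAMPLE_RPMV" | triage_rpmv | grep -c "^$1"
}

# Stand-alone run over the sample; on a real host replace the sample with:
#   rpm -qa "zimbra*" | xargs rpm -qV - | triage_rpmv | sort
printf '%s\n' "$SAMPLE_RPMV" | triage_rpmv
```

The `WEBAPP` lines are the ones worth diffing against a clean install of the same release; `config` lines are usually local customisation, but still need an eye.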
Jgarcia
Posts: 1
Joined: Fri Apr 12, 2019 6:28 pm

Re: CVE-2019-9670 being actively exploited

Post by Jgarcia »

Hi,

How do you know if your server is still vulnerable after applying the patch?

I read the "A Saga of Code Executions on Zimbra" post, and it mentioned running a command to check for the deserialization RCE (zmprov gs `zmhostname` zimbraMemcachedClientServerList). No value has to be returned, is that true?

Thank you for the information.
kclo2000
Posts: 3
Joined: Wed Apr 10, 2019 4:58 pm

Re: CVE-2019-9670 being actively exploited

Post by kclo2000 »

Other than applying the patch, is there any workaround which can be applied to the platform?

Some suggest filtering "service/proxy" at the Nginx proxy. Is it enough?
I observed that the hacker will place a jsp file on the mailbox server. What if we change the folder ownership of /opt/zimbra/jetty/webapps/zimbra to another user like zimbraweb while the web application runs under zimbra, so the zimbra account only has read/execute permission? Will it prevent the hacker from uploading files to the platform?
halfgaar
Advanced member
Posts: 171
Joined: Sat Sep 13, 2014 12:54 am
Location: Netherlands
ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43

Re: CVE-2019-9670 being actively exploited

Post by halfgaar »

I was looking into the possibility of setting HTTP auth on Nginx. It would have to be such that /dav/ is exempt, because Android carddav and caldav can't work with HTTP logins.

/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template is rather complex though.

I may also set up an Nginx proxy on another server.

I will post back when I have something useful.
tin
Posts: 11
Joined: Wed Jan 17, 2018 2:32 am

Re: CVE-2019-9670 being actively exploited

Post by tin »

Can anyone give a quick description of how this exploit happens?
Does it require a valid authenticated user to happen?
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: CVE-2019-9670 being actively exploited

Post by phoenix »

tin wrote:Can anyone give a quick description of how this exploit happens?
Does it require a valid authenticated user to happen?
The second and third posts in this thread have some links in them that give you descriptions of this exploit; you should read them.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
maxxer
Outstanding Member
Posts: 224
Joined: Fri Oct 04, 2013 2:12 am

Re: CVE-2019-9670 being actively exploited

Post by maxxer »

tin wrote:Can anyone give a quick description of how this exploit happens?
Does it require a valid authenticated user to happen?
If you have a vulnerable Zimbra installation you're vulnerable; you cannot add a mitigation (probably only a WAF could do something). There are several links in the thread with the full history of the exploit, and the Zimbra blog also has references.