Security Update: Authentication Bypass in MailboxImportServlet vulnerability
Hello Zimbra Community,
We have had reports of a security vulnerability which is being actively exploited. Zimbra 8.8.15 patch 33 and Zimbra 9.0.0 patch 26 contain an important security update that fixes an authentication bypass in MailboxImportServlet (CVE-2022-37042 and CVE-2022-27925).
If you are running a Zimbra version that is older than Zimbra 8.8.15 patch 33 or Zimbra 9.0.0 patch 26 you should update to the latest patch as soon as possible.
Thanks.
John Eastman
Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability
Are there any known indicators of an attempted/successful/unsuccessful exploit of this that you can share? I'm now on p33, but I waited longer than was advisable... p32 left me gun-shy.
- andras0602
- Advanced member
- Posts: 62
- Joined: Sat May 21, 2022 3:11 pm
- ZCS/ZD Version: 8.8.15
Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability
Many thanks for the information!
In this case could you escalate this bug further? https://github.com/Zimbra/zm-mailbox/pull/1277
More on the problem here: viewtopic.php?f=13&t=71022&start=4
And I have also opened a support case, number 01380475: https://support.zimbra.com/s/detail/5008Z00001yiTvpQAE
Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability
CVE-2022-37042 isn't even mentioned on the Zimbra Security advisories. So, are there any potential temporary/short-term mitigations that can be applied?
Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability
BradC wrote:
CVE-2022-37042 isn't even mentioned on the Zimbra Security advisories. So, are there any potential temporary/short-term mitigations that can be applied?

I also did not find any mention of this vulnerability. If we talk about CVE-2022-27925, then, as I understand it, it is quite difficult to exploit.
To exploit the vulnerability, you must be able to import archives into mailboxes (i.e., at least have a valid account). Correct me if I'm wrong.
Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability
GlooM wrote:
I also did not find any mention of this vulnerability. If we talk about CVE-2022-27925, then, as I understand it, it is quite difficult to exploit.
To exploit the vulnerability, you must be able to import archives into mailboxes (i.e., at least have a valid account). Correct me if I'm wrong.

A reference I found to the other vulnerability indicates it's an authentication bypass. Combine that with CVE-2022-27925 and I suppose bad stuff might happen.
Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability
p33 does not appear to be on repo.zimbra.com, only p32. When will this be updated?
- Ambassador
- Posts: 2700
- Joined: Mon Dec 16, 2013 11:35 am
- Location: France - Drôme
- ZCS/ZD Version: All of them
Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability
CVE IDs are not updated in the release notes, here for example: https://wiki.zimbra.com/index.php/Zimbr ... 8.8.15/P33
The same release notes suggest the issue is "medium" while Synacor urges us to upgrade (blog post, forum, etc.).
Zimbra Security Advisories page in the wiki is not updated either, as BradC said.
Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability
Klug wrote:
CVE IDs are not updated in the release notes, here for example: https://wiki.zimbra.com/index.php/Zimbr ... 8.8.15/P33
The same release notes suggest the issue is "medium" while Synacor urges us to upgrade (blog post, forum, etc.).
Zimbra Security Advisories page in the wiki is not updated either, as BradC said.

I've been working with the team to get these updated. I had noted the same things. I will make sure that gets done.
Volexity has posted their findings in a new article: https://www.volexity.com/blog/2022/08/1 ... 022-27925/
John Eastman
- andras0602
- Advanced member
- Posts: 62
- Joined: Sat May 21, 2022 3:11 pm
- ZCS/ZD Version: 8.8.15
Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability
khawkins wrote:
Are there any known indicators of an attempted/successful/unsuccessful exploit of this that you can share? I'm now on p33, but I waited longer than was advisable... p32 left me gun-shy.

Check this article: https://www.volexity.com/blog/2022/08/1 ... 022-27925/
They even made a YARA rule to find potential webshells, huge thumbs up for them!
I see similar POST requests in my servers' access.log.

Unfortunately, my oldest logs are from 13/Jul/2022 and I already see this Vultr owned attacker IP 45.77.77.50 in all my servers. Here is an example:
access_log.2022-07-13:45.77.77.50 - - [13/Jul/2022:08:51:57 +0000] "POST /service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=true HTTP/1.1" 401 657 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0" 67
access_log.2022-07-13:45.77.77.50 - - [13/Jul/2022:08:53:32 +0000] "POST /service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=true HTTP/1.1" 401 657 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0" 7
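The access.log entries above are the kind of thing an administrator will want to sweep every mailbox server for. The Python script below is an added example written for this thread; it is not code from Zimbra or from any poster. It parses lines in the format shown (with the optional "filename:" prefix that grep -H prints and the optional trailing request duration), picks out every request aimed at the mboximport servlet path, and summarizes per source IP how many the server rejected (4xx/5xx, as the 401s above were) and how many it accepted (2xx/3xx), since an accepted request from an unexpected source is the one that warrants a closer look. The sample input embeds the two lines quoted above plus two constructed lines: a benign GET from 203.0.113.7 and a made-up accepted POST from 198.51.100.9; both addresses are documentation ranges, not observed attackers.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

# Servlet path seen in the access.log lines quoted in the thread.
MBOXIMPORT_PATH = "/service/extension/backup/mboximport"

# Combined log format with an optional "filename:" prefix (what `grep -H` prints)
# and an optional trailing request duration. Assumption: one request per line
# and no double quotes inside the referer or user-agent fields.
LOG_RE = re.compile(
    r'^(?:(?P<file>[^\s:]+):)?'
    r'(?P<ip>\S+) \S+ \S+ '
    r'\[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: (?P<duration>\d+))?\s*$'
)

# Constructed sample input: the two entries quoted in the thread, a benign GET
# from 203.0.113.7, and a made-up accepted POST from 198.51.100.9.
SAMPLE_LOG = """\
access_log.2022-07-13:45.77.77.50 - - [13/Jul/2022:08:51:57 +0000] "POST /service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=true HTTP/1.1" 401 657 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0" 67
access_log.2022-07-13:203.0.113.7 - - [13/Jul/2022:08:52:10 +0000] "GET /service/soap HTTP/1.1" 200 1234 "-" "curl/7.81.0" 12
access_log.2022-07-13:45.77.77.50 - - [13/Jul/2022:08:53:32 +0000] "POST /service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=true HTTP/1.1" 401 657 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0" 7
198.51.100.9 - - [14/Jul/2022:01:15:03 +0000] "POST /service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=true HTTP/1.1" 200 512 "-" "python-requests/2.28.1" 5432
"""


@dataclass
class Hit:
    ip: str
    time: str
    status: int
    account: str          # value of the account-name query parameter, if any
    user_agent: str
    duration_ms: Optional[int]


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one access.log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_mboximport_requests(lines: Iterable[str]) -> List[Hit]:
    """Pick out every request aimed at the mboximport servlet, whatever its outcome."""
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if url.path.rstrip("/") != MBOXIMPORT_PATH:
            continue
        query = parse_qs(url.query)
        hits.append(Hit(
            ip=rec["ip"],
            time=rec["time"],
            status=int(rec["status"]),
            account=query.get("account-name", [""])[0],
            user_agent=rec["ua"],
            duration_ms=int(rec["duration"]) if rec["duration"] else None,
        ))
    return hits


def summarize(hits: Iterable[Hit]) -> Dict[str, Dict[str, int]]:
    """Per source IP: mboximport requests the server accepted (2xx/3xx) versus
    rejected (4xx/5xx). A 401 means the servlet turned the request away; an
    accepted request from an unexpected source is the one to investigate."""
    out: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"requests": 0, "accepted": 0, "rejected": 0})
    for h in hits:
        bucket = out[h.ip]
        bucket["requests"] += 1
        if h.status < 400:
            bucket["accepted"] += 1
        else:
            bucket["rejected"] += 1
    return dict(out)


if __name__ == "__main__":
    # Usage: feed real log lines instead, e.g. sys.stdin or open("access_log.2022-07-13").
    found = find_mboximport_requests(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.time} {h.ip:15} account-name={h.account} status={h.status} ua={h.user_agent!r}")
    for ip, counts in summarize(found).items():
        print(ip, counts)
```

Run it against a directory of rotated logs by piping `cat access_log.*` (or `grep -H mboximport access_log.*`, since the prefix is handled) into the script; the path check uses the URL path only, so query-string variations do not hide a request, and any line that does not parse is skipped rather than aborting the sweep.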