Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
BradC
Outstanding Member
Posts: 265
Joined: Tue May 03, 2016 1:39 am

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by BradC »

I modified mine on the proxy honeypot :

        this.registerSetting("BRANCH",                                                  {type:ZmSetting.T_CONFIG, defaultValue :"ABBA"});

        // next 3 are replaced during deployment
        this.registerSetting("CLIENT_DATETIME",                                 {type:ZmSetting.T_CONFIG, defaultValue:"20060324-1035"});
        this.registerSetting("CLIENT_RELEASE",                                  {type:ZmSetting.T_CONFIG, defaultValue:"20060324099924"});
        this.registerSetting("CLIENT_VERSION",                                  {type:ZmSetting.T_CONFIG, defaultValue:"6.2.0_GA_2468"});
They still try the default set of urls.
ghandalf
Posts: 2
Joined: Wed Aug 17, 2022 11:19 am

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by ghandalf »

Hi,

we are also on Zimbra 8.8.15 NE P32, but I don't want to update yet, also because of the HTML formatting issue.

I have added the workaround on nginx on our MTA server, and I wanted to ask if this is really enough to disable this attack possibility?

/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
->
    location ^~ /service/extension/backup/mboximport {
        # Location block to mboximport
       
        allow 127.0.0.1;
        allow ::1;
        deny all;
    }
    
zmproxyctl restart
What I see now in the nginx access logs is a 403 instead of a 401.

before:
185.186.245.36:43700 - - [15/Aug/2022:18:48:13 +0000]  "POST https://URL/service/extension/backup/mboximport?account-name=admin@example.com&account-status=1&ow=cmd HTTP/1.1" 401 924 "-" "python-requests/2.27.1" "a.b.c.d:7443" "e.f.g.h:443"

after:
37.252.254.33:52500 - - [17/Aug/2022:06:11:09 +0000]  "POST https://external-ip/service/extension/backup/mboximport?account-name=admin&account-status=active&ow=1&switch-only=0&no-switch=1&append=1 HTTP/1.1" 403 289 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0" "-" "a.b.c.d:443"
I only want to be sure that the server can't be attacked anymore with this kind of security bug.

Best regards
Ghandalf
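The 401-versus-403 difference above is the useful signal: a 403 means nginx stopped the request, a 401 means it reached Zimbra's servlet, and anything else on that path (a 200 in particular) means the request got through and that client deserves a closer look. The script below is an added example, not from the thread or from Zimbra, that summarises requests to the mboximport path by status code. The log lines embedded in it are constructed for the demo; on a real server you would pipe in the proxy access log instead (the path is assumed, check your own layout).

```shell
#!/bin/sh
# Added example: count requests to the mboximport servlet by HTTP status in
# nginx access logs and list clients that were NOT rejected. Sample lines are
# constructed for this demo; a real run would use something like
#   count_mboximport_status 'cat /opt/zimbra/log/nginx.access.log' 403
# (log path assumed; adjust to your installation).

MBOXIMPORT_PATH='/service/extension/backup/mboximport'

# Constructed sample log: one request that reached Zimbra (401), two stopped
# by the nginx deny rule (403), one that got through (200) and one unrelated
# request that must be ignored.
sample_log() {
    cat <<'EOF'
203.0.113.10:43700 - - [15/Aug/2022:18:48:13 +0000]  "POST https://mail.example.com/service/extension/backup/mboximport?account-name=admin&account-status=1&ow=cmd HTTP/1.1" 401 924 "-" "python-requests/2.27.1" "-" "-"
203.0.113.11:52500 - - [17/Aug/2022:06:11:09 +0000]  "POST https://mail.example.com/service/extension/backup/mboximport?account-name=admin&account-status=active&ow=1 HTTP/1.1" 403 289 "-" "Mozilla/5.0" "-" "-"
203.0.113.12:52501 - - [17/Aug/2022:06:12:44 +0000]  "POST https://mail.example.com/service/extension/backup/mboximport?account-name=admin HTTP/1.1" 403 289 "-" "curl/7.68.0" "-" "-"
192.0.2.5:40011 - - [14/Aug/2022:02:03:21 +0000]  "POST https://mail.example.com/service/extension/backup/mboximport?account-name=admin&account-status=1&ow=cmd HTTP/1.1" 200 47 "-" "python-requests/2.27.1" "-" "-"
198.51.100.7:41000 - - [17/Aug/2022:06:13:00 +0000]  "GET https://mail.example.com/service/soap/NoOpRequest HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-" "-"
EOF
}

# Print how many requests to the servlet path received the given status.
# Usage: count_mboximport_status <command-that-prints-the-log> <status>
count_mboximport_status() {
    src=$1; status=$2
    eval "$src" | awk -v p="$MBOXIMPORT_PATH" -v s="$status" '
        index($0, p) > 0 {
            # Fields between double quotes: a[2] is the request line,
            # a[3] holds " <status> <bytes> ".
            split($0, a, "\"")
            split(a[3], f, " ")
            if (f[1] == s) c++
        }
        END { print c + 0 }'
}

# Print distinct client IPs whose request to the servlet was not rejected
# (status other than 401/403). These are the ones to investigate.
suspicious_clients() {
    src=$1
    eval "$src" | awk -v p="$MBOXIMPORT_PATH" '
        index($0, p) > 0 {
            split($0, a, "\"")
            split(a[3], f, " ")
            if (f[1] != "401" && f[1] != "403") {
                split($1, ip, ":")   # strip the :port suffix
                print ip[1]
            }
        }' | sort -u
}

# Stand-alone run over the constructed sample.
echo "401 (reached Zimbra):    $(count_mboximport_status sample_log 401)"
echo "403 (stopped by nginx):  $(count_mboximport_status sample_log 403)"
echo "clients not rejected:    $(suspicious_clients sample_log)"
```

The status is taken from the field after the quoted request line rather than by column number, so the script copes with the extra upstream fields Zimbra's proxy log format appends. Any IP printed by `suspicious_clients` from a period before the nginx block was in place is a reason to run the webshell checks discussed earlier in this thread.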
halfgaar
Advanced member
Posts: 171
Joined: Sat Sep 13, 2014 12:54 am
Location: Netherlands
ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by halfgaar »

That should work, for now. But, once that Nginx template gets replaced, your mitigation is gone. Also, did you do all the checks from this discussion to scan if you've already been hacked? Because if the webshell is installed, they have access through that.

If you're editing the Nginx template anyway, you might as well add a similar block for the webshell they use (someone mentioned it here before).
Stinh34
Posts: 1
Joined: Wed Aug 17, 2022 3:58 pm

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by Stinh34 »

Hi,

Is there a way to delete this mboximport servlet? Deleting zimbrabackup.jar?
This service seems open on external port 443 (not only 7071, which is closed on the firewall).

Thanks
halfgaar
Advanced member
Posts: 171
Joined: Sat Sep 13, 2014 12:54 am
Location: Netherlands
ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by halfgaar »

You can always try to rename it and see if stuff breaks.

Personally, I think it's just a matter of time until another jar file is abused. The problem is that apparently when writing functionality, the developers have to remember to validate authentication. How it should work, is that the webserver should verify authentication before accessing any code. That's what Zimbra should fix. I would do that with the 'auth_request' directive in Nginx, so that Nginx will refuse to touch application code if there is no proper session, but perhaps I should take that up somewhere else.
ghandalf
Posts: 2
Joined: Wed Aug 17, 2022 11:19 am

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by ghandalf »

halfgaar wrote:That should work, for now. But, once that Nginx template gets replaced, your mitigation is gone. Also, did you do all the checks from this discussion to scan if you've already been hacked? Because if the webshell is installed, they have access through that.

If you're editing the Nginx template anyway, you might as well add a similar block for the webshell they use (someone mentioned it here before).
Hi Halfgaar,

Yes, there have been some shells on the store, but I think I have removed all of them...
I have a test server with the same version, and I have made a file diff and md5sum of the files.

I hope we are good for the moment, but true, there have been a lot of similar issues in the past with Zimbra, which makes it very difficult to maintain for an admin.

BR Ghandalf
paskk
Posts: 18
Joined: Fri Aug 19, 2022 8:40 am

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by paskk »

We were attacked as well, but everything got 404'ed due to running a FOSS version here.

188.241.157.154 - - [19/Aug/2022:06:25:36 +0000] "POST /service/extension/backup/mboximport?account-name=admin&account-status=1&ow=cmd HTTP/1.0" 404 417 "-" "python-requests/2.28.1" 1


Our Zimbra server is basically the only open port 443 (webmail & Z-Push ActiveSync).
We only have the webmail open for the Z-Push service. I have been looking into an nginx proxy to put in front of the Zimbra server to see if we can shut off all URL redirects and only leave the Z-Push one open.
I am just a bit at a loss where to start on nginx docs/guides and how to actually build a proper config, or whether there is a better way to accomplish this with Zimbra itself?

If anyone can point me in the right direction, it would be much appreciated.

Thanks
halfgaar
Advanced member
Posts: 171
Joined: Sat Sep 13, 2014 12:54 am
Location: Netherlands
ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by halfgaar »

You need an Nginx proxy with several 'location' blocks. You can then simply deny access with 'deny from all' in all blocks, except the locations used for Z-Push.

I'd set up a normal proxy first, there are enough guides for that, and then look at the access log when you interact with Zpush to see what URLs you need.

I suggest you start a new forum thread (because this one maybe should mostly be about dealing with the hack), and I can help you out as you go.
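Both of halfgaar's suggestions (a separate proxy that denies everything except the Z-Push locations, and gating application paths with `auth_request`) fit in one nginx server block. The configuration below is an added example for this thread; it is not Zimbra's shipped proxy template and not a config anyone in the thread posted. Note that nginx's directive is `deny all` (Apache is the one that uses `deny from all`). Assumptions: the mailbox upstream address, the certificate paths, that Z-Push is reached on the standard `/Microsoft-Server-ActiveSync` path (confirm against your own access log, as suggested above), and the `/_auth` location plus the validator it forwards to, which is a hypothetical service you would have to provide.

```nginx
# Added example: stand-alone nginx in front of a Zimbra mailbox server.
# Not Zimbra's template; all addresses and paths below are assumptions.

upstream zimbra_mailbox {
    server 192.0.2.10:8443;              # assumed mailbox/proxy address
}

server {
    listen 443 ssl;
    server_name mail.example.com;

    ssl_certificate     /etc/nginx/tls/mail.example.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/mail.example.com.key;   # assumed path

    # Default: nothing is proxied unless a more specific location allows it.
    # nginx picks the longest matching prefix, so the blocks below win.
    location / {
        deny all;
    }

    # Z-Push / ActiveSync: the one path the mobile clients need.
    location = /Microsoft-Server-ActiveSync {
        proxy_pass https://zimbra_mailbox;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size 50m;
    }

    # The servlet this thread is about: loopback only, as in the template
    # edit earlier in the thread. '^~' stops regex locations from overriding.
    location ^~ /service/extension/backup/mboximport {
        allow 127.0.0.1;
        allow ::1;
        deny all;
        proxy_pass https://zimbra_mailbox;
    }

    # auth_request pattern: before proxying, nginx issues a body-less
    # subrequest to /_auth. 2xx lets the request through, 401/403 are
    # returned to the client as-is, any other status becomes a 500.
    location /service/soap/ {
        auth_request /_auth;
        proxy_pass https://zimbra_mailbox;
        proxy_set_header Host $host;
    }

    # Internal-only location reachable solely through auth_request. It
    # forwards the client's cookies and original URI to a session
    # validator (hypothetical service, assumed to listen on 127.0.0.1:9000).
    location = /_auth {
        internal;
        proxy_pass http://127.0.0.1:9000/validate;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header Cookie $http_cookie;
        proxy_set_header X-Original-URI $request_uri;
    }
}
```

Because this proxy is a separate nginx instance, `zmproxyctl` or an upgrade rewriting `/opt/zimbra/conf/nginx/templates/` does not undo it, which addresses the concern raised earlier in the thread. The `auth_request` block is the shape of the fix halfgaar describes: the web server refuses to touch application code unless the validator confirms a session, so a servlet that forgets its own authentication check is no longer reachable anonymously.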
darkfader
Posts: 20
Joined: Sat Dec 11, 2021 11:39 pm

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by darkfader »

So now after rebuilding one customer's Zimbra in a slightly cleaner fashion, I got a few questions left.
I would suppose many of the gov users of Zimbra have similar questions, or if they're too small, they just need someone to ask them for them.

- Have there been regular audits of privilege-decision-related code?
- If not, is there a plan to implement them?
- Are static analysis tools in place, along with the necessary time commitment for their optimal use?
- If not, is there a plan to implement them?
- Have there been independent audits of privilege-related code?
- If not, is there a plan to establish them in the future?
- Is there a plan to look into and support users creating stopgap measures using mod_security?
- Is there a plan to deliver working fail2ban configs for multiport banning and ensuring the regexes are kept up to date, by you, the developers?
- Is there a plan for supporting SELinux targets in the future?
- Is there a plan to deliver supported, working SELinux policies in the future?
- Is there a plan for supporting AppArmor profiles in the future?
- Is there a plan to deliver supported, working AppArmor profiles in the future?
- Will there be a manual for some kind of evaluated standard profiles that cover deeper security measures than what the current documentation shows?
(from restrictions of POST requests to non-necessary paths, to enabling use of chattr append-only on log files and removing the ability to create files)

If you cannot answer these outside of a support ticket, please let me know, so this can be communicated via a channel you deem appropriate.
coco6612001
Posts: 1
Joined: Fri Aug 26, 2022 3:23 am

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by coco6612001 »

I want to ask something.
One of my customers has his Zimbra behind a VPN and firewall.
Is it still urgent to address this bug?