So my server is updated and I ran an exploit tester and you can still get in through CVE-2022-27925
Is there a specific updated file I can copy into my Zimbra install to make sure they didn't replace it with an old one?
Security Update: Authentication Bypass in MailboxImportServlet vulnerability
-
- Outstanding Member
- Posts: 264
- Joined: Thu May 12, 2016 1:56 pm
- Location: Belgium
- ZCS/ZD Version: 9.0.0
Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability
We just blocked the MailboxImportServlet URL on proxy, in nginx.conf.web.https.default.template:
# block MailboxImportServlet requests for CVE-2022-37042 exploit
location = /service/extension/backup/mboximport {
return 403;
}
Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability
We've seen a spate of attempts on this again recently :
This is the first lot since we've added an extra reverse proxy in front of Zimbra to hide it from the likes of shodan.io. Also notice they've changed the identifier, as previously they were using python-requests.
194.87.31.144 - - [13/Dec/2022:01:05:48 +0800] "POST /service/extension/backup/mboximport?account-name=admin&ow=2&no-switch=1&append=1 HTTP/1.1" 403 187 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.1 Safari/537.36"
194.87.31.144 - - [13/Dec/2022:01:05:49 +0800] "GET /public/formatter.jsp HTTP/1.1" 404 598 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36"
194.87.31.144 - - [13/Dec/2022:01:05:50 +0800] "POST /service/extension/backup/mboximport?account-name=admin&account-status=1&ow=cmd HTTP/1.1" 403 187 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36"
194.87.31.144 - - [13/Dec/2022:01:05:51 +0800] "GET /public/formatter.jsp HTTP/1.1" 404 598 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36"
194.87.31.144 - - [13/Dec/2022:04:40:30 +0800] "POST /service/extension/backup/mboximport?account-name=admin&ow=2&no-switch=1&append=1 HTTP/1.1" 403 187 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36"
194.87.31.144 - - [13/Dec/2022:04:40:31 +0800] "GET /public/formatter.jsp HTTP/1.1" 404 598 "-" "Mozilla/5.0 (Windows NT 4.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36"
194.87.31.144 - - [13/Dec/2022:04:40:33 +0800] "POST /service/extension/backup/mboximport?account-name=admin&account-status=1&ow=cmd HTTP/1.1" 403 187 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F"
194.87.31.144 - - [13/Dec/2022:04:40:33 +0800] "GET /public/formatter.jsp HTTP/1.1" 404 598 "-" "Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36"
194.87.31.144 - - [13/Dec/2022:11:46:02 +0800] "POST /service/extension/backup/mboximport?account-name=admin&ow=2&no-switch=1&append=1 HTTP/1.1" 403 187 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36"
194.87.31.144 - - [13/Dec/2022:11:46:03 +0800] "GET /public/formatter.jsp HTTP/1.1" 404 598 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36"
194.87.31.144 - - [13/Dec/2022:11:46:05 +0800] "POST /service/extension/backup/mboximport?account-name=admin&account-status=1&ow=cmd HTTP/1.1" 403 187 "-" "Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36"
194.87.31.144 - - [13/Dec/2022:11:46:05 +0800] "GET /public/formatter.jsp HTTP/1.1" 404 598 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36"
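A small detector for this kind of proxy log, added here as an example and not taken from the thread or from Zimbra: it parses combined-format access log lines, groups POSTs to the MailboxImportServlet path by source address, records the User-Agents used (the identifier change noted above) and whether each POST was answered 403 by a block like the nginx one earlier in the thread, and notes the follow-up GET /public/formatter.jsp that appears in the posted log. The sample lines are constructed with documentation-range addresses, not copied from a real server.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the posted proxy log; addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Dec/2022:01:05:48 +0800] "POST /service/extension/backup/mboximport?account-name=admin&ow=2&no-switch=1&append=1 HTTP/1.1" 403 187 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"
203.0.113.5 - - [13/Dec/2022:01:05:49 +0800] "GET /public/formatter.jsp HTTP/1.1" 404 598 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36"
198.51.100.7 - - [13/Dec/2022:02:00:00 +0800] "POST /service/extension/backup/mboximport?account-name=admin&ow=2 HTTP/1.1" 200 512 "-" "python-requests/2.28.1"
192.0.2.9 - - [13/Dec/2022:02:10:00 +0800] "GET /mail HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

MBOXIMPORT = "/service/extension/backup/mboximport"
FOLLOWUP = "/public/formatter.jsp"  # the GET that followed each POST in the posted log

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def scan(log_text):
    """Summarise, per source IP, POSTs to the MailboxImportServlet path."""
    stats = defaultdict(lambda: {"posts": 0, "not_blocked": 0, "uas": set(), "followup_get": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string before comparing
        s = stats[rec["ip"]]
        if rec["method"] == "POST" and path == MBOXIMPORT:
            s["posts"] += 1
            s["uas"].add(rec["ua"])
            if rec["status"] != "403":  # anything but 403 got past a return-403 block
                s["not_blocked"] += 1
        elif rec["method"] == "GET" and path == FOLLOWUP:
            s["followup_get"] = True
    return {ip: s for ip, s in stats.items() if s["posts"] > 0}  # only sources that hit the servlet

def needs_attention(summary):
    """Sources whose servlet POSTs were not answered 403, i.e. worth checking on the mailbox host."""
    return sorted(ip for ip, s in summary.items() if s["not_blocked"] > 0)

if __name__ == "__main__":
    for ip, s in scan(SAMPLE_LOG).items():
        print(ip, s["posts"], "POST(s),", s["not_blocked"], "not blocked, follow-up GET:", s["followup_get"])
```

Feed it the proxy's access log instead of SAMPLE_LOG; any source listed by needs_attention reached the servlet path with something other than a 403, which is the case the thread is worried about.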
-
- Advanced member
- Posts: 173
- Joined: Sat Sep 13, 2014 12:54 am
- Location: Netherlands
- ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43
- Contact:
Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability
If you have a proxy, then how are they able to POST to your server?
Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability
halfgaar wrote: If you have a proxy, then how are they able to POST to your server?
They're not. Those logs are from the proxy. The server never sees them at all.
Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability
In that case I'm curious how they found your proxy. My proxy only has our own activity in the logs.
Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability
halfgaar wrote: In that case I'm curious how they found your proxy. My proxy only has our own activity in the logs.
My theory is via IMAPS, because I still have that exposed and it identifies itself as Zimbra. That's the remaining thing I haven't yet figured out how to isolate.
Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability
If the proxy is on another IP address, it should be impossible to detect its presence if you take a few precautions:
- Don't make it respond on the default virtual host on the webserver, i.e. when you probe its IP address.
- Don't support AXFR (zone transfer) on your domain name, lest you expose all your records, including things like webproxy.yourdomain.com.
On a side note: I use ipset+iptables to load files from https://www.ipdeny.com/ to block some IMAP access. One could even do it on an allow-list basis, if you know where your user base is. It's a bit on the 'security through obscurity' spectrum, but I liked experimenting with it. Warning: it takes special care not to create firewall load errors on server boot, because these IP sets need to be loaded first.
Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability
halfgaar wrote: In that case I'm curious how they found your proxy. My proxy only has our own activity in the logs.
BradC wrote: My theory is via IMAPS, because I still have that exposed and it identifies itself as Zimbra. That's the remaining thing I haven't yet figured out how to isolate.
I've just modified the conf/nginx/templates/nginx.conf.mail.template to report something else. Let's see if that settles things down.
halfgaar wrote: If the proxy is on another IP address, it should be impossible to detect its presence if you take a few precautions:
- Don't make it respond on the default virtual host on the webserver, i.e. when you probe its IP address.
- Don't support AXFR (zone transfer) on your domain name, lest you expose all your records, including things like webproxy.yourdomain.com.
I already do those things, and they reduced the probes from > 20 / day to maybe once a week.