Security Update: Authentication Bypass in MailboxImportServlet vulnerability

twiggers
Posts: 7
Joined: Thu Aug 18, 2022 4:39 am

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by twiggers »

So my server is updated and I ran an exploit tester, and you can still get in through CVE-2022-27925.

Is there a specific updated file I can copy in my Zimbra app to make sure they didn't replace it with an old one?
ghen
Outstanding Member
Posts: 258
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium
ZCS/ZD Version: 9.0.0

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by ghen »

We just blocked the MailboxImportServlet URL on proxy, in nginx.conf.web.https.default.template:

Code:

    # block MailboxImportServlet requests for CVE-2022-37042 exploit
    location = /service/extension/backup/mboximport {
        return 403;
    }

BradC
Outstanding Member
Posts: 265
Joined: Tue May 03, 2016 1:39 am

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by BradC »

We've seen a spate of attempts on this again recently :

Code:

194.87.31.144 - - [13/Dec/2022:01:05:48 +0800] "POST /service/extension/backup/mboximport?account-name=admin&ow=2&no-switch=1&append=1 HTTP/1.1" 403 187 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.1 Safari/537.36"
194.87.31.144 - - [13/Dec/2022:01:05:49 +0800] "GET /public/formatter.jsp HTTP/1.1" 404 598 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36"
194.87.31.144 - - [13/Dec/2022:01:05:50 +0800] "POST /service/extension/backup/mboximport?account-name=admin&account-status=1&ow=cmd HTTP/1.1" 403 187 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36"
194.87.31.144 - - [13/Dec/2022:01:05:51 +0800] "GET /public/formatter.jsp HTTP/1.1" 404 598 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36"
194.87.31.144 - - [13/Dec/2022:04:40:30 +0800] "POST /service/extension/backup/mboximport?account-name=admin&ow=2&no-switch=1&append=1 HTTP/1.1" 403 187 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36"
194.87.31.144 - - [13/Dec/2022:04:40:31 +0800] "GET /public/formatter.jsp HTTP/1.1" 404 598 "-" "Mozilla/5.0 (Windows NT 4.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36"
194.87.31.144 - - [13/Dec/2022:04:40:33 +0800] "POST /service/extension/backup/mboximport?account-name=admin&account-status=1&ow=cmd HTTP/1.1" 403 187 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F"
194.87.31.144 - - [13/Dec/2022:04:40:33 +0800] "GET /public/formatter.jsp HTTP/1.1" 404 598 "-" "Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36"
194.87.31.144 - - [13/Dec/2022:11:46:02 +0800] "POST /service/extension/backup/mboximport?account-name=admin&ow=2&no-switch=1&append=1 HTTP/1.1" 403 187 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36"
194.87.31.144 - - [13/Dec/2022:11:46:03 +0800] "GET /public/formatter.jsp HTTP/1.1" 404 598 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36"
194.87.31.144 - - [13/Dec/2022:11:46:05 +0800] "POST /service/extension/backup/mboximport?account-name=admin&account-status=1&ow=cmd HTTP/1.1" 403 187 "-" "Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36"
194.87.31.144 - - [13/Dec/2022:11:46:05 +0800] "GET /public/formatter.jsp HTTP/1.1" 404 598 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36"
This is the first lot since we've added an extra reverse proxy in front of Zimbra to hide it from the likes of shodan.io. Also notice they've changed the identifier, as previously they were using python-requests.
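As an added example (not code from the thread, from Zimbra, or from BradC), the triage that a log like the one above invites, run over constructed lines in the same combined-log format. It separates probes the proxy refused (403 on the mboximport POST) from the two answers that would warrant an incident-response look: a non-403/404 answer to that POST, and a 200 on the follow-up GET, which in the posted log is a 404. The source addresses, the 200 lines and the python-requests user agent are constructed; reading the GET as a check for a file the preceding POST tried to write is an inference from the posted sequence, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: classify MailboxImportServlet probes in
# a combined-format access log (as written by the nginx proxy in front of
# Zimbra).  Reads log lines on stdin, prints "ip status kind" per probe.
#
# kind values:
#   blocked      POST to the mboximport servlet answered 403/404 (refused)
#   ALERT-post   that POST answered anything else, e.g. 200: investigate
#   jsp-missing  follow-up GET for /public/<name>.jsp answered 404
#   ALERT-jsp    that GET answered 200: a file the prober expected now exists
classify_probes() {
    awk '
    {
        ip = $1
        n = split($0, q, "\"")        # q[2] = request line, q[3] = " status bytes "
        if (n < 3) next                # not a combined-format line
        split(q[2], req, " ")          # method, path, protocol
        method = req[1]; path = req[2]
        split(q[3], rest, " ")
        status = rest[1]
        sub(/[?].*/, "", path)         # nginx "location =" matches the path only,
                                       # so drop the query string before comparing
        if (method == "POST" && path == "/service/extension/backup/mboximport") {
            kind = (status == "403" || status == "404") ? "blocked" : "ALERT-post"
        } else if (method == "GET" && path ~ /^\/public\/[^\/]+\.jsp$/) {
            kind = (status == "200") ? "ALERT-jsp" : "jsp-missing"
        } else {
            next
        }
        print ip, status, kind
    }'
}

# Lines that need a human: anything tagged ALERT.
count_alerts() { classify_probes | grep -c ALERT || true; }

# Distinct source addresses that sent probes, blocked or not (blocklist input).
probe_sources() { classify_probes | awk '{ print $1 }' | sort -u; }

# --- constructed sample, same layout as the posted proxy log --------------
# Addresses are RFC 5737 documentation ranges; the 200 responses are invented
# to show what an unblocked hit would look like.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [13/Dec/2022:01:05:48 +0800] "POST /service/extension/backup/mboximport?account-name=admin&ow=2&no-switch=1&append=1 HTTP/1.1" 403 187 "-" "Mozilla/5.0 (constructed)"
203.0.113.5 - - [13/Dec/2022:01:05:49 +0800] "GET /public/formatter.jsp HTTP/1.1" 404 598 "-" "Mozilla/5.0 (constructed)"
203.0.113.5 - - [13/Dec/2022:01:06:00 +0800] "GET /service/soap HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (constructed)"
198.51.100.7 - - [13/Dec/2022:02:10:11 +0800] "POST /service/extension/backup/mboximport?account-name=admin&account-status=1&ow=cmd HTTP/1.1" 200 42 "-" "python-requests/2.28.1"
198.51.100.7 - - [13/Dec/2022:02:10:12 +0800] "GET /public/formatter.jsp HTTP/1.1" 200 17 "-" "python-requests/2.28.1"
EOF
)

printf '%s\n' "$SAMPLE_LOG" | classify_probes
echo "alerts: $(printf '%s\n' "$SAMPLE_LOG" | count_alerts)"
```

On a real proxy, feed it the access log (for instance `classify_probes < /opt/zimbra/log/nginx.access.log`; that path is an assumption, use whatever your front proxy writes). To confirm a block like ghen's is live, `curl -s -o /dev/null -w '%{http_code}\n' -X POST 'https://mail.example.com/service/extension/backup/mboximport?account-name=admin'` (placeholder host) should print 403; `location =` is an exact match on the path, so the query strings seen in the probes do not affect it.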
halfgaar
Advanced member
Posts: 171
Joined: Sat Sep 13, 2014 12:54 am
Location: Netherlands
ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by halfgaar »

If you have a proxy, then how are they able to POST to your server?
BradC
Outstanding Member
Posts: 265
Joined: Tue May 03, 2016 1:39 am

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by BradC »

halfgaar wrote:If you have a proxy, then how are they able to POST to your server?
They're not. Those logs are from the proxy. The server never sees them at all.
halfgaar
Advanced member
Posts: 171
Joined: Sat Sep 13, 2014 12:54 am
Location: Netherlands
ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by halfgaar »

In that case I'm curious how they found your proxy. My proxy only has our own activity in the logs.
BradC
Outstanding Member
Posts: 265
Joined: Tue May 03, 2016 1:39 am

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by BradC »

halfgaar wrote:In that case I'm curious how they found your proxy. My proxy only has our own activity in the logs.
My theory is via IMAPS, because I still have that exposed and it identifies itself as Zimbra. That's the remaining thing I haven't yet figured out how to isolate.
halfgaar
Advanced member
Posts: 171
Joined: Sat Sep 13, 2014 12:54 am
Location: Netherlands
ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by halfgaar »

If the proxy is on another IP address, it should be impossible to detect its presence if you take a few precautions:
  • Don't make it respond on the default virtual host on the webserver, i.e. when you probe its IP address.
  • Don't support AXFR (zone transfer) on your domain name, lest you expose all your records, including things like webproxy.yourdomain.com.
But even when you don't do that, having an HTTP password on the proxy should prevent scanners from identifying it as Zimbra. There's still a missing piece of the puzzle.

On a side note: I use ipset+iptables to load files from https://www.ipdeny.com/ to block some IMAP access. One could even do it on an allow-list basis, if you know where your user base is. It's a bit on the 'security through obscurity' spectrum, but I liked experimenting with it. Warning: it takes special care not to create firewall load errors on server boot, because these IP sets need to be loaded first.
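As an added example (not halfgaar's setup, and not Zimbra's or ipdeny's code), an allow-list version of the ipset+iptables idea for IMAPS, written around the boot-order problem mentioned above: the `-m set` rule fails to load if the set does not exist yet, so the set is restored first and the rule is inserted only afterwards, idempotently. The set name, file paths and port are assumptions, and the CIDR content is constructed from documentation ranges; a real deployment would feed it the per-country files from ipdeny.com.

```shell
#!/bin/sh
# Added example, not from the thread: an allow-list for IMAPS (tcp/993) with
# ipset + iptables, loaded in the order that survives a reboot.
# Assumptions: set name "imaps-allow", restore file under /etc/ipset, port 993.
set -u

SET_NAME=${SET_NAME:-imaps-allow}
RESTORE_FILE=${RESTORE_FILE:-/etc/ipset/imaps-allow.restore}
IMAPS_PORT=993

# Turn a CIDR list (one prefix per line, '#' comments and blank lines
# allowed) into an `ipset restore` script on stdout.
render_ipset_restore() {   # $1 = path to CIDR file
    echo "create $SET_NAME hash:net family inet"
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | while IFS= read -r net; do
        echo "add $SET_NAME $net"
    done
}

# The rule that enforces the set: anything on the IMAPS port whose source is
# not in the set is dropped.  iptables refuses this rule while the set does
# not exist, which is the boot-time load error halfgaar warns about.
iptables_rule_args() {
    echo "INPUT -p tcp --dport $IMAPS_PORT -m set ! --match-set $SET_NAME src -j DROP"
}

# Boot-order-safe loader: restore the set first (-exist makes re-running it
# harmless), then insert the rule only if it is not already present.
# Needs root and real ipset/iptables; the demo below does not call it.
load_at_boot() {
    ipset -exist restore < "$RESTORE_FILE" || return 1
    # shellcheck disable=SC2046
    iptables -C $(iptables_rule_args) 2>/dev/null || iptables -I $(iptables_rule_args)
}

# --- demo on constructed input ---------------------------------------------
CIDR_TMP=$(mktemp)
trap 'rm -f "$CIDR_TMP"' EXIT
cat > "$CIDR_TMP" <<'EOF'
# constructed example prefixes (RFC 5737 documentation ranges)
192.0.2.0/24
198.51.100.0/24

203.0.113.0/24
EOF

render_ipset_restore "$CIDR_TMP"
echo "iptables -I $(iptables_rule_args)"
```

Write the rendered script to `$RESTORE_FILE` and have whatever runs at boot call `load_at_boot` before the rest of the firewall comes up (with systemd, a unit ordered `Before=` the iptables/netfilter-persistent unit). Because the rule is a DROP for everything outside the set, test the set contents against your own client ranges before enabling it, or you lock out your own users.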
BradC
Outstanding Member
Posts: 265
Joined: Tue May 03, 2016 1:39 am

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by BradC »

BradC wrote:
halfgaar wrote:In that case I'm curious how they found your proxy. My proxy only has our own activity in the logs.
My theory is via IMAPS. Because I still have that exposed and it identifies itself as Zimbra. That's remaining thing I haven't yet figured out how to isolate.
I've just modified the conf/nginx/templates/nginx.conf.mail.template to report something else. Let's see if that settles things down.
halfgaar wrote:If the proxy is on another IP address, it should be impossible to detect its presence if you take a few precautions:
  • Don't make it respond on the default virtual host on the webserver, i.e. when you probe its IP address.
  • Don't support AXFR (zone transfer) on your domain name, lest you expose all your records, including things like webproxy.yourdomain.com.
I already do those things, and they reduced the probes from > 20 / day to maybe once a week.