Security Update: Authentication Bypass in MailboxImportServlet vulnerability

jeastman
Zimbra Employee
Posts: 82
Joined: Tue Mar 29, 2016 1:36 pm

Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by jeastman »

Hello Zimbra Community,

We have had reports of a security vulnerability which is being actively exploited. Zimbra 8.8.15 patch 33 and Zimbra 9.0.0 patch 26 contain an important security update that fixes an authentication bypass in MailboxImportServlet (CVE-2022-37042 and CVE-2022-27925).

If you are running a Zimbra version that is older than Zimbra 8.8.15 patch 33 or Zimbra 9.0.0 patch 26 you should update to the latest patch as soon as possible.

Thanks.
John Eastman
khawkins
Posts: 12
Joined: Sat Dec 11, 2021 12:25 am
ZCS/ZD Version: 8.8.15

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by khawkins »

Are there any known indicators of an attempted/successful/unsuccessful exploit of this that you can share? I'm now on p33, but I waited longer than was advisable... p32 left me gun-shy.
andras0602
Advanced member
Posts: 62
Joined: Sat May 21, 2022 3:11 pm
ZCS/ZD Version: 8.8.15

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by andras0602 »

Many thanks for the information!
In this case could you escalate this bug further? https://github.com/Zimbra/zm-mailbox/pull/1277
More on the problem here: viewtopic.php?f=13&t=71022&start=4
And I just opened a support case too, case number 01380475: https://support.zimbra.com/s/detail/5008Z00001yiTvpQAE
BradC
Outstanding Member
Posts: 265
Joined: Tue May 03, 2016 1:39 am

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by BradC »

CVE-2022-37042 isn't even mentioned on the Zimbra Security Advisories. So, are there any potential temporary/short-term mitigations that can be applied?
GlooM
Advanced member
Posts: 127
Joined: Sat Sep 13, 2014 12:50 am

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by GlooM »

BradC wrote:CVE-2022-37042 isn't even mentioned on the Zimbra Security Advisories. So, are there any potential temporary/short-term mitigations that can be applied?
I also did not find any mention of this vulnerability. If we talk about CVE-2022-27925, then, as I understand it, it is quite difficult to exploit it.
To exploit the vulnerability, you must be able to import archives into mailboxes (i.e., at least have a valid account). Correct me if I'm wrong.
BradC
Outstanding Member
Posts: 265
Joined: Tue May 03, 2016 1:39 am

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by BradC »

GlooM wrote:
BradC wrote:CVE-2022-37042 isn't even mentioned on the Zimbra Security Advisories. So, are there any potential temporary/short-term mitigations that can be applied?
I also did not find any mention of this vulnerability. If we talk about CVE-2022-27925, then, as I understand it, it is quite difficult to exploit it.
To exploit the vulnerability, you must be able to import archives into mailboxes (i.e., at least have a valid account). Correct me if I'm wrong.
A reference I found to the other vulnerability indicates it's an authentication bypass. Combine that with CVE-2022-27925 and I suppose bad stuff might happen.
jamyles
Posts: 6
Joined: Thu Jul 04, 2019 3:55 am

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by jamyles »

p33 does not appear to be on repo.zimbra.com, only p32. When will this be updated?
Klug
Ambassador
Posts: 2747
Joined: Mon Dec 16, 2013 11:35 am
Location: France - Drôme
ZCS/ZD Version: All of them
Contact:

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by Klug »

CVE IDs are not updated in the release notes, here for example: https://wiki.zimbra.com/index.php/Zimbr ... 8.8.15/P33
The same release notes suggest the issue is "medium" while Synacor urges us to upgrade (blog post, forum, etc).

Zimbra Security Advisories page in the wiki is not updated either, as BradC said.
jeastman
Zimbra Employee
Posts: 82
Joined: Tue Mar 29, 2016 1:36 pm

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by jeastman »

Klug wrote:CVE IDs are not updated in the release notes, here for example: https://wiki.zimbra.com/index.php/Zimbr ... 8.8.15/P33
The same release notes suggest the issue is "medium" while Synacor urges us to upgrade (blog post, forum, etc).

Zimbra Security Advisories page in the wiki is not updated either, as BradC said.
I've been working with the team to get these updated. I had noted the same things. I will make sure that gets done.

Volexity has posted their findings in a new article: https://www.volexity.com/blog/2022/08/1 ... 022-27925/
John Eastman
andras0602
Advanced member
Posts: 62
Joined: Sat May 21, 2022 3:11 pm
ZCS/ZD Version: 8.8.15

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by andras0602 »

khawkins wrote:Are there any known indicators of an attempted/successful/unsuccessful exploit of this that you can share? I'm now on p33, but I waited longer than was advisable... p32 left me gun-shy.
Check this article: https://www.volexity.com/blog/2022/08/1 ... 022-27925/
They even made a YARA rule to find potential webshells, huge thumbs up for them!

I see similar POST requests in my servers' access.log.
Unfortunately, my oldest logs are from 13/Jul/2022 and I already see this Vultr-owned attacker IP 45.77.77.50 on all my servers. Here is an example:

Code:

access_log.2022-07-13:45.77.77.50 - - [13/Jul/2022:08:51:57 +0000] "POST /service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=true HTTP/1.1" 401 657 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0" 67
access_log.2022-07-13:45.77.77.50 - - [13/Jul/2022:08:53:32 +0000] "POST /service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=true HTTP/1.1" 401 657 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0" 7
The patches were built a few days later and became available later still. IMHO it's time for me to put all this Java-based thing behind a VPN/firewall/whatever.
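A small log scanner for the kind of access_log lines shown in the post above. This is an added example, not code from the thread, from Zimbra or from Volexity: it parses the access_log format as it appears there (an optional "filename:" prefix from grep, Apache combined format, then a trailing request-duration field), picks out POST requests to the mboximport servlet, and tallies them per source address by response status. The two 45.77.77.50 lines are copied from the post; the other two sample lines, the TEST-NET addresses in them and the user agents are constructed, and treating a 2xx response from this servlet as "accepted" (worth investigating on a host that was unpatched at the time) is an assumption of the example rather than something the thread states.

```python
import re
from collections import defaultdict

# Zimbra/Jetty access_log line as seen in the thread. IPv6 client addresses
# (which contain colons) would confuse the optional "file:" prefix; the
# lines in the post are all IPv4, so that case is not handled here.
LOG_RE = re.compile(
    r'^(?:(?P<file>[^:\s]+):)?'                       # optional grep filename prefix
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '        # client, ident, user, timestamp
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: (?P<duration>\d+))?\s*$'                    # trailing duration field
)

# Path of the servlet discussed in the thread (from the posted log lines).
MBOXIMPORT_PATH = "/service/extension/backup/mboximport"

# Constructed sample input: lines 1-2 are copied from the post, lines 3-4 are
# made up (TEST-NET addresses) to show an unrelated request and a non-401 hit.
SAMPLE_LINES = [
    'access_log.2022-07-13:45.77.77.50 - - [13/Jul/2022:08:51:57 +0000] "POST /service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=true HTTP/1.1" 401 657 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0" 67',
    'access_log.2022-07-13:45.77.77.50 - - [13/Jul/2022:08:53:32 +0000] "POST /service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=true HTTP/1.1" 401 657 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0" 7',
    '198.51.100.4 - - [13/Jul/2022:09:00:01 +0000] "GET /service/soap/NoOpRequest HTTP/1.1" 200 312 "-" "curl/7.81.0" 3',
    '203.0.113.7 - - [14/Jul/2022:02:17:44 +0000] "POST /service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=true HTTP/1.1" 200 12 "-" "python-requests/2.28.1" 144',
]


def parse_line(line):
    """Parse one access_log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["path"], _, entry["query"] = entry["target"].partition("?")
    return entry


def classify(entry):
    """Label a POST to the mboximport servlet by outcome; None for anything else.

    'rejected' means the servlet answered 401 (authentication was enforced).
    'accepted' is an assumption: a 2xx here means the import was processed,
    which on a host that was unpatched at the time deserves a closer look.
    """
    if entry is None or entry["method"] != "POST" or entry["path"] != MBOXIMPORT_PATH:
        return None
    if entry["status"] == 401:
        return "rejected"
    if 200 <= entry["status"] < 300:
        return "accepted"
    return "other"


def scan(lines):
    """Return (findings, per_ip): one finding tuple per relevant request and
    per-source counts keyed by outcome label."""
    findings = []
    per_ip = defaultdict(lambda: {"rejected": 0, "accepted": 0, "other": 0})
    for line in lines:
        entry = parse_line(line)
        label = classify(entry)
        if label is None:
            continue
        per_ip[entry["ip"]][label] += 1
        findings.append((entry["ip"], entry["ts"], entry["status"], entry["query"], label))
    return findings, dict(per_ip)


if __name__ == "__main__":
    # Run against the embedded sample; replace SAMPLE_LINES with
    # open("/opt/zimbra/log/access_log.2022-07-13") for a real file.
    found, summary = scan(SAMPLE_LINES)
    for ip, ts, status, query, label in found:
        print(f"{label:8} {ip:15} {ts} {status} {query}")
    for ip, counts in summary.items():
        print(ip, counts)
```

The point of keeping the status split is the one khawkins asked about: a run of 401s shows the servlet turned the request away, while a 2xx to the same path from an unknown client is the line you would want to correlate with webshell hunting on that host.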