coco6612001 wrote: is it still urgent to address this bug?
Yes, and you should always keep your software up to date.
Security Update: Authentication Bypass in MailboxImportServlet vulnerability
Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability
-
- Posts: 18
- Joined: Sat Sep 13, 2014 3:52 am
Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability
One of my unpatched servers was compromised by this. What triggered it was CPU usage, as they had a crypto miner running taking up all the CPU.
Anyways...
I've since patched all Zimbra servers we have. What's the best way to clean up the server that was in fact breached? I'd like to just load up a new Zimbra server and move over the config & mailstore, but I can't find any docs that cover this. All docs show backing up the entire Zimbra structure, installing a new server and then overwriting with the old data... I don't want to do that since my jetty folder is full of all sorts of random .jsp pages.
Thoughts? If my other servers all ONLY have the correct .jsp files on them, can I be safe in thinking those servers have not been compromised?
-
- Outstanding Member
- Posts: 259
- Joined: Thu May 12, 2016 1:56 pm
- Location: Belgium
- ZCS/ZD Version: 9.0.0
Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability
The nginx mitigation that was proposed in this thread is now documented on the Zimbra wiki.
For those holding off Patch 33 because of the e-mail display regression, be sure to apply this mitigation in the meantime.
- axslingr
- Outstanding Member
- Posts: 256
- Joined: Sat Sep 13, 2014 2:20 am
- ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18
Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability
jeremywatco wrote: I've since patched all Zimbra servers we have. What's the best way to clean up the server that was in fact breached? I'd like to just load up a new Zimbra server and move over the config & mailstore, but I can't find any docs that cover this. All docs show backing up the entire Zimbra structure, installing a new server and then overwriting with the old data... I don't want to do that since my jetty folder is full of all sorts of random .jsp pages.
Follow this and delete any files that shouldn't be there.
https://wiki.zimbra.com/wiki/Default_Fi ... lic_Folder
-
- Advanced member
- Posts: 125
- Joined: Fri Sep 12, 2014 10:35 pm
- ZCS/ZD Version: Release 8.8.15.GA.3829.UBUNTU16.64
Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability
Hi all,
My server has been compromised by this vulnerability.
I had just updated Zimbra to patch P33, I think last week, ± Aug 20th.
At the time, a backup had apparently filled the system disk, causing slow Zimbra function.
It was not a backup I knew, nor did it use the regular backup location (hence filling up the system disk).
While solving the disk space issue, I updated Zimbra to the latest patch;
Zimbra resumed normal operation.
That backup now seems part of the infection/intrusion, presumably dated Aug 18th.
The webshells were already present before the patch, but dormant till this morning?
Cleanup:
- cleaned the webapps public folder of zimbra, cf. https://wiki.zimbra.com/wiki/Default_Fi ... lic_Folder
folder /opt/zimbra/mailboxd/webapps/zimbra/public
- cleaned the webapps public folder of zimbraAdmin
jsp files and databackup.sh
- cleaned zimbra crontab
this was filled with wget entries to http:// 122 181 174 44:8888/admin/index.php
Still to do:
- recreate zimbra crontab <<< this is now empty
Can anyone point me to the correct content of the zimbra crontab? (8.8.15)
Best regards,
Glenn
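The cleanup advice above (delete anything in the webapps tree that should not be there, and check for edited files while you are at it) as an added example script; it is not from any post in this thread nor from Zimbra. It assumes a manifest produced on a known-clean server of the same patch level, in the "sha256 relative-path" format the script itself writes.

```python
#!/usr/bin/env python3
# Added example, not from the thread or from Zimbra. Manifest lines are "sha256 relative-path".
import hashlib
import os
import sys

WEBAPPS = "/opt/zimbra/mailboxd/webapps"  # tree where the thread's .jsp webshells were dropped

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """{relative path: sha256} for every regular file under root (symlinks skipped)."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def diff_manifests(clean, suspect):
    """Paths only on the suspect host (dropped files) and paths whose hash differs
    (legitimate files edited in place); both need a look before the host is trusted."""
    added = sorted(set(suspect) - set(clean))
    modified = sorted(p for p in clean if p in suspect and clean[p] != suspect[p])
    return added, modified

def parse_manifest(text):
    """Inverse of the `dump` output below."""
    return dict(line.split(None, 1)[::-1] for line in map(str.strip, text.splitlines()) if line)

if __name__ == "__main__":
    # Clean server of the same patch level: `script.py dump > clean.txt`
    # Suspect server:                       `script.py check clean.txt`
    if sys.argv[1] == "dump":
        for path, digest in sorted(build_manifest(WEBAPPS).items()):
            print(digest, path)
    else:
        with open(sys.argv[2]) as fh:
            clean = parse_manifest(fh.read())
        added, modified = diff_manifests(clean, build_manifest(WEBAPPS))
        for path in added:
            print("NOT IN CLEAN MANIFEST:", path)
        for path in modified:
            print("CONTENT DIFFERS FROM CLEAN:", path)
```

Keep the clean manifest off the suspect host, since anything stored on a breached server can be edited by whoever dropped the webshells.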
-
- Ambassador
- Posts: 2761
- Joined: Mon Dec 16, 2013 11:35 am
- Location: France - Drôme
- ZCS/ZD Version: All of them
- Contact:
Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability
glenndm wrote: still to do:
- recreate zimbra crontab <<< this is now empty
can anyone point me to the correct content of the zimbra crontab? (8.8.15)
https://wiki.zimbra.com/wiki/Step_to_re ... imbra_user
-
- Advanced member
- Posts: 125
- Joined: Fri Sep 12, 2014 10:35 pm
- ZCS/ZD Version: Release 8.8.15.GA.3829.UBUNTU16.64
Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability
Klug wrote:
glenndm wrote: still to do:
- recreate zimbra crontab
https://wiki.zimbra.com/wiki/Step_to_re ... imbra_user
Thanks Klug, crontab has been restored as well.
-
- Posts: 7
- Joined: Fri Jul 20, 2018 9:22 am
Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability
After spending hours cleaning up after this malware, I've set auditctl to have better sight of jsp files. I'm testing it on my 2 Zimbra servers.
Code:
-w /opt/zimbra/mailboxd/webapps/ -p w -k zimbra_jsp
-a never,exclude -F dir=/opt/zimbra/mailboxd/webapps/zimbraAdmin/WEB-INF/ -k exclude_dir
-a never,exclude -F dir=/opt/zimbra/mailboxd/webapps/zimlet/WEB-INF/ -k exclude_dir2
-a never,exclude -F dir=/opt/zimbra/mailboxd/webapps/zimbra/WEB-INF/ -k exclude_dir3
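What those rules produce, turned into an alert: an added example script (not from any post in this thread) that groups raw auditd records by event serial and reports every event tagged with the `zimbra_jsp` key whose PATH record names a .jsp file. The log lines embedded in it are constructed and trimmed to the fields the parser uses.

```python
#!/usr/bin/env python3
# Added example, not from the thread. Log lines below are constructed, trimmed to the
# fields the parser uses; real records from /var/log/audit/audit.log carry more fields.
import re
from collections import defaultdict

SAMPLE_LOG = """\
type=SYSCALL msg=audit(1661234567.123:4567): arch=c000003e syscall=257 success=yes exit=3 uid=997 comm="java" exe="/opt/zimbra/common/lib/jvm/java/bin/java" key="zimbra_jsp"
type=CWD msg=audit(1661234567.123:4567): cwd="/opt/zimbra"
type=PATH msg=audit(1661234567.123:4567): item=0 name="/opt/zimbra/mailboxd/webapps/zimbra/public/" nametype=PARENT
type=PATH msg=audit(1661234567.123:4567): item=1 name="/opt/zimbra/mailboxd/webapps/zimbra/public/shell.jsp" nametype=CREATE
type=SYSCALL msg=audit(1661234568.500:4568): arch=c000003e syscall=257 success=yes exit=4 uid=997 comm="java" exe="/opt/zimbra/common/lib/jvm/java/bin/java" key="zimbra_jsp"
type=PATH msg=audit(1661234568.500:4568): item=0 name="/opt/zimbra/mailboxd/webapps/zimbra/public/cache.bin" nametype=NORMAL
"""

EVENT_ID = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by audit serial: SYSCALL fields plus every PATH (name, nametype)."""
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        ev = events[m.group(2)]
        if fields.get("type") == "SYSCALL":
            ev.update(ts=m.group(1), uid=fields.get("uid"), exe=fields.get("exe"),
                      key=fields.get("key"))
        elif fields.get("type") == "PATH":
            ev["paths"].append((fields.get("name", ""), fields.get("nametype", "")))
    return events

def jsp_writes(text, key="zimbra_jsp"):
    """Events carrying the rule's key whose PATH record names a .jsp file."""
    hits = []
    for serial, ev in parse_events(text).items():
        if ev.get("key") != key:
            continue
        for name, nametype in ev["paths"]:
            if name.lower().endswith(".jsp"):
                hits.append({"serial": serial, "ts": ev["ts"], "uid": ev["uid"],
                             "exe": ev["exe"], "path": name, "nametype": nametype})
    return hits

if __name__ == "__main__":
    # Same idea interactively: `ausearch -k zimbra_jsp -i`; this script is for feeding
    # a log shipper or a cron job that mails the hits.
    for hit in jsp_writes(SAMPLE_LOG):
        print(hit)
```

A hit with `nametype=CREATE` and `exe` pointing at the mailboxd JVM is exactly the pattern of a webshell being dropped through the web application, which is worth paging on rather than just logging.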
Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability
Hey all,
How has your luck been keeping people out?
I removed all JSP files (did not find any SH or anything else). Updated 9.0 to patch 28 and blocked some of the IPs calling (I know that's a temp thing).
After a few days I see a new jsp dropped in. I know once they are in, it could be anywhere. But is there anything I could have missed that was obvious?
-
- Advanced member
- Posts: 172
- Joined: Sat Sep 13, 2014 12:54 am
- Location: Netherlands
- ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43
- Contact:
Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability
twiggers wrote: Hey all,
How has your luck been keeping people out?
100% success rate, because I only allow access on the HTTPS port through a password-protected proxy. And this is only one example. There are other ways, of course.
I know I'm a bit of a broken record, but not having the HTTPS port open should really be the mantra. It's proven necessary on various occasions.