Security Update: Authentication Bypass in MailboxImportServlet vulnerability

phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by phoenix »

coco6612001 wrote: is it still urgent to address this bug?
Yes, and you should always keep your software up to date.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
jeremywatco
Posts: 18
Joined: Sat Sep 13, 2014 3:52 am

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by jeremywatco »

One of my unpatched servers was compromised by this. What triggered it was CPU usage, as they had a crypto miner running taking up all the CPU.

Anyways...

I've since patched all Zimbra servers we have. What's the best way to clean up the server that was in fact breached? I'd like to just load up a new Zimbra server and move over the config & mailstore, but I can't find any docs that cover this. All docs show backing up the entire Zimbra structure, installing a new server and then overwriting with the old data... I don't want to do that since my jetty folder is full of all sorts of random .jsp pages.

Thoughts? If my other servers all ONLY have the correct .jsp files on them, can I be safe in thinking those servers have not been compromised?
ghen
Outstanding Member
Posts: 258
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium
ZCS/ZD Version: 9.0.0

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by ghen »

The nginx mitigation that was proposed in this thread is now documented on the Zimbra wiki.

For those holding off Patch 33 because of the e-mail display regression, be sure to apply this mitigation in the meantime.
axslingr
Outstanding Member
Posts: 256
Joined: Sat Sep 13, 2014 2:20 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by axslingr »

jeremywatco wrote: I've since patched all Zimbra servers we have. What's the best way to cleanup the server that was in fact breached? I'd like to just load up a new zimbra server and move over the config & mailstore but I can't find any docs that cover this. All docs show backing up entire zimbra structure.. installing new server and then overwriting with old data... I don't want to do that since my jetty folder is full of all sorts of random .jsp pages.
Follow this and delete any files that shouldn't be there.
https://wiki.zimbra.com/wiki/Default_Fi ... lic_Folder
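To answer jeremywatco's question about trusting a server that "only has the correct .jsp files", the check below compares a webapp directory against a manifest taken from a known-clean server at the same patch level and reports files that were added or whose content changed. This is an added example, not code from the thread or from Zimbra; the demo tree it builds is constructed, and the only real path it uses is the public folder the wiki page covers.

```sh
#!/bin/sh
# Added example (not from the thread or from Zimbra): list files under a Zimbra
# webapp directory that are absent from, or differ from, a baseline manifest
# built on a known-clean server at the same patch level. The directory tree
# created by make_demo_tree is constructed for demonstration only.
set -eu

WEBAPP_PUBLIC=/opt/zimbra/mailboxd/webapps/zimbra/public   # folder the wiki page covers

# build_manifest DIR: one "sha256  ./relative/path" line per regular file,
# sorted byte-wise so that comm(1) can compare two manifests line by line.
# Paths are assumed to contain no whitespace.
build_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort )
}

# unexpected_files BASELINE DIR: paths under DIR whose (hash, path) pair is not
# in BASELINE, i.e. dropped files such as a webshell .jsp and originals whose
# content changed. Output is sorted by path.
unexpected_files() {
    build_manifest "$2" | LC_ALL=C comm -13 "$1" - | awk '{print $2}' | LC_ALL=C sort
}

# make_demo_tree ROOT: constructed clean and suspect copies of a public folder
make_demo_tree() {
    mkdir -p "$1/clean" "$1/suspect"
    for d in clean suspect; do
        printf 'original page\n' > "$1/$d/index.jsp"        # identical on both
    done
    printf 'original page\n' > "$1/clean/blank.html"
    printf 'tampered page\n' > "$1/suspect/blank.html"       # modified original
    printf 'not a real page\n' > "$1/suspect/dropped.jsp"    # exists only on the suspect host
}

# run_demo: build the baseline from the clean copy, then audit the suspect copy
run_demo() {
    root=$(mktemp -d)
    make_demo_tree "$root"
    build_manifest "$root/clean" > "$root/baseline.txt"
    unexpected_files "$root/baseline.txt" "$root/suspect"
    rm -rf "$root"
}

# On real hosts: run  build_manifest "$WEBAPP_PUBLIC" > baseline.txt  on the
# clean server, copy baseline.txt over, then run
# unexpected_files baseline.txt "$WEBAPP_PUBLIC"  on each server to check.
run_demo
```

A clean result only says the checked directory matches; files dropped elsewhere on the host (crontab entries, other webapps) need their own checks.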
glenndm
Advanced member
Posts: 125
Joined: Fri Sep 12, 2014 10:35 pm
ZCS/ZD Version: Release 8.8.15.GA.3829.UBUNTU16.64

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by glenndm »

Hi all,

My server has been compromised by this vulnerability.

I had just updated Zimbra to patch p33, I think last week, ± Aug 20th.
At the time, a backup had apparently filled the system disk, causing slow Zimbra function.
It was not a backup I knew, nor did it use the regular backup location (hence filling up the system disk).

While solving the disk space issue, I updated Zimbra to the latest patch;
Zimbra resumed normal operation.

That backup now seems part of the infection/intrusion, dated presumably Aug 18th.
The webshells were already present before the patch, but dormant till this morning?

Cleanup:
- cleaned the webapps public folders of zimbra cfr https://wiki.zimbra.com/wiki/Default_Fi ... lic_Folder
folder /opt/zimbra/mailboxd/webapps/zimbra/public
- cleaned the webapps public folders of zimbraAdmin
jsp files and databackup.sh
- cleaned zimbra crontab
this was filled with wget entries to http:// 122 181 174 44:8888/admin/index.php

still to do:
- recreate zimbra crontab <<< this is now empty
Can anyone point me to the correct content of the zimbra crontab? (8.8.15)

best regards
glenn
Klug
Ambassador
Posts: 2747
Joined: Mon Dec 16, 2013 11:35 am
Location: France - Drôme
ZCS/ZD Version: All of them

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by Klug »

glenndm wrote: still to do:
- recreate zimbra crontab <<< this is now empty
Can anyone point me to the correct content of the zimbra crontab? (8.8.15)
https://wiki.zimbra.com/wiki/Step_to_re ... imbra_user
glenndm
Advanced member
Posts: 125
Joined: Fri Sep 12, 2014 10:35 pm
ZCS/ZD Version: Release 8.8.15.GA.3829.UBUNTU16.64

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by glenndm »

Klug wrote:
glenndm wrote: still to do:
- recreate zimbra crontab
https://wiki.zimbra.com/wiki/Step_to_re ... imbra_user
Thanks Klug, crontab has been restored as well
randomizedname
Posts: 7
Joined: Fri Jul 20, 2018 9:22 am

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by randomizedname »

After spending hours cleaning up after this malware, I've set up auditctl to get better visibility of jsp files. I'm testing it on my 2 Zimbra servers.

# Suppression rules go first: audit evaluates rules in order and a matching
# "never" rule stops processing, so writes under WEB-INF never reach the watch.
# (dir= is only accepted on the exit list, not on the exclude list.)
-a never,exit -F dir=/opt/zimbra/mailboxd/webapps/zimbraAdmin/WEB-INF/ -F perm=w -k exclude_dir
-a never,exit -F dir=/opt/zimbra/mailboxd/webapps/zimlet/WEB-INF/ -F perm=w -k exclude_dir2
-a never,exit -F dir=/opt/zimbra/mailboxd/webapps/zimbra/WEB-INF/ -F perm=w -k exclude_dir3
# Then record every write under the webapps tree; search with: ausearch -k zimbra_jsp
-w /opt/zimbra/mailboxd/webapps/ -p w -k zimbra_jsp

twiggers
Posts: 7
Joined: Thu Aug 18, 2022 4:39 am

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by twiggers »

Hey all,

How has your luck been keeping people out?

I removed all JSP files (did not find any SH or anything else), updated 9.0 to patch 28 and blocked some of the IPs calling in (I know that's a temporary thing).

After a few days I see a new jsp dropped in. I know once they are in, it could be anywhere. But is there anything I could have missed that was obvious?
halfgaar
Advanced member
Posts: 171
Joined: Sat Sep 13, 2014 12:54 am
Location: Netherlands
ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43

Re: Security Update: Authentication Bypass in MailboxImportServlet vulnerability

Post by halfgaar »

twiggers wrote: Hey all,

How has your luck been keeping people out?
100% success rate, because I only allow access on the HTTPS port through a password-protected proxy. And this is only one example. There are other ways, of course.

I know I'm a bit of a broken record, but not having the HTTPS port open should really be the mantra. It's proven necessary on various occasions.