Zimbra Security Update

[BradC]

Applying the patch 35 update seems to also install OpenSSL 3.0.9 ?? which then breaks zmcertmgr

There's a manual patch (provided by the guys at zextras) but when will Synacor push out an update that fixes this as auto renewal/SSL updates are currently failing

By "patch 35" I assume you're referring to v9.0.0. I've just updated certs on 2 test v9-ne systems with P35 applied and not had an issue. When you say "breaks zmcertmgr" can you be a bit more specific?

[barrydegraaff]

Do you know if this was discovered in the 'wild' or from audits?
If the former, are there any known mailbox.log entries to confirm an exploit attempt?
Thanks

As far as we know it was not exploited in the wild.

[dlittle90210]

I'm only seeing 8.8.15.p40 on zm-build and I need to install a source build to patch my server. Does anyone know if p41 and p42 are included in the 8.8.15.p40 tag for the FOSS version?

[gabrieles]

If the former, are there any known mailbox.log entries to confirm an exploit attempt?

An official violation check with evidence to bring (logs? files?) is being required from many customers.
INB4, "vulnerability has not been exploited because is not public" is not the answer.

[halfgaar]

I could place a 'grep' command on the proper logs here and ask everybody to run it, so we can check whether this is tried in the wild, but then I suppose my post will be deleted again...

[phoenix]

I could place a 'grep' command on the proper logs here and ask everybody to run it, so we can check whether this is tried in the wild, but then I suppose my post will be deleted again...

I think that would be an excellent idea. When was your post deleted? I don't remember seeing it.

[halfgaar]

Friday, august 25th. I commented on it here: viewtopic.php?p=310673#p310673

Hackers by now surely will have examined the patches, so I really think deleting the post would be counter-productive, so here goes:

Code: Select all

grep --fixed-strings --ignore-case hostedlogin /opt/zimbra/log/access_log*

I call upon all Zimbra admins to run this and report hits.

Disclaimer: I did not try calling the actual exploitable files, just dummies I put in place for this test, so see in which log the request show up.

[phoenix]

Thanks for reposting your 'srcipt', I ran it and it produced no results.

[ghen]

We've been watching the logs as well for this string and saw no occurances so far (apart from our own tests).

[gabrieles]

Ok, if talking about it is somewhat permitted I would like to share this detail:

When we received the "delete these 3 files" workaround, we first checked if these file existed.
We found them existing on every production environment, but NOT on the test environments: on the test envs only the first existed (it's on the base package).
We tried to call the first of the files, the only one reachable under public, and we found that the request generates the other two files, the ones under jetty/work.
This explicit request leaves a trace on the nginx.access.log, easily greppable with

Code: Select all

grep --fixed-strings --ignore-case hostedlogin /opt/zimbra/log/access_log*

So we supposed that the existence of the second and third files is subordinate to a request of the first one.
But on the production environments, all the three files have been found, and no evidence on the logs of that request.
We store over a year of logs, and checked all of them.

Are we looking in the wrong place? Can someone point us in the right direction?