Mitigate CVE-2022-27925 on Nginx: Difference between revisions
(Created page with "{{BC|Certified}} __FORCETOC__ <div class="col-md-12 ibox-content"> = Mitigate CVE-2022-27925 on Nginx = <hr> {{KB|{{WIP}}|{{ZCS 9.0}}|{{ZCS 8.8}}}} <hr> ====Problem==== ZCS...") |
mNo edit summary |
||
Line 12: | Line 12: | ||
Accessing the | Accessing the following URL returns "500 Server Error", however the request succeeds on un-patched systems. | ||
<nowiki>curl https://</nowiki><span style="color:red">mail.example.com</span><nowiki>/service/extension/backup/mboximport</nowiki> | <nowiki>curl https://</nowiki><span style="color:red">mail.example.com</span><nowiki>/service/extension/backup/mboximport</nowiki> | ||
Line 29: | Line 29: | ||
====Solution==== | ====Solution==== | ||
To mitigate this, Nginx templates on proxy servers have to modified. | |||
Line 38: | Line 38: | ||
'''2)''' Modify | '''2)''' Modify the admin templates by adding the following location block just before the end of the server block. | ||
'''Admin template files''': | |||
/opt/zimbra/conf/nginx/templates/nginx.conf.web.admin.default.template | |||
/opt/zimbra/conf/nginx/templates/nginx.conf.web.admin.template | |||
------------------- | ------------------- | ||
location ^~ /service/extension/backup/mboximport | location ^~ /service/extension/backup/mboximport | ||
Line 46: | Line 51: | ||
------------------- | ------------------- | ||
The following screenshots show the entries before and after modification. | |||
: '''Default entry before modification:''' | : '''Default entry before modification:''' | ||
Line 64: | Line 65: | ||
'''3)''' Now modify the | '''3)''' Now modify the HTTP and HTTPS templates and add the same new location block at the end before the last '''"include"''' line. | ||
'''HTTP and HTTPS template files:''' | '''HTTP and HTTPS template files:''' |
Latest revision as of 13:08, 23 August 2022
Mitigate CVE-2022-27925 on Nginx
Problem
ZCS versions before 8.8.15 Patch 31 and 9.0.0 Patch 24 are vulnerable to "CVE-2022-27925".
Accessing the following URL returns "500 Server Error", however the request succeeds on un-patched systems.
curl https://mail.example.com/service/extension/backup/mboximport
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 500 Server Error</title>
</head>
<body><h2>HTTP ERROR 500</h2>
<p>Problem accessing /service/extension/backup/mboximport. Reason:
<pre>Server Error</pre></p>
</body>
</html>
Solution
To mitigate this, Nginx templates on proxy servers have to modified.
1) Take a backup of current templates directory "/opt/zimbra/conf/nginx/templates".
sudo cp -pvr /opt/zimbra/conf/nginx/templates /opt/zimbra/conf/nginx/templates.`date +%Y%m%d%H%M%S`.bak
2) Modify the admin templates by adding the following location block just before the end of the server block.
Admin template files:
/opt/zimbra/conf/nginx/templates/nginx.conf.web.admin.default.template /opt/zimbra/conf/nginx/templates/nginx.conf.web.admin.template
------------------- location ^~ /service/extension/backup/mboximport { return 404; } -------------------
The following screenshots show the entries before and after modification.
3) Now modify the HTTP and HTTPS templates and add the same new location block at the end before the last "include" line.
HTTP and HTTPS template files:
/opt/zimbra/conf/nginx/templates/nginx.conf.web.http.default.template /opt/zimbra/conf/nginx/templates/nginx.conf.web.http.template /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
4) Restart Proxy and Memcache services.
su - zimbra zmproxyctl restart zmmemcachedctl restart
5) After applying these changes, requests for mboximport returns a 404 Error.
curl https://mail.example.com/service/extension/backup/mboximport
<html>
<head> <title>404 Not Found</title> </head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
Submitted by: Heera Singh Koranga |