Difference between revisions of "Mitigate CVE-2022-27925 on Nginx"

(Created page with "{{BC|Certified}} __FORCETOC__ <div class="col-md-12 ibox-content"> = Mitigate CVE-2022-27925 on Nginx = <hr> {{KB|{{WIP}}|{{ZCS 9.0}}|{{ZCS 8.8}}}} <hr> ====Problem==== ZCS...")
 
m
 
Line 12: Line 12:
  
  
Accessing the below webmail URL of a vulnerable system returns a "500 Server Error".  
+
Accessing the following URL returns "500 Server Error", however the request succeeds on un-patched systems.  
 
  <nowiki>curl https://</nowiki><span style="color:red">mail.example.com</span><nowiki>/service/extension/backup/mboximport</nowiki>
 
  <nowiki>curl https://</nowiki><span style="color:red">mail.example.com</span><nowiki>/service/extension/backup/mboximport</nowiki>
 
   
 
   
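Review bot: The revised sentence above the curl command no longer says which systems return "500 Server Error", and "the request succeeds on un-patched systems" reads as contradicting a 500 response. The removed wording tied the 500 to a vulnerable system; suggest keeping that link explicit so an administrator can tell from the response whether the host still needs the mitigation.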
Line 29: Line 29:
 
====Solution====
 
====Solution====
  
On the old ZCS versions, we have to modify Nginx templates on proxy servers to mitigate "'''CVE-2022-27925"'''.  
+
To mitigate this, Nginx templates on proxy servers have to modified.  
  
  
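Review bot: The added Solution sentence reads "have to modified", which is missing "be". It also drops the CVE identifier that the removed line carried, so "To mitigate this" has no antecedent inside the Solution section; suggest "To mitigate CVE-2022-27925, the Nginx templates on proxy servers have to be modified."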
Line 38: Line 38:
  
  
'''2)'''  Modify both admin templates and the following location block at the end before closing the server block.   
+
'''2)'''  Modify the admin templates by adding the following location block just before the end of the server block.   
 +
 
 +
'''Admin template files''':
 +
/opt/zimbra/conf/nginx/templates/nginx.conf.web.admin.default.template
 +
/opt/zimbra/conf/nginx/templates/nginx.conf.web.admin.template
 +
 
 
  -------------------
 
  -------------------
 
     location ^~ /service/extension/backup/mboximport
 
     location ^~ /service/extension/backup/mboximport
Line 46: Line 51:
 
  -------------------
 
  -------------------
  
 
'''Admin template files''':
 
/opt/zimbra/conf/nginx/templates/nginx.conf.web.admin.default.template
 
/opt/zimbra/conf/nginx/templates/nginx.conf.web.admin.template
 
  
  
For a better understanding take a look at the following screenshots of the new location block.
+
The following screenshots show the entries before and after modification.
  
 
: '''Default entry before modification:'''
 
: '''Default entry before modification:'''
Line 64: Line 65:
  
  
'''3)'''  Now modify the following HTTP and HTTPS templates, and add the same new location block at the end before the last '''"include"''' line.  
+
'''3)'''  Now modify the HTTP and HTTPS templates and add the same new location block at the end before the last '''"include"''' line.  
  
 
'''HTTP and HTTPS template files:'''  
 
'''HTTP and HTTPS template files:'''  

Latest revision as of 13:08, 23 August 2022

Mitigate CVE-2022-27925 on Nginx


   KB 24469        Last updated on 2022-08-23  





Problem

ZCS versions before 8.8.15 Patch 31 and 9.0.0 Patch 24 are vulnerable to "CVE-2022-27925".


Accessing the following URL returns "500 Server Error"; however, the request succeeds on unpatched systems.

curl https://mail.example.com/service/extension/backup/mboximport

<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 500 Server Error</title>
</head>
<body><h2>HTTP ERROR 500</h2>
<p>Problem accessing /service/extension/backup/mboximport. Reason:
<pre>Server Error</pre></p>
</body>
</html>


Solution

To mitigate this, the Nginx templates on proxy servers have to be modified.


1) Take a backup of the current templates directory "/opt/zimbra/conf/nginx/templates".

sudo cp -pvr /opt/zimbra/conf/nginx/templates /opt/zimbra/conf/nginx/templates.`date +%Y%m%d%H%M%S`.bak 


2) Modify the admin templates by adding the following location block just before the end of the server block.

Admin template files:

/opt/zimbra/conf/nginx/templates/nginx.conf.web.admin.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.admin.template
-------------------
    location ^~ /service/extension/backup/mboximport
    {
        return 404;
    }
-------------------


The following screenshots show the entries before and after modification.

Default entry before modification:
CVE-2022-27925 image1.PNG
After modification:
CVE-2022-27925 image2.PNG


3) Now modify the HTTP and HTTPS templates and add the same new location block at the end before the last "include" line.

HTTP and HTTPS template files:

/opt/zimbra/conf/nginx/templates/nginx.conf.web.http.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.http.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template


Default entry before modification:
CVE-2022-27925 image3.PNG
After modification:
CVE-2022-27925 image4.PNG


4) Restart Proxy and Memcache services.

su - zimbra
zmproxyctl restart
zmmemcachedctl restart 


5) After applying these changes, requests for mboximport return a 404 error.

curl https://mail.example.com/service/extension/backup/mboximport

<html>
<head> <title>404 Not Found</title> </head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
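
A check for steps 2 to 5, as an added example that is not part of the original article or of Zimbra's tooling: it audits the six template files for an uncommented mboximport location block that returns 404. The function names and the sample templates are constructed for illustration.

```bash
# Added example (not Zimbra tooling): audit the templates from steps 2 and 3.
TEMPLATES="nginx.conf.web.admin.default.template nginx.conf.web.admin.template
nginx.conf.web.http.default.template nginx.conf.web.http.template
nginx.conf.web.https.default.template nginx.conf.web.https.template"

# has_block FILE: succeed only if FILE holds an uncommented mboximport
# location block containing "return 404;" (brace may be on the next line).
has_block() {
    awk '
        /^[ \t]*#/ { next }
        !inblk && $1 == "location" && $2 == "^~" &&
            $3 == "/service/extension/backup/mboximport" { inblk = 1 }
        inblk && /return[ \t]+404[ \t]*;/ { found = 1 }
        inblk && index($0, "}") { inblk = 0 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# audit_templates DIR: print a status per template; the return code is the
# number of templates that are absent or lack the block (0 = all mitigated).
audit_templates() {
    dir=$1; bad=0
    for name in $TEMPLATES; do
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; bad=$((bad + 1))
        elif has_block "$dir/$name"; then
            echo "OK       $name"
        else
            echo "NO BLOCK $name"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# make_sample DIR SKIP: write constructed templates; SKIP gets no block.
make_sample() {
    for name in $TEMPLATES; do
        printf 'server\n{\n    listen 8080;\n' > "$1/$name"
        [ "$name" = "$2" ] || printf '    location ^~ %s\n    {\n        return 404;\n    }\n' \
            /service/extension/backup/mboximport >> "$1/$name"
        printf '}\n' >> "$1/$name"
    done
}

# Demo on constructed files; on a proxy host pass the real templates directory.
demo_dir=$(mktemp -d)
make_sample "$demo_dir" nginx.conf.web.https.template
audit_templates "$demo_dir" || echo "$? template(s) still need the block"
rm -rf "$demo_dir"
```

On a proxy server, `audit_templates /opt/zimbra/conf/nginx/templates` run before step 4 shows which of the six files still lack the block.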


Submitted by: Heera Singh Koranga
Verified Against: Date Created:
Article ID: https://wiki.zimbra.com/index.php?title=Mitigate_CVE-2022-27925_on_Nginx Date Modified: 2022-08-23


