Mitigate CVE-2022-27925 on Nginx



   KB 24469        Last updated on 2022-08-23  





Problem

ZCS versions before 8.8.15 Patch 31 and 9.0.0 Patch 24 are vulnerable to "CVE-2022-27925".


Accessing the following URL returns "500 Server Error"; however, the request succeeds on unpatched systems.

curl https://mail.example.com/service/extension/backup/mboximport

<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 500 Server Error</title>
</head>
<body><h2>HTTP ERROR 500</h2>
<p>Problem accessing /service/extension/backup/mboximport. Reason:
<pre>Server Error</pre></p>
</body>
</html>


Solution

To mitigate this, the Nginx templates on the proxy servers have to be modified.


1) Take a backup of the current templates directory "/opt/zimbra/conf/nginx/templates".

sudo cp -pvr /opt/zimbra/conf/nginx/templates /opt/zimbra/conf/nginx/templates.`date +%Y%m%d%H%M%S`.bak 


2) Modify the admin templates by adding the following location block just before the end of the server block.

Admin template files:

/opt/zimbra/conf/nginx/templates/nginx.conf.web.admin.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.admin.template
-------------------
    location ^~ /service/extension/backup/mboximport
    {
        return 404;
    }
-------------------


The following screenshots show the entries before and after modification.

Default entry before modification: [screenshot: CVE-2022-27925 image1.PNG]
After modification: [screenshot: CVE-2022-27925 image2.PNG]


3) Now modify the HTTP and HTTPS templates and add the same new location block at the end before the last "include" line.

HTTP and HTTPS template files:

/opt/zimbra/conf/nginx/templates/nginx.conf.web.http.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.http.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template


Default entry before modification: [screenshot: CVE-2022-27925 image3.PNG]
After modification: [screenshot: CVE-2022-27925 image4.PNG]


4) Restart Proxy and Memcache services.

su - zimbra
zmproxyctl restart
zmmemcachedctl restart 


5) After applying these changes, requests for mboximport return a 404 error.

curl https://mail.example.com/service/extension/backup/mboximport

<html>
<head> <title>404 Not Found</title> </head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
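
A check for steps 2 and 3, added here as an example and not part of the original Zimbra article: it confirms that each of the six template files listed above contains an uncommented mboximport location block that returns 404. The function names, status labels and matching logic are assumptions of this example.

```shell
#!/bin/sh
# Added example: check that every proxy template carries the mitigation block.
# File names and the location block come from steps 2 and 3 above; the
# function names and matching logic are assumptions of this example.

TEMPLATES="nginx.conf.web.admin.default.template
nginx.conf.web.admin.template
nginx.conf.web.http.default.template
nginx.conf.web.http.template
nginx.conf.web.https.default.template
nginx.conf.web.https.template"

# has_block FILE: succeed only if FILE has an uncommented
# "location ^~ /service/extension/backup/mboximport" block with "return 404;".
has_block() {
    awk '
        /^[ \t]*#/ { next }    # a commented-out block does not count
        /^[ \t]*location[ \t]+\^~[ \t]+\/service\/extension\/backup\/mboximport([ \t{]|$)/ { inblk = 1 }
        inblk && /return[ \t]+404[ \t]*;/ { found = 1 }
        inblk && /[}]/ { inblk = 0 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# check_templates DIR: print one status line per template and return 1 if
# any template is absent or lacks the block.
check_templates() {
    rc=0
    for t in $TEMPLATES; do
        if [ ! -f "$1/$t" ]; then
            echo "MISSING-FILE $t"; rc=1
        elif has_block "$1/$t"; then
            echo "OK $t"
        else
            echo "NO-BLOCK $t"; rc=1
        fi
    done
    return $rc
}

# Run against a directory given as the first argument, for example
# /opt/zimbra/conf/nginx/templates (the path used in step 1).
if [ "$#" -gt 0 ]; then
    check_templates "$1"
fi
```

Running it after step 3 and before the restart in step 4 catches a template that was skipped or edited only in a comment.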


Submitted by: Heera Singh Koranga
Verified Against: Date Created:
Article ID: https://wiki.zimbra.com/index.php?title=Mitigate_CVE-2022-27925_on_Nginx Date Modified: 2022-08-23


