Security Center: Difference between revisions

Revision as of 20:59, 20 December 2017


Zimbra Security - News & Alerts

Note: A security related FAQ and links to version specific security related settings can be found under Security/Collab.

ZWC affected by Mailsploit

All supported versions of Zimbra Web Client (ZWC) are affected by Mailsploit when zimbraPrefShortEmailAddress is set to TRUE (default).

The workaround is to set zimbraPrefShortEmailAddress to FALSE (if you are an administrator) for all users/classes-of-service. As an end user you can also control this setting by going to 'Preferences > Display names in place of email addresses when available' and deselecting the checkbox for this option (this is the end user control for the preference attribute mentioned above). This issue is being tracked as bug 108709.

8.7.10 Released with a fix for one vulnerability

The following vulnerabilities were fixed in ZCS 8.7.10:

  • bug 107878 CVE-2017-8783 Persistent XSS - location CWE-79
    Affects: All supported versions before 8.7.10
  • bug 107885 CVE-2017-8783 Persistent XSS - description CWE-79
    Affects: All supported versions before 8.7.10

Thank you to Stephan Kaag of Securify for reporting bug 107878!

8.7.6 Released with fixes for two vulnerabilities

The following vulnerabilities were fixed in ZCS 8.7.6:

  • bug 107712 CVE-2017-6821 Improper limitation of file paths CWE-22
    Affects: All supported versions before 8.7.6
  • bug 107684 CVE-2017-6813 Improper handling of privileges CWE-280
    Affects: ZCS 8.5.0 - 8.7.5

Limited XXE in ZCS < 8.7.4 (CVE-2016-9924)

A fix for a limited-capability XXE (CVE-2016-9924 / bug 106811) is included in release ZCS 8.7.4. This issue affects all supported versions of ZCS before 8.7.4.

A special thanks to Alastair Gray for taking the time to report this issue!

Multiple CSRF in Administration interface in ZCS < 8.7 (CVE-2016-3403)

The details of CVE-2016-3403 / bug 100899 (see also bug 100885) were publicly disclosed by Sysdream Labs on 2017-01-11.

Please note the fixes for the flaws were included as part of ZCS 8.7.0, which was released on 2016-07-13.

Thank you to Sysdream for your assistance and cooperation!

Ransomware targeting ZCS Servers

Lawrence Abrams of Bleeping Computer has reported that there is a new ransomware variant, written in Python, that is targeting ZCS server data under /opt/zimbra/store/.

At this point, no details have been provided about how any servers were compromised. Without any details, the best advice we can give is:

  • Get (and stay) up to date on OS version and patches.
  • Get (and stay) up to date on ZCS version and patches.
  • Ensure servers are properly firewalled (see Ports) and only allow access to the minimum number of services required to meet your business requirements.
  • Review and compare your system configuration against best practices like the CIS benchmarks.

Workaround: OpenSSL padding oracle in AES-NI CBC MAC check (CVE-2016-2107)

The 2016-05-03 announcement by OpenSSL regarding a padding oracle in the AES-NI CBC MAC check affects supported releases of ZCS 8.0-8.6.0 (via MTAs and Proxy).

We anticipate releasing 8.6.1 (and 8.7) with fixes for this issue, however if this issue is impacting your environment, the recommended workaround is covered in bug 104982. NOTE: in ZCS 8.7+ we are able to easily patch third party packages included with ZCS via package repos.

First, test that you are vulnerable with the following tool:
https://filippo.io/CVE-2016-2107/

  • Edit /opt/zimbra/.bash_profile - add the following to the end of user zimbra's .bash_profile (requires root privs):
    # workaround CVE-2016-2107
    export OPENSSL_ia32cap="~0x200000200000000"
  • Edit sudoers - add the following line to your sudoers (/etc/sudoers or whatever is appropriate for your platform):
    Defaults env_keep += "OPENSSL_ia32cap"
  • Configure postfix - instructs postfix to honor the desired environment variable:
    $ zmlocalconfig -e postfix_import_environment='OPENSSL_ia32cap'
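
To make the mask value above less opaque, here is an added example (not from the Zimbra page, OpenSSL or the linked blog) that decodes any OPENSSL_ia32cap mask into the CPUID feature bits it hides from OpenSSL; the feature table covers only a documented subset of bits.

```python
"""Added example: decode an OPENSSL_ia32cap value such as "~0x200000200000000".

OpenSSL treats OPENSSL_ia32cap as a 64-bit capability vector: bits 0-31 mirror
EDX and bits 32-63 mirror ECX of CPUID leaf 1. A leading "~" means the value is
a mask of bits to clear (AND-NOT against the detected vector), so the workaround
hides CPU features from OpenSSL's dispatcher rather than changing the CPU.
"""

# Subset of documented CPUID.1 feature bits as OpenSSL numbers them
# (EDX bit n -> n, ECX bit n -> 32 + n). Unmapped bits are reported by number.
FEATURE_BITS = {
    23: "MMX",
    25: "SSE",
    26: "SSE2",
    32: "SSE3",
    33: "PCLMULQDQ",
    41: "SSSE3",
    57: "AES-NI",
    60: "AVX",
}


def parse_ia32cap(value):
    """Return (clear_mask, vector): clear_mask for the "~" form, vector otherwise.

    Like OpenSSL (which uses strtoul), hex (0x...), octal (0...) and decimal
    are all accepted; Python's int(..., 0) handles the same prefixes.
    """
    value = value.strip()
    if value.startswith("~"):
        return int(value[1:], 0), None
    return None, int(value, 0)


def disabled_features(value):
    """Names of the features a "~" mask turns off, lowest bit first."""
    clear_mask, _ = parse_ia32cap(value)
    if clear_mask is None:
        raise ValueError("not a mask form (no leading ~): %r" % value)
    names = []
    for bit in range(64):
        if clear_mask >> bit & 1:
            names.append(FEATURE_BITS.get(bit, "bit%d" % bit))
    return names


def disables_aesni(value):
    """True when the mask clears bit 57 (AES-NI), the point of the workaround above."""
    return "AES-NI" in disabled_features(value)


if __name__ == "__main__":
    # The value from the workaround clears bit 57 (AES-NI) and bit 33 (PCLMULQDQ).
    print(disabled_features("~0x200000200000000"))
```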

A special thanks to Malte Stretz from our Gold Partner, Silpion, for his persistence and hard work to gather the information covered in this workaround! Also this article would be incomplete without mentioning that the original inspiration for this workaround came from https://mjanja.ch/2013/11/disabling-aes-ni-on-linux-openssl/.

In Brief: DROWN / Cross-protocol attack on TLS using SSLv2 (CVE-2016-0800)

The 2016-03-01 announcement by OpenSSL regarding DROWN via SSLv2 affects ZCS 8.0.x (via MTAs), but no other currently supported releases. See How to disable SSLv3, as it includes instructions on disabling SSLv2 and SSLv3. Additional info may also be found in bug 104130.

ZCS 8.6.0 Patch 5 availability

ZCS 8.6.0 Patch 5 is available (officially released Dec 21, 2015). Patch 5 includes fixes for five (5) CVEs (ref: Zimbra Security Advisories). Three of the CVE-IDs referenced in the patch come via 3rd party components shipped with ZCS. Please note, one of the fixed vulnerabilities is rated as major. See the blog post or the release notes (available from the downloads area) for additional notes on ZCS 8.6.0 Patch 5.

[Update: Feb 2, 2016]
If you cannot patch immediately, the XSS bug classified as major (bug 101435) can be worked around by either disabling or uninstalling (zmzimletctl undeploy) the com_zimbra_url (aka URL links) zimlet.

OpenSSL alternative chains certificate forgery (CVE-2015-1793)

Today's announcement by OpenSSL (https://www.openssl.org/news/secadv_20150709.txt) regarding alternative chains certificate forgery does not affect any Zimbra Collaboration releases.
Specifically, the latest Zimbra Collaboration 8.6 release ships with OpenSSL 1.0.1l, whereas this issue affects only OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.

A note on Logjam

There is a lot of chatter about Logjam - https://weakdh.org today.

At this time, the initial impact on Collab appears to be minimal and is limited to the MTA, specifically to possible setting changes, depending upon your environment.

Today we updated the MTA Ciphers section of our Collab 8.6 security wiki page. In short, for anyone concerned about the Logjam (cipher downgrade) style of MitM attacks, the use of 'export' and 'low' ciphers in Postfix should be avoided. Please note that Postfix, by default (http://www.postfix.org/postconf.5.html#smtp_tls_ciphers), allows use of lower ciphers. Changing these to 'medium' can reduce client interoperability and/or may cause some clients to fall back to cleartext communication instead of using lower-grade encryption.

As usual, there are trade-offs involved, but in the light of FREAK (https://freakattack.com) and Logjam (https://weakdh.org) attacks, it may also be argued that using ciphers lower than 'medium' is now potentially providing an illusion of security. With this in mind, our current recommendation is to avoid both 'export' and 'low' ciphers with the hope that complete deprecation of these ciphers will be coming soon.

Please visit https://wiki.zimbra.com/wiki/Security/Collab/86 to keep up with our latest recommendations. Also, for those looking to strengthen their security posture, in Collab 8.7 we have a number of enhancements slated including the ability to strengthen DH params. A sneak preview of security related changes/enhancements in the works is available at https://wiki.zimbra.com/wiki/Security/Collab/87.

Lastly, for those with openssl 1.0.2 available, you may find this post from OpenSSL useful https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/


Update for 8.0.x customers: In Collab 8.0.x, Java 1.7 is used. Unfortunately, in Java 1.7 the DH parameters are hard-coded to 768 bits (except when using export cipher suites, which use 512 bits, but those should already be disabled). The workaround is to always use the (Nginx) Proxy. The other option is to disable all DHE suites, which has the side effect of losing forward secrecy for any user agents that do not support ECDHE (ref: http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html).

What the FREAK attack means to Zimbra

Zimbra is aware of a newly disclosed SSL/TLS vulnerability that gives a malicious actor a method to perform a Man-in-the-Middle (MitM) attack. The vulnerability is being referred to as FREAK (Factoring attack on RSA-EXPORT Keys) and is tracked as CVE-2015-0204.

The attack allows a malicious actor to force a downgrade of a secure connection to vulnerable, export-grade encryption (read: weak encryption). According to the Washington Post, the connection is downgraded to 512-bit encryption, the maximum allowed under the U.S. export controls in place during the 1990s. The Washington Post piece goes on to say that 512-bit encryption can be cracked today in approximately 7 hours using 75 computers, which can be rented from a cloud computing provider for approximately $100.

Matthew Green, cryptographer and research professor from Johns Hopkins, provided a Cliffs Notes version:

A group of cryptographers at INRIA, Microsoft Research and IMDEA have discovered some serious vulnerabilities in OpenSSL (e.g., Android) clients and Apple TLS/SSL clients (e.g., Safari) that allow a 'man in the middle attacker' to downgrade connections from 'strong' RSA to 'export-grade' RSA. These attacks are real and exploitable against a shocking number of websites -- including government websites. Patch soon and be careful.

In addition to Matthew Green's post and the Washington Post article, the freakattack.com site has additional information, including a list of the top domains still vulnerable, as well as a built in check of the browser used to surf to the site.

Zimbra Specifics

Zimbra ships with the OpenSSL library. At this time, Zimbra has assessed Zimbra Collaboration 8.x, 7.x and found no susceptibility to the FREAK attack in the servers. As there is a client side component to this attack, please verify that you are running the latest browsers/clients to lower the risk to this type of attack.

As part of our security program, Zimbra will continue to monitor all developments related to the FREAK vulnerability and update this post as needed.

GNU C Library Vulnerability — aka GHOST

Zimbra is aware of a Linux vulnerability, specifically the GNU C Library.

Details

The vulnerability appears to have been found by Qualys and disclosed in security advisory CVE-2015-0235. It should be noted that the vulnerability was patched in version 2.17 of the library, but at the time was not categorized as a security issue, leading many to keep running stable versions, i.e. vulnerable versions. This is an operating system vulnerability; at this time, and to the best of our knowledge, there are no known exploits against Zimbra's software related to CVE-2015-0235.

Recommendation

Zimbra recommends that anyone running Linux update their systems as soon as possible. Although Linux does not usually require a restart, one is recommended to ensure all underlying software services are patched.

Patches or acknowledgements

  • GNU C Library's upstream Git
  • Ubuntu
  • Debian
  • Red Hat
  • CentOS
  • SUSE

- Phil

Note: the original post was updated slightly to clarify the relationship between the vulnerability and the lack of known exploits against software shipped by Zimbra.

POODLE Revisited

We have received a few inquiries about the reported TLS protocol vulnerability via the POODLE attack. SSL/TLS services in ZCS come from OpenSSL and Java. This vulnerability does not affect OpenSSL (ref: http://www.mail-archive.com/openssl-users@openssl.org/msg75804.html) and Java is not known to be affected.

For anyone looking for more information, I recommend you look at https://www.imperialviolet.org/2014/12/08/poodleagain.html by Adam Langley.

Zimbra Collaboration Updates (8.0.9 & 8.5.1)

Zimbra Collaboration 8.0.9 and 8.5.1 are out with security updates, including the update to OpenSSL 1.0.1j. For those looking to disable SSLv3 remember to (re)visit https://wiki.zimbra.com/wiki/How_to_disable_SSLv3.

Find here extra details on the releases:

And, as always, don't forget to read the release notes.

The Shellshock Flaw

Zimbra is aware of, and has been closely monitoring, the developments of the Shellshock vulnerability. At this time, Zimbra has found no impact on our products, nor do we anticipate any. We have posted initial information on our main blog. Please head over to https://community.zimbra.com/zblogs/b/teamblog/archive/2014/09/25/the-shellshock-flaw for any updates related to this issue.

Security Advisory: Zimbra Community 8.x Security Vulnerability

Security is top of mind for everyone here at Zimbra, which is why we want to inform you that our team just discovered a security vulnerability in Zimbra Community 8.0 (formerly Telligent Community and Telligent Enterprise). The vulnerability is limited to a very specific scenario in which a user within Zimbra Community 8.0 is able to view a user password via a specific API call.

Summary: The Zimbra development team has identified a very specific scenario where a user’s password in Community 8 is stored insecurely.

Affected Versions: 8.0.0.37997 (unpatched), 8.0.1.39116

Vulnerability Scoring: CVSS: 1.4

Obtaining a fix: http://telligent.com/support/m/support/1354746.aspx

Details: The administrative feature to create users leverages non-public APIs that can force a user’s password to be inadvertently stored insecurely.

Reporter: Alex Crome (Zimbra)

When does this occur?

1. Creating a user through the control panel using Membership Administration (requires administrative privileges)

2. Could occur if a custom plugin was deployed that copied off the extended attributes on a create user event and in turn re-saved those attributes using the UpdateUser API (this is unlikely, but possible)

If you have any questions or would like assistance with applying the patch, please contact support.

This advisory was originally published here

Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)

20140606: Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)

On June 5, 2014 the OpenSSL project released a security advisory. CVE-2014-0224 can allow for a man-in-the-middle (MITM) attack to be carried out between a vulnerable client and vulnerable server. It is also important to note that Zimbra does not use DTLS nor do we have SSL_MODE_RELEASE_BUFFERS enabled.

The impact to Zimbra Collaboration Server is as follows:

  • ZCS 6 is not affected
  • ZCS 7 is not affected
  • ZCS 8 is affected

Specifically, nginx, postfix and OpenLDAP all link to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable.

If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html). Please upgrade to a newer version first, then run this patch.

Zimbra has produced a patch for the OpenSSL vulnerability for versions 8.0.3 to 8.0.7. The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:

  • ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7
  • ZCA versions 8.0.3 or 8.0.4

The following patch instructions must be done on a per server basis:

  • As zimbra user:
    zmcontrol stop
  • As root:
    cd /tmp
    wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh
    chmod a+rx zmopenssl-updater.sh
    ./zmopenssl-updater.sh
  • As zimbra user:
    zmcontrol start

After a successful patch, ZCS 8.0.7 will be running OpenSSL 1.0.1h. To verify this, run the following as the zimbra user:

openssl version

On an 8.0.7 patched system the result should be:

zimbra$ openssl version
OpenSSL 1.0.1h 5 Jun 2014

Earlier versions of ZCS will show other versions of OpenSSL - Zimbra patches the existing OpenSSL version appropriate to each ZCS version.

Continue to the next server and repeat the patch process.

Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.

Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.

Finally, please note that the various Operating Systems are also vulnerable to this issue. The Zimbra patch will not update OS-level openssl libraries. It only updates the openssl package in /opt/zimbra.

Critical Security Advisory and Builds/Patches for the OpenSSL Heartbleed Vulnerability

Overview

Zimbra Collaboration Server 8 is susceptible to the OpenSSL Heartbleed bug:

Specifically, nginx, postfix and OpenLDAP all link directly to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable. Only OpenSSL 1.0.1 and later are reported as being vulnerable.

Zimbra has produced an OpenSSL patch for versions 8.0.3 to 8.0.7. If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html), so please upgrade to a secure version first, then run this patch.

The patch is located here:

The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:

  • ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7
  • ZCA versions 8.0.3 or 8.0.4

Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.

Please note: this vulnerability is being reported as having existed and actively attacked since 2012. As such, the private SSL keys for your platform may already have been compromised. After patching, it is recommended to regenerate your SSL certificates and private keys. This is unfortunate, but the only way to ensure that an attacker cannot decrypt your SSL session data.

Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.

Finally, please note that the various Operating Systems are also vulnerable to this issue if running OpenSSL 1.0.1. The Zimbra patch will not update OS-level openssl libraries - it only updates the openssl package in /opt/zimbra. For example:

  • RHEL6_64 and UBUNTU12_64 both use OpenSSL 1.0.1 at the OS level and are affected
  • SLES11_64 and UBUNTU10_64 use OpenSSL 0.9.8 at the OS level, so are not affected

Patching

The steps to patch are the following:

(as root)
1) wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh
2) chmod a+rx zmopenssl-updater.sh
3) ./zmopenssl-updater.sh

The updater generates the following output:

 Downloading patched openssl
 Validating patched openssl: success
 Backing up old openssl: complete
 Installing patched openssl: complete
 OpenSSL patch process complete.
 Please restart Zimbra Collaboration Suite as the Zimbra user via zmcontrol restart

(as user zimbra)
4) su - zimbra
5) zmcontrol restart

Manual Patching

If you don’t have Internet access, manually installing the patch would require the following steps:

1) Download the appropriate openssl build:

(as root)
cd /tmp
wget the correct version, from this list:

The MD5 files are also available for verification purposes, here:


(as root)
2) cd /opt/zimbra
3) mv openssl-OLDVERSION openssl-OLDVERSION.brokenheart
4) tar xfz /tmp/openssl-NEWVERSION.tgz

(as user zimbra)
5) su - zimbra
6) zmcontrol restart

Zimbra Collaboration 8.0.7 Builds

Zimbra Collaboration Suite 8.0.7 - both the Network Edition and Open-Source Edition - have been rebuilt to include the fix for the OpenSSL Heartbleed Vulnerability.

If you haven't yet upgraded to 8.0.7, the current versions up on the Download site now disable TLS Heartbeat and protect against the OpenSSL Heartbleed Vulnerability:

In short:

OpenSSL Patch Update for ZCS 8.0.3 Only

If you patched for the OpenSSL Heartbleed vulnerability for Zimbra Collaboration Server 8.0.3 prior to Wed April 09, 2014, 11:00 Eastern/08:00 Pacific, you will need to re-patch.

Please note: this is ONLY for ZCS 8.0.3. All other patches were fine, but the 8.0.3 openssl builds were still vulnerable. Repeating, this is only for ZCS 8.0.3.

Here is how you can check your build version:
$ zmcontrol -v
(look for "8.0.3")

Please use the test methods below to confirm.

Testing

There are a few ways you can confirm if your system is vulnerable:

1. If running ZCS 8.0.7, check your version tarball for the build number 6021. For example:

2. If running ZCS 8.0.7, check zmcontrol for the build number:

# su - zimbra
$ zmcontrol -v
Release 8.0.7_GA_6021.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition.

3. If running any version of Zimbra Collaboration, check whether the libssl shared library is built with dtls1_heartbeat:

Vulnerable:
$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat
dtls1_heartbeat
$

Not Vulnerable:
$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat
$
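
Checks 2 and 3 above, combined into one script as an added example (this is not a Zimbra tool): it parses the zmcontrol -v release line for the 8.0.7 rebuild number and scans libssl.so for the dtls1_heartbeat symbol without needing strings(1). The release line and the two fake library files in _demo() are constructed sample data.

```python
"""Added example, not a Zimbra tool: automate checks 2 and 3 from the Testing section.

Check 2 parses the `zmcontrol -v` release line and compares the build number with
the rebuilt 8.0.7 build (6021). Check 3 scans libssl.so for the `dtls1_heartbeat`
symbol name, which is only present when OpenSSL was built with TLS heartbeat
support; the scan is done in Python so strings(1) is not required. The release
line and the two fake library files in _demo() are constructed sample data.
"""
import os
import re
import tempfile

# Release line format from the page: "Release 8.0.7_GA_6021.RHEL6_64_20140408123937 ..."
RELEASE_RE = re.compile(r"Release (\d+\.\d+\.\d+)_[A-Z]+_(\d+)\.")
PATCHED_807_BUILD = 6021            # rebuilt, heartbeat-free 8.0.7 build number
HEARTBEAT_SYMBOL = b"dtls1_heartbeat"


def parse_release(line):
    """Return (version, build) from a zmcontrol -v release line, or None if unparseable."""
    m = RELEASE_RE.search(line)
    return (m.group(1), int(m.group(2))) if m else None


def is_patched_807(line):
    """Check 2: True only for ZCS 8.0.7 at or after build 6021."""
    parsed = parse_release(line)
    return parsed is not None and parsed[0] == "8.0.7" and parsed[1] >= PATCHED_807_BUILD


def libssl_has_heartbeat(path, chunk=1 << 20):
    """Check 3: True if the heartbeat symbol string occurs anywhere in the file.

    Reads in chunks and keeps a tail of len(symbol)-1 bytes so a match that
    straddles a chunk boundary is still found.
    """
    keep = len(HEARTBEAT_SYMBOL) - 1
    tail = b""
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                return False
            window = tail + block
            if HEARTBEAT_SYMBOL in window:
                return True
            tail = window[-keep:]


def assess(release_line, libssl_path, chunk=1 << 20):
    """Return (vulnerable, reason). The library scan decides; the build number is
    reported as supporting evidence on 8.0.7 systems."""
    if libssl_has_heartbeat(libssl_path, chunk):
        return True, "libssl.so contains dtls1_heartbeat"
    parsed = parse_release(release_line)
    note = ""
    if parsed and parsed[0] == "8.0.7":
        rel = ">=" if parsed[1] >= PATCHED_807_BUILD else "<"
        note = " (8.0.7 build %d %s %d)" % (parsed[1], rel, PATCHED_807_BUILD)
    return False, "no dtls1_heartbeat in libssl.so" + note


def _demo(chunk=1 << 20):
    """Run assess() against constructed data: one fake vulnerable and one fake fixed library."""
    release = "Release 8.0.7_GA_6021.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition."
    with tempfile.TemporaryDirectory() as d:
        vuln, fixed = os.path.join(d, "libssl-vuln.so"), os.path.join(d, "libssl-fixed.so")
        with open(vuln, "wb") as f:   # fake ELF-ish blob with the symbol present
            f.write(b"\x7fELF" + b"\x00" * 64 + b"ssl3_read_bytes\x00dtls1_heartbeat\x00")
        with open(fixed, "wb") as f:  # same blob with the symbol absent
            f.write(b"\x7fELF" + b"\x00" * 64 + b"ssl3_read_bytes\x00dtls1_read_bytes\x00")
        return assess(release, vuln, chunk), assess(release, fixed, chunk)


if __name__ == "__main__":
    for verdict in _demo():
        print(verdict)
```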


Please let Zimbra know promptly of any problems or questions.

Urgency on Security Fixes for Bug 80338 and Bug 84547

Bug 80338 (Feb 2013) is a Local File Inclusion vulnerability that leads to potential Privilege Escalation.

Bug 84547 is a XXE Vulnerability which, among other things, could be abused to disclose information from local files (Dec 2013):

There is great urgency for getting this patched on your platform, as there is an exploit for Bug 80338 in the wild, discussed here:

It has been used to install rogue Zimlets and bitcoin mining processes (and potentially others) on some customer systems. You can read about the clean-up steps for this here:

As noted, there are patches and upgrades available here:

Please let us know if you have further questions. Please upgrade or patch at the first opportunity. Sorry for the difficulties on this.


Zimbra Security Center

Zimbra is committed to providing a secure collaboration experience for our customers, partners, and users of our software.

"Watch" the Security Center pages to stay updated on Zimbra security related news.
