[Users] Last security patch
Info Zeta Alliance
info at zetalliance.org
Tue Mar 19 13:12:21 CET 2019
The theory here:
https://blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html
is to have the Zimbra application make requests to itself via the proxy
servlet, bypassing a firewall filter for port 7071 and memcached.
If tint0's exploits work, then a port-based firewall does not filter it.
However, the IMAP one is already patched, right.
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P7
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P3
This is actually why one wants to have automatic upgrades, that also
restart services if needed.
Kind regards,
Barry de Graaff
Zeta Alliance
Co-founder & Developer
zetalliance.org | github.com/Zimbra-Community
Signal: +31 617 220 227
Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0
----- Original Message -----
From: "David Touitou" <david at network-studio.com>
To: "Victor d'Agostino" <d.agostino.victor at gmail.com>
Cc: "users" <users at lists.zetalliance.org>
Sent: Tuesday, 19 March, 2019 12:55:33
Subject: Re: [Users] Last security patch
Hi.
> One of the Zimbra security recommendations is to block incoming memcache
> connection from anywhere else than Zimbra servers.
This was initially to avoid using Zimbra's memcached for DDoS.
https://www.cloudflare.com/learning/ddos/memcached-ddos-attack/
> Is Zimbra vulnerable if memcache service is filtered by iptables ?
From my understanding of the blog post, the memcached injection could be done through ProxyServlet, even if it is shown through direct HTTP injection into memcached.
Quoting: "Zimbra has quite a few SSRFs in itself, however there's only one place that suffices both conditions, and it happens to be the all-powerful ProxyServlet earlier."
So it looks like it is vulnerable even if filtered.
David
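Added example, not code from Zimbra or from anyone in this thread: the point both messages make is that an iptables rule on 7071 and memcached only sees connections arriving from outside, while a server-side proxy endpoint opens its connections from the server itself, so the destination has to be validated in the application. The function below is the shape that check takes for a generic proxy endpoint. The hostnames, addresses, and the memcached port 11211 (its default) are assumptions for the example; nothing here is Zimbra's own configuration or API.

```python
import ipaddress
from urllib.parse import urlsplit

# Ports the thread says are protected at the network layer: the admin
# port 7071 (from the thread) and memcached on its default 11211 (assumed).
BLOCKED_PORTS = {7071, 11211}
ALLOWED_SCHEMES = {"http", "https"}

# Constructed name table standing in for DNS so the example runs offline.
# Python's ipaddress treats the RFC 5737 documentation ranges as private,
# so the "public" sample addresses are deliberately chosen outside them.
FAKE_DNS = {
    "mail.example.org": "93.184.216.34",   # the server's own public address (constructed)
    "cdn.example.net": "93.184.215.14",    # an unrelated external host (constructed)
    "localhost": "127.0.0.1",
}


def resolve(host, table=FAKE_DNS):
    """Return an ip_address for a literal IP or a name from the constructed table."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    if host not in table:
        raise ValueError(f"unresolvable host: {host}")
    return ipaddress.ip_address(table[host])


def is_internal(ip, self_addresses):
    """True for loopback, RFC 1918, link-local, multicast, or the server's own addresses."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_unspecified or ip in self_addresses)


def check_proxy_target(url, self_addresses=(), table=FAKE_DNS):
    """Decide whether a server-side proxy may fetch `url`.

    Returns (allowed, reason). The network firewall never sees this
    connection (it originates on the server), so scheme, port, and the
    resolved address are all checked here before any socket is opened.
    """
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError as exc:
        return False, f"malformed URL: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if not parts.hostname:
        return False, "no host in URL"
    if port in BLOCKED_PORTS:
        return False, f"port {port} is reserved for a firewall-protected service"
    try:
        ip = resolve(parts.hostname, table)
    except ValueError as exc:
        return False, str(exc)
    own = {ipaddress.ip_address(a) for a in self_addresses}
    if is_internal(ip, own):
        return False, f"{parts.hostname} resolves to internal address {ip}"
    return True, f"{parts.hostname} -> {ip}:{port}"


if __name__ == "__main__":
    server_ips = ["93.184.216.34"]
    for u in ("http://localhost:7071/", "http://127.0.0.1:11211/",
              "http://[::1]/", "http://mail.example.org/", "https://cdn.example.net/x"):
        print(u, check_proxy_target(u, self_addresses=server_ips))
```

Two details matter in practice: the proxy must connect to the address it validated rather than resolving the name a second time (otherwise a DNS answer that changes between check and connect defeats the test), and if it follows redirects, every hop's target goes through the same function. Note also that `mail.example.org` is refused only when the server's own addresses are supplied; a check that forgets the server's public address still lets the application be pointed at itself.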