[Users] Last security patch

L Mark Stone lmstone at lmstone.com
Tue Mar 19 13:46:55 CET 2019


The tint0 article is a little too far above my understanding of programming, but if the article's IMAP exploit is addressed via current patches on 8.7.11 and 8.8.10/11, then all we need to worry about is the memcache issue.

And if I understand the article correctly (not sure I do, so asking here!), if I run:


zmprov gs `zmhostname` zimbraMemcachedClientServerList

on all my nodes and I get nothing in return, then the system is NOT vulnerable to the tint0 memcache exploit.

Is that correct?

Thanks,
Mark

_________________________________________________

Another Message From...   L. Mark Stone


________________________________
From: Users <users-bounces at lists.zetalliance.org> on behalf of Info Zeta Alliance <info at zetalliance.org>
Sent: Tuesday, March 19, 2019 8:12 AM
To: David Touitou
Cc: users
Subject: Re: [Users] Last security patch

The theory here
https://blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html


Is to have the Zimbra application make requests to itself via the proxy
servlet, bypassing a firewall filter for port 7071 and memcached.


If tint0 exploits work, then a port-based firewall does not filter it.

However, the IMAP one is already patched right.

https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P7
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P3

This is actually why one wants to have automatic upgrades, that also
restart services if needed.


Kind regards,

Barry de Graaff
Zeta Alliance
Co-founder & Developer
zetalliance.org | github.com/Zimbra-Community

Signal: +31 617 220 227
Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0


----- Original Message -----
From: "David Touitou" <david at network-studio.com>
To: "Victor d'Agostino" <d.agostino.victor at gmail.com>
Cc: "users" <users at lists.zetalliance.org>
Sent: Tuesday, 19 March, 2019 12:55:33
Subject: Re: [Users] Last security patch

Hi.

> One of the Zimbra security recommendations is to block incoming memcache
> connection from anywhere else than Zimbra servers.

This was initially to avoid using Zimbra's memcached for DDoS.
https://www.cloudflare.com/learning/ddos/memcached-ddos-attack/

> Is Zimbra vulnerable if memcache service is filtered by iptables ?

From my understanding of the blog post, the memcached injection could be done through ProxyServlet, even if it is shown through direct http injection into memcached.

Quoting: "Zimbra has quite a few SSRFs in itself, however there's only one place that suffices both conditions, and it happens to be the all-powerful ProxyServlet earlier."

So it looks like it is vulnerable even if filtered.

David
