[Users] SpamAssassin Security Vulnerability

Randy Leiker randy at skywaynetworks.com
Sat Apr 10 21:06:37 CEST 2021


To follow up on my earlier March 30th email below, Zimbra now has an updated version of SpamAssassin available (3.4.5) in the repos that resolves this security vulnerability. For the Zimbra 8.8.15 servers I manage, the fix appears to be contained in these packages:

zimbra-mta-components: 1.0.12-1 
zimbra-perl-mail-spamassassin: 3.4.5-1 
zimbra-spamassassin-rules: 1.0.0-1 

These updated packages should only need to be installed on your Zimbra server(s) where Postfix is running. It is not clear if a "zmcontrol restart" as the Zimbra user is required post-update, but it would be wise to ensure that any changes go into effect.

Also, if you earlier disabled the "antispam_enable_rule_updates" zmlocalconfig setting to mitigate the risk while awaiting a patch, do not forget to re-enable this setting again after you have your SpamAssassin version updated to 3.4.5.

Randy Leiker ( randy at skywaynetworks.com ) 
Skyway Networks, LLC 

From: "randy" <randy at skywaynetworks.com> 
To: "users" <users at lists.zetalliance.org> 
Sent: Tuesday, March 30, 2021 2:02:25 PM 
Subject: [Users] SpamAssassin Security Vulnerability 

Hi Everyone, 

I just wanted to give you a heads-up on a security vulnerability in SpamAssassin that was publicly disclosed a couple of days ago. It scores a CVSS score of 9.8 out of 10, so it is significant: https://nvd.nist.gov/vuln/detail/CVE-2020-1946

Zimbra includes an integrated version of SpamAssassin (SA), so it will require a Zimbra patch from Synacor to properly fix. But, if you have external mail filtering gateways that sit in front of Zimbra that use SA, you will want to consider patching this vulnerability during your next earliest maintenance window. It was discussed on today's Zeta Alliance Call, and John Hurley, head of support at Zimbra, is going to bring this topic up in an internal meeting to discuss their response plan. I suspect Zimbra will need to do an out-of-band patch in early April to mitigate this vulnerability since 9.0 Patch 13 and 8.8.15 Patch 20 are scheduled to be released around mid-week, so there will not be enough time to include this fix in these finalized patches. 

In brief, a security researcher discovered that versions of SA prior to 3.4.5 trust filtering rules (.cf files) too much, thereby allowing an attacker to insert rules for distribution to SA users that will execute system commands without indication that an exploit has taken place. It is essentially a supply chain attack similar to what has been widely reported in the media with the evolving SolarWinds incident and the proof of concept attacks involving the npm & PyPI repos (https://arstechnica.com/gadgets/2021/03/more-top-tier-companies-targeted-by-new-type-of-potentially-serious-attack/). In the days since the public disclosure of this vulnerability, attackers are likely hard at work identifying commonly used SA rule repos that they can alter in an attempt to carry out widespread breaches.

As a temporary mitigation, if you do not have the ability to patch SA on your external mail gateways, or while awaiting a patch for the vulnerability from Zimbra, you could temporarily disable SA rule updates. In Zimbra, SA updates can be disabled using the "antispam_enable_rule_updates" parameter detailed here: https://wiki.zimbra.com/wiki/Anti-spam_Strategies . Of course, this comes with the downside of potentially reducing the effectiveness of SA as new spamming campaigns appear.

Randy Leiker ( randy at skywaynetworks.com ) 
Skyway Networks, LLC 
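An added example, not part of Randy's posts or of Zimbra's own tooling: a small POSIX sh check for the two things the thread asks admins to verify, that the zimbra-perl-mail-spamassassin package is at the fixed 3.4.5 version and that the temporary rule-update mitigation has been switched back on. It assumes the package version is readable with rpm or dpkg-query and that zmlocalconfig reports antispam_enable_rule_updates as true or false; off a Zimbra host it falls back to constructed sample values.

```shell
#!/bin/sh
# Example check (not from the post or from Zimbra): is the installed
# SpamAssassin package at the fixed 3.4.5 release, and is the
# antispam_enable_rule_updates mitigation still switched off?

FIXED_SA_VERSION="3.4.5"

# Return 0 when package version $1 (e.g. "3.4.4-1" or "3.4.5-1") is at least
# FIXED_SA_VERSION. The Zimbra package revision after "-" is ignored and
# only numeric dotted components are compared (no "rc" suffixes), so this
# works in plain sh without GNU sort -V.
sa_version_is_fixed() {
    have=$(printf '%s' "$1" | cut -d- -f1)
    set -- $(printf '%s' "$have" | tr . ' ') 0 0 0
    h1=$1; h2=$2; h3=$3
    set -- $(printf '%s' "$FIXED_SA_VERSION" | tr . ' ') 0 0 0
    [ "$h1" -gt "$1" ] && return 0
    [ "$h1" -lt "$1" ] && return 1
    [ "$h2" -gt "$2" ] && return 0
    [ "$h2" -lt "$2" ] && return 1
    [ "$h3" -ge "$3" ]
}

# Classify the host. $1 = package version, $2 = current value of the
# antispam_enable_rule_updates key (assumed to be "true" or "false").
# Prints one of: PATCH_NEEDED, REENABLE_RULE_UPDATES, OK
assess() {
    if ! sa_version_is_fixed "$1"; then
        echo PATCH_NEEDED                 # still on a vulnerable SA build
    elif [ "$2" != "true" ]; then
        echo REENABLE_RULE_UPDATES        # patched, but mitigation left on
    else
        echo OK
    fi
}

# On a real Zimbra host (run as the zimbra user) read the live values;
# elsewhere use constructed sample values so the script runs offline.
PKG=zimbra-perl-mail-spamassassin
if command -v zmlocalconfig >/dev/null 2>&1 && command -v rpm >/dev/null 2>&1; then
    ver=$(rpm -q --qf '%{VERSION}-%{RELEASE}' "$PKG")
    upd=$(zmlocalconfig -m nokey antispam_enable_rule_updates)
elif command -v zmlocalconfig >/dev/null 2>&1 && command -v dpkg-query >/dev/null 2>&1; then
    ver=$(dpkg-query -W -f='${Version}' "$PKG")
    upd=$(zmlocalconfig -m nokey antispam_enable_rule_updates)
else
    ver="3.4.4-1"; upd="false"            # constructed sample values
fi
echo "$PKG $ver, rule updates=$upd: $(assess "$ver" "$upd")"
```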

