[Users] SpamAssassin Security Vulnerability

Omar Mochtar iomarmochtar at gmail.com
Mon Apr 12 12:19:42 CEST 2021


Hi Randy,

Thank you for the information. Honestly, I almost missed this important thing.

On Sun, Apr 11, 2021 at 2:07 AM Randy Leiker <randy at skywaynetworks.com>
wrote:

> Everyone,
>
> To follow-up on my earlier March 30th email below, Zimbra now has an
> updated version of SpamAssassin available (3.4.5) in the repos that
> resolves this security vulnerability.  For the Zimbra 8.8.15 servers I
> manage, the fix appears to be contained in these packages:
>
> zimbra-mta-components: 1.0.12-1
> zimbra-mta-patch: 8.8.15.1617770195.p20-1.r7
> zimbra-perl-mail-spamassassin: 3.4.5-1
> zimbra-spamassassin-rules: 1.0.0-1
>
> These updated packages should only need to be installed on your Zimbra
> server(s) where Postfix is running.  It is not clear if a "zmcontrol
> restart" as the Zimbra user is required post update, but it would be wise,
> to ensure that any changes go into effect.
>
> Also, if you earlier disabled the "antispam_enable_rule_updates"
> zmlocalconfig setting to mitigate the risk while awaiting a patch, do not
> forget to re-enable this setting again, after you have your SpamAssassin
> version updated to 3.4.5.
>
>
> Randy Leiker ( randy at skywaynetworks.com )
> Skyway Networks, LLC
>
>
> ------------------------------
> *From: *"randy" <randy at skywaynetworks.com>
> *To: *"users" <users at lists.zetalliance.org>
> *Sent: *Tuesday, March 30, 2021 2:02:25 PM
> *Subject: *[Users] SpamAssassin Security Vulnerability
>
> Hi Everyone,
>
> I just wanted to give you a heads-up on a security vulnerability in
> SpamAssassin that was publicly disclosed a couple of days ago.  It has a
> CVSS score of 9.8 out of 10, so it is significant:
> https://nvd.nist.gov/vuln/detail/CVE-2020-1946
>
> Zimbra includes an integrated version of SpamAssassin (SA), so it will
> require a Zimbra patch from Synacor to properly fix.  But, if you have
> external mail filtering gateways that sit in front of Zimbra that use SA,
> you will want to consider patching this vulnerability during your next
> earliest maintenance window.  It was discussed on today's Zeta Alliance
> Call, and John Hurley, head of support at Zimbra, is going to bring this
> topic up in an internal meeting to discuss their response plan.  I suspect
> Zimbra will need to do an out-of-band patch in early April to mitigate this
> vulnerability since 9.0 Patch 13 and 8.8.15 Patch 20 are scheduled to be
> released around mid-week, so there will not be enough time to include this
> fix in these finalized patches.
>
> In brief, a security researcher discovered that versions of SA prior to
> 3.4.5 trust filtering rules (.cf files) too much, thereby allowing an
> attacker to insert rules for distribution to SA users that will execute
> system commands without indication that an exploit has taken place.  It is
> essentially a supply chain attack similar to what has been widely reported
> in the media with the evolving Solar Winds incident and the proof of
> concept attacks involving the npm & PyPI repos (
> https://arstechnica.com/gadgets/2021/03/more-top-tier-companies-targeted-by-new-type-of-potentially-serious-attack/
> ).  In the days since the public disclosure of this vulnerability,
> attackers are likely hard at work identifying commonly used SA rule repos
> that they can alter in an attempt to carry out widespread breaches.
>
> As a temporary mitigation, if you do not have the ability to patch SA on
> your external mail gateways, or while awaiting a patch for the
> vulnerability from Zimbra, you could temporarily disable SA rule updates.
> In Zimbra SA updates can be disabled using the
> "antispam_enable_rule_updates" parameter detailed here:
> https://wiki.zimbra.com/wiki/Anti-spam_Strategies.  Of course, this
> comes with the downside of potentially reducing the effectiveness of SA as
> new spamming campaigns appear.
>
>
> Randy Leiker ( randy at skywaynetworks.com )
> Skyway Networks, LLC
>
>
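A post-patch verification script, added here as an example and not part of the thread or of Zimbra's own tooling: it compares an installed package list against the four package versions Randy names as carrying the SpamAssassin 3.4.5 fix, and tells the admin whether the "antispam_enable_rule_updates" workaround still needs to be re-enabled. The package listing is constructed sample data; feeding it from the real package manager, and the GNU `sort -V` ordering, are assumptions.

```sh
#!/bin/sh
# Added example (not from the mailing-list post). Verifies that the Zimbra
# 8.8.15 packages named in the thread are at or above the fixed versions.
# Assumes GNU "sort -V" for version ordering.

# Package versions the post reports as containing the fix.
FIXED_VERSIONS="zimbra-mta-components 1.0.12-1
zimbra-mta-patch 8.8.15.1617770195.p20-1.r7
zimbra-perl-mail-spamassassin 3.4.5-1
zimbra-spamassassin-rules 1.0.0-1"

# CONSTRUCTED sample of "name version" lines, e.g. derived from dpkg -l / rpm -qa
# (assumption); here the SpamAssassin package is still one release behind.
SAMPLE_INSTALLED="zimbra-mta-components 1.0.12-1
zimbra-mta-patch 8.8.15.1617770195.p20-1.r7
zimbra-perl-mail-spamassassin 3.4.4-1
zimbra-spamassassin-rules 1.0.0-1"

# version_ge A B: true when version A >= version B.
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | tail -n1)" = "$1" ]
}

# check_package NAME INSTALLED_LIST: prints OK, OUTDATED or MISSING.
check_package() {
    fixed=$(printf '%s\n' "$FIXED_VERSIONS" | awk -v p="$1" '$1==p {print $2}')
    inst=$(printf '%s\n' "$2" | awk -v p="$1" '$1==p {print $2}')
    if [ -z "$inst" ]; then echo MISSING
    elif version_ge "$inst" "$fixed"; then echo OK
    else echo OUTDATED; fi
}

# patched_for_cve_2020_1946 INSTALLED_LIST: returns 0 only if all four are OK.
patched_for_cve_2020_1946() {
    rc=0
    for name in zimbra-mta-components zimbra-mta-patch \
                zimbra-perl-mail-spamassassin zimbra-spamassassin-rules; do
        status=$(check_package "$name" "$1")
        echo "$name: $status"
        [ "$status" = OK ] || rc=1
    done
    return $rc
}

# rule_updates_advice PATCHED(0=yes) SETTING(true|false): what to do with the
# antispam_enable_rule_updates workaround described in the thread.
rule_updates_advice() {
    if [ "$1" -eq 0 ] && [ "$2" = false ]; then echo RE_ENABLE_RULE_UPDATES
    elif [ "$1" -ne 0 ] && [ "$2" = true ]; then echo DISABLE_RULE_UPDATES_UNTIL_PATCHED
    else echo NO_ACTION; fi
}

if patched_for_cve_2020_1946 "$SAMPLE_INSTALLED"; then p=0; else p=1; fi
echo "advice: $(rule_updates_advice "$p" false)"
```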