[Users] SpamAssassin Security Vulnerability
Randy Leiker
randy at skywaynetworks.com
Tue Mar 30 21:02:25 CEST 2021
Hi Everyone,
I just wanted to give you a heads-up on a security vulnerability in SpamAssassin that was publicly disclosed a couple of days ago. It has a CVSS score of 9.8 out of 10, so it is significant: https://nvd.nist.gov/vuln/detail/CVE-2020-1946
Zimbra includes an integrated version of SpamAssassin (SA), so it will require a Zimbra patch from Synacor to properly fix. But, if you have external mail filtering gateways that sit in front of Zimbra that use SA, you will want to consider patching this vulnerability during your next earliest maintenance window. It was discussed on today's Zeta Alliance Call, and John Hurley, head of support at Zimbra, is going to bring this topic up in an internal meeting to discuss their response plan. I suspect Zimbra will need to do an out-of-band patch in early April to mitigate this vulnerability since 9.0 Patch 13 and 8.8.15 Patch 20 are scheduled to be released around mid-week, so there will not be enough time to include this fix in these finalized patches.
In brief, a security researcher discovered that versions of SA prior to 3.4.5 trust filtering rules (.cf files) too much, thereby allowing an attacker to insert rules for distribution to SA users that will execute system commands without any indication that an exploit has taken place. It is essentially a supply chain attack similar to what has been widely reported in the media with the evolving SolarWinds incident and the proof-of-concept attacks involving the npm and PyPI repos ( https://arstechnica.com/gadgets/2021/03/more-top-tier-companies-targeted-by-new-type-of-potentially-serious-attack/ ). In the days since the public disclosure of this vulnerability, attackers are likely hard at work identifying commonly used SA rule repos that they can alter in an attempt to carry out widespread breaches.
As a temporary mitigation, if you do not have the ability to patch SA on your external mail gateways, or while awaiting a patch for the vulnerability from Zimbra, you could temporarily disable SA rule updates. In Zimbra, SA updates can be disabled using the "antispam_enable_rule_updates" parameter detailed here: https://wiki.zimbra.com/wiki/Anti-spam_Strategies . Of course, this comes with the downside of potentially reducing the effectiveness of SA as new spamming campaigns appear.
Randy Leiker ( randy at skywaynetworks.com )
Skyway Networks, LLC
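Editor's added example (not code from the post above, from SpamAssassin or from Zimbra): the post's point is that a rule feed is executable content that was being trusted blindly, and that the only stopgap on a gateway you cannot patch is to stop pulling rules. A middle ground for an external gateway is to stage each downloaded rule set in a holding directory and diff it against the last reviewed copy before it is moved into place. The script below does that review: it reports added, removed and changed .cf files, lists the directive lines that changed, and flags two things a legitimate rule feed should never need, a new "loadplugin" line (which loads a Perl module, i.e. arbitrary code) and a Perl regex code block "(?{ ... })" inside a rule pattern. Those two heuristics are the editor's assumptions about what deserves a human look; the post does not say which construct the CVE itself abused, and the directory layout, file names and rule text are constructed for the demonstration.

```python
"""Review a staged SpamAssassin rule update before it goes live.

Added example for this thread; not code from the original post, from
SpamAssassin or from Zimbra. Assumes the operator keeps a directory of
known-good, already-reviewed .cf files and stages freshly downloaded rules
in a second directory. All sample rules below are constructed.
"""
import difflib
import re
import tempfile
from pathlib import Path

# Review heuristics (editor's assumptions, not a description of CVE-2020-1946):
#  - "loadplugin" loads a Perl module, i.e. arbitrary code; a rule feed should not add one.
#  - Perl regex code blocks "(?{ ... })" / "(??{ ... })" run Perl when the pattern is
#    compiled; a spam-detection regex never needs them.
FLAG_PATTERNS = {
    "loadplugin directive": re.compile(r"^\s*loadplugin\b", re.IGNORECASE),
    "perl code block in regex": re.compile(r"\(\?\??\{"),
}


def rule_lines(path: Path) -> list[str]:
    """Directive lines only: drop comments and blanks so the diff is about rules."""
    lines = []
    for raw in path.read_text(encoding="utf-8", errors="replace").splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            lines.append(line)
    return lines


def flag_line(line: str) -> list[str]:
    """Names of every heuristic the given directive line trips."""
    return [name for name, rx in FLAG_PATTERNS.items() if rx.search(line)]


def review_update(known_good: Path, candidate: Path) -> dict:
    """Compare staged rules with the reviewed set.

    Returns {"added": [files], "removed": [files],
             "changed": {file: {"added_lines": [...], "removed_lines": [...]}},
             "flags": [(file, reason, line), ...]} where flags cover every line
    that is new relative to the reviewed set, including lines of new files.
    """
    old = {p.relative_to(known_good).as_posix(): p for p in known_good.rglob("*.cf")}
    new = {p.relative_to(candidate).as_posix(): p for p in candidate.rglob("*.cf")}
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)),
              "changed": {}, "flags": []}
    for name in sorted(new):
        old_lines = rule_lines(old[name]) if name in old else []
        new_lines = rule_lines(new[name])
        plus, minus = [], []
        # ndiff marks lines "+ ", "- ", "  " (unchanged) or "? " (intraline hint)
        for d in difflib.ndiff(old_lines, new_lines):
            if d.startswith("+ "):
                plus.append(d[2:])
            elif d.startswith("- "):
                minus.append(d[2:])
        if name in old and (plus or minus):
            report["changed"][name] = {"added_lines": plus, "removed_lines": minus}
        for line in plus:
            for reason in flag_line(line):
                report["flags"].append((name, reason, line))
    return report


def demo() -> dict:
    """Constructed sample: one reviewed file; a staged update that bumps a score,
    adds a rule whose regex carries a (harmless) code block, and adds a file
    that loads a plugin. Returns the review report."""
    root = Path(tempfile.mkdtemp(prefix="sa-review-"))
    good, cand = root / "known_good", root / "candidate"
    good.mkdir()
    cand.mkdir()
    (good / "local.cf").write_text("\n".join([
        "# reviewed local rules (constructed sample)",
        "header   LOCAL_SUBJ_TEST  Subject =~ /free money/i",
        "describe LOCAL_SUBJ_TEST  Subject mentions free money",
        "score    LOCAL_SUBJ_TEST  2.0", ""]))
    (cand / "local.cf").write_text("\n".join([
        "# staged update (constructed sample)",
        "header   LOCAL_SUBJ_TEST  Subject =~ /free money/i",
        "describe LOCAL_SUBJ_TEST  Subject mentions free money",
        "score    LOCAL_SUBJ_TEST  3.0",
        "body     LOCAL_CODEBLOCK  /offer(?{ 1 })/",  # the construct, not its body, is the point
        "score    LOCAL_CODEBLOCK  1.0", ""]))
    (cand / "extra.cf").write_text("\n".join([
        "loadplugin Mail::SpamAssassin::Plugin::Example /var/tmp/Example.pm",
        "describe   LOCAL_PLUGIN_RULE  constructed rule that depends on a new plugin", ""]))
    return review_update(good, cand)


if __name__ == "__main__":
    r = demo()
    print("added:", r["added"], "removed:", r["removed"], "changed:", sorted(r["changed"]))
    for f, why, line in r["flags"]:
        print(f"FLAG {f}: {why}: {line}")
```

In practice the candidate directory is wherever your sa-update wrapper downloads to, and the known-good directory is the copy the gateway is actually running; a non-empty "flags" list (or any "added" file) is the cue to hold the update for a human rather than install it. This is a review aid, not a substitute for upgrading to 3.4.5, and it does nothing for the Zimbra-bundled SA, where the post's localconfig switch is the available stopgap until Synacor ships the fix.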