Thread: vulnerability issue

  1. #1
    Join Date: Dec 2007, Posts: 445

    vulnerability issue

    Hi,

    Last week our ISM sent me a vulnerability report of the Zimbra server and they found the below points which need to be addressed..

    1. "Deprecated SSL Protocol Usage - The remote service encrypts traffic using a protocol with known weaknesses"
    2. Weak Supported SSL Cipher Suites
    3. Web Server Uses Plain Text Authentication Forms
    4. "Remote DNS Resolver Uses Non-Random Ports - The remote name resolver (or the server it uses upstream) may be vulnerable to DNS cache poisoning."
    5. LDAP allows null bases


    Please suggest.

    Thanks

  2. #2
    Join Date: Nov 2006, Location: UK, Posts: 8,017

    So do you use self-signed SSL certs? Do you allow only HTTPS for web client connections? Is LDAP available from outside the firewall? Did the ISM test from internally or externally?

  3. #3
    Join Date: Dec 2007, Posts: 445

    hi.. thanks for the quick reply.

    So do you use self-signed SSL certs?

    --> For our other dotcom solution we are using a self-signed SSL cert, but not for the Zimbra console... for Zimbra we are only using the built-in SSL.

    Do you allow only HTTPS for web client connections?

    --> Yes, as per the architecture team we have to allow only HTTPS web client connections.

    Is LDAP available from outside the firewall?

    --> The Zimbra server is behind the firewall.. the LDAP port is not open to the external world.

    Did the ISM test from internally or externally?

    --> The ISM test has been done internally...

  4. #4
    Join Date: Nov 2006, Location: UK, Posts: 8,017

    Built-in SSL is a self-signed cert.. so if you want stronger encryption, purchase certs for your domains.

    If you go to http://<yourzimbraserver> does it automatically redirect to https://<yourzimbraserver>?

    I would ask your ISM to test from externally as well.

  5. #5
    Join Date: Dec 2007, Posts: 445

    hmmmm... ok, we will purchase a certificate.. yeah, I'm sorry, for our dotcom solution we purchased a certificate.

    No.. when I type http it does not automatically redirect to https.

    Yep.. I know that by the standard way this testing should be done externally.

    And for the last 2 points they have given the below solution:

    4. "Remote DNS Resolver Uses Non-Random Ports - The remote name resolver (or the server it uses upstream) may be vulnerable to DNS cache poisoning." ----> Contact your DNS server vendor for a patch
    5. LDAP allows null bases ----> "Disable NULL BASE queries on your LDAP server"

    How to do that... and which DNS patch are they talking about.. any clue?

    thanks

  6. #6
    Join Date: Nov 2006, Location: UK, Posts: 8,017

    Have you ever run Wiki :: zmtlsctl to switch to HTTPS only?

    Do you have DNS installed on your ZCS server? If so, do you apply BIND updates from RedHat?
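A way to verify from the client side whether the switch to HTTPS-only took effect, as an added example that is not part of the thread: it inspects a raw HTTP response (what `curl -sI http://<yourzimbraserver>/` returns) and reports whether plain HTTP is redirected to https://. The sample responses and the hostname mail.example.com are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a raw HTTP response,
# as captured with `curl -sI http://<yourzimbraserver>/`, is a redirect to HTTPS.
# Returns 0 for a 301/302/303/307/308 whose Location starts with https://,
# 1 otherwise (a 200 carrying the login form means the plain-text
# authentication form from the report is still reachable).
is_https_redirect() {
    resp=$(printf '%s\n' "$1" | tr -d '\r')
    status=$(printf '%s\n' "$resp" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    location=$(printf '%s\n' "$resp" | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
    case "$status" in
        301|302|303|307|308) ;;
        *) return 1 ;;
    esac
    case "$location" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# One-line verdict; live use: check_server "$(curl -sI "http://$host/")"
check_server() {
    if is_https_redirect "$1"; then
        echo "OK: HTTP redirects to HTTPS"
    else
        echo "WARN: plain HTTP is still served (re-check the zmtlsctl mode)"
    fi
}

# Constructed sample responses, not captured from a real server.
PLAIN_LOGIN='HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Content-Length: 1234'
REDIRECT='HTTP/1.1 302 Found
Location: https://mail.example.com/
Content-Length: 0'
HTTP_ONLY_REDIRECT='HTTP/1.1 301 Moved Permanently
Location: http://mail.example.com/zimbra/'

check_server "$PLAIN_LOGIN"
check_server "$REDIRECT"
check_server "$HTTP_ONLY_REDIRECT"
```

Run it against each of your web-facing hostnames (not only the main one), since a redirect on one virtual host says nothing about the others.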

  7. #7
    Join Date: Dec 2007, Posts: 445

    hi,

    No, I never ran zmtlsctl on production, but yeah, on staging I did it on an older version; after that I was not able to access the web interface.. was getting "page cannot be displayed", but after the upgrade to 5.0.13 it's working... and tonight I'm thinking to test it on production to get https.

    Yes, we have configured the DNS server on Zimbra itself and right now it is using the below bind packages:

    [root@mail /]# rpm -qa | grep bind
    bind-utils-9.3.3-10.el5
    bind-chroot-9.3.3-10.el5
    bind-9.3.3-10.el5
    bind-libs-9.3.3-10.el5
    ypbind-1.19-8.el5
    [root@mail /]#

    Do I need to update it??

  8. #8
    Join Date: Nov 2006, Location: UK, Posts: 8,017

    Yep, as on CentOS5 I am running
    Code:
    bind-utils-9.3.4-6.0.3.P1.el5_2
    bind-9.3.4-6.0.3.P1.el5_2
    bind-chroot-9.3.4-6.0.3.P1.el5_2
    bind-libs-9.3.4-6.0.3.P1.el5_2

  9. #9
    Join Date: Dec 2007, Posts: 445

    thanks...

    Ok, I will discuss the SSL and bind update with the PL and get it done.

    And what about LDAP?? Or shall I ignore this warning as Zimbra is behind the firewall... please suggest..

  10. #10
    Join Date: Nov 2006, Location: UK, Posts: 8,017

    Ask IPM for a recommendation on how they would resolve it. Though, as your server is behind a firewall, then IMHO... I have done nothing on my server. You could even set up iptables on your ZCS server if you really wanted to and protect LDAP from internal probing as well.
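One way to do what is suggested here, restricting the LDAP port to the hosts that actually need it so an internal scan can no longer reach it, as an added example that is not part of the thread. It assumes Zimbra's default LDAP port (TCP 389) and an allow-list of your own addresses; the addresses used below are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): emit iptables rules that allow the Zimbra
# LDAP port (TCP 389, the default) only from loopback and an allow-list of
# sources, log a trickle of anything else, then drop it. The rules are printed
# rather than applied so they can be reviewed first; `ldap_rules ... | sh` as
# root applies them, and `service iptables save` persists them on RHEL/CentOS 5.
LDAP_PORT=389

ldap_rules() {
    # $@ = allowed sources (hosts or CIDRs): other ZCS nodes, admin subnet, etc.
    # Services on this box reach their own address via the lo interface, so keep it.
    echo "iptables -A INPUT -i lo -p tcp --dport $LDAP_PORT -j ACCEPT"
    for src in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $LDAP_PORT -s $src -j ACCEPT"
    done
    # Rate-limited LOG so internal probes (like the ISM's scan) show up in syslog.
    echo "iptables -A INPUT -p tcp --dport $LDAP_PORT -m limit --limit 5/min -j LOG --log-prefix \"LDAP-PROBE: \""
    echo "iptables -A INPUT -p tcp --dport $LDAP_PORT -j DROP"
}

# Number of ACCEPT lines produced for a given allow-list (loopback + one per source),
# handy as a sanity check before piping the output to sh.
accept_count() {
    ldap_rules "$@" | grep -c -- '-j ACCEPT'
}

# Constructed allow-list: a second ZCS node and the admin workstation subnet.
ldap_rules 192.0.2.10 198.51.100.0/24
```

Order matters: the ACCEPT rules must precede the DROP, which `ldap_rules` guarantees, but if you already have an INPUT chain with a catch-all rule, insert these above it with `-I` instead of `-A`.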
