Zimbra 8.0.2 major security hole?

ditto
Posts: 15
Joined: Fri Sep 12, 2014 11:46 pm


Postby ditto » Tue Feb 12, 2013 2:54 am

I think I might have discovered a security hole in Zimbra 8.0.2 but I'm not sure how to validate it...
When a user is set to global admin, spammers seem to be able to relay spam using zmpost WITHOUT a password. The logs show sasl_method=LOGIN successes but I don't think auth is really happening. I've tried changing the password to a strong 20+ character password that has never been used before and literally seconds later spammers are still using the account. There is no way they could brute force it that fast. If I change the password back to the original and disable the global admin on the account it completely stops. I see spammers attempting to use the account repeatedly but auth fails and locks the account at that point. Some details on my setup:
My mail server sits behind a firewall on a private IP and I forward ports 25/143/587/993 to it only. Webmail is forwarded via apache's proxypass.

I require TLS auth to relay mail. The accounts in question use unique strong passwords that exist only for email and are NOT being used for other web accounts.

My admin interface is only available locally, not to the general internet.

I've run zimbra for ~6 years like this with absolutely no issues until upgrading to 8.0.2. It's happened twice since then. Both times it took a few days after adding global admin to a user before spammers found the accounts and started using them. I currently have one global admin set up on a dedicated account with a fake internal-only domain. That should be a lot harder for them to figure out, but neither I nor anyone else is in any way safe if this is in fact going on.
Has anyone else seen this? Any ideas how this might be happening if it's not an exploit? Ideas on how to debug this without allowing spammers to relay mail through me and watching?


uxbod
Ambassador
Posts: 7811
Joined: Fri Sep 12, 2014 10:21 pm


Postby uxbod » Tue Feb 12, 2013 5:45 am

Could you post an excerpt from mailboxd.log so we can see what is happening please?
ditto
Posts: 15
Joined: Fri Sep 12, 2014 11:46 pm


Postby ditto » Tue Feb 12, 2013 11:13 am

Do you mean mailbox.log? I don't have a mailboxd.log.
Here is one example of what I see in my logs. Identifying info has been replaced.
mailbox.log (I use my external LDAP server and auth fails):
2013-02-11 16:01:23,369 WARN [qtp1758906091-30430:https://192.168.0.11:7071/service/admin/soap/] [name=myadmin@mydomain.com;ip=192.168.0.11;] account - ldap auth for domain mydomain.com failed, fall back to zimbra default auth mechanism
com.zimbra.cs.account.AccountServiceException$AuthFailedServiceException: authentication failed for [myadmin@mydomain.com]
ExceptionId:qtp1758906091-30430:https://192.168.0.11:7071/service/admin/soap/:1360616483369:b37fc02faa03907a
Code:account.AUTH_FAILED
/var/log/maillog.log (You can see the message being sent!):
Feb 11 16:01:23 mail postfix/smtpd[18129]: BA5C6123355: client=host196-99-static.107-82-b.business.telecomitalia.it[82.107.99.196], sasl_method=LOGIN, sasl_username=myadmin@mydomain.com
Feb 11 16:01:24 mail postfix/cleanup[16987]: BA5C6123355: message-id=
Feb 11 16:01:24 mail postfix/qmgr[6586]: BA5C6123355: from=, size=3427, nrcpt=1 (queue active)
Feb 11 16:01:24 mail postfix/smtpd[18350]: connect from localhost[127.0.0.1]
Feb 11 16:01:24 mail postfix/smtpd[18350]: 79A9E12335C: client=localhost[127.0.0.1]
Feb 11 16:01:24 mail postfix/cleanup[16987]: 79A9E12335C: message-id=
Feb 11 16:01:24 mail postfix/smtpd[18350]: disconnect from localhost[127.0.0.1]
Feb 11 16:01:24 mail postfix/qmgr[6586]: 79A9E12335C: from=, size=3885, nrcpt=1 (queue active)
Feb 11 16:01:24 mail postfix/smtp[16988]: BA5C6123355: to=, relay=127.0.0.1[127.0.0.1]:10026, delay=0.98, delays=0.84/0/0/0.14, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10029): 250 2.0.0 Ok: queued as 79A9E12335C)
Feb 11 16:01:24 mail postfix/qmgr[6586]: BA5C6123355: removed
Feb 11 16:01:24 mail postfix/smtpd[18129]: disconnect from host196-99-static.107-82-b.business.telecomitalia.it[82.107.99.196]
/var/log/zimbra.log (more detail):
Feb 11 16:01:21 mail postfix/smtpd[18129]: connect from host196-99-static.107-82-b.business.telecomitalia.it[82.107.99.196]
Feb 11 16:01:21 mail postfix/smtpd[18129]: Anonymous TLS connection established from host196-99-static.107-82-b.business.telecomitalia.it[82.107.99.196]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Feb 11 16:01:22 mail saslauthd[6597]: zmauth: authenticating against elected url 'https://mail.internaldomain:7071/service/admin/soap/' ...
Feb 11 16:01:23 mail zmconfigd[5909]: Fetching All configs
Feb 11 16:01:23 mail zmconfigd[5909]: All configs fetched in 0.03 seconds
Feb 11 16:01:23 mail saslauthd[6597]: zmpost: url='https://mail.internaldomain:7071/service/admin/soap/' returned buffer->data='http://www.w3.org/2003/05/soap-envelope"> xmlns="urn:zimbra">0_b38989b768e2c04155f8c84a21dd6ce39701b57a_69643d33363a34616437666665342d626138302d343235662d613033302d6632373035323064323631383b6578703d31333a313336303738393238333337313b76763d313a313b747970653d363a7a696d6272613b172800000serenity soap:Body>', hti->error=''
Feb 11 16:01:23 mail saslauthd[6597]: auth_zimbra: myadmin@mydomain.com auth OK
Feb 11 16:01:23 mail postfix/smtpd[18129]: NOQUEUE: filter: RCPT from host196-99-static.107-82-b.business.telecomitalia.it[82.107.99.196]: : Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from= to= proto=ESMTP helo=
Feb 11 16:01:23 mail postfix/smtpd[18129]: BA5C6123355: client=host196-99-static.107-82-b.business.telecomitalia.it[82.107.99.196], sasl_method=LOGIN, sasl_username=myadmin@mydomain.com
Feb 11 16:01:24 mail zmconfigd[5909]: Watchdog: service antivirus status is OK.
Feb 11 16:01:24 mail zmconfigd[5909]: All rewrite threads completed in 0.00 sec
Feb 11 16:01:24 mail zmconfigd[5909]: All restarts completed in 0.00 sec
Feb 11 16:01:24 mail postfix/cleanup[16987]: BA5C6123355: message-id=
Feb 11 16:01:24 mail postfix/qmgr[6586]: BA5C6123355: from=, size=3427, nrcpt=1 (queue active)
Feb 11 16:01:24 mail amavis[1135]: (01135-14) ESMTP:[127.0.0.1]:10026 /opt/zimbra/data/amavisd/tmp/amavis-20130211T085440-01135-r3MPZO4L: -> Received: from mail.internaldomain ([127.0.0.1]) by localhost (mail.internaldomain [127.0.0.1]) (amavisd-new, port 10026) with ESMTP for ; Mon, 11 Feb 2013 16:01:24 -0500 (EST)
Feb 11 16:01:24 mail amavis[1135]: (01135-14) Checking: nCmEud-lmNKQ ORIGINATING [82.107.99.196] ->
Feb 11 16:01:24 mail postfix/smtpd[18350]: connect from localhost[127.0.0.1]
Feb 11 16:01:24 mail postfix/smtpd[18350]: 79A9E12335C: client=localhost[127.0.0.1]
Feb 11 16:01:24 mail postfix/cleanup[16987]: 79A9E12335C: message-id=
Feb 11 16:01:24 mail opendkim[6606]: 79A9E12335C: no signing table match for 'myadmin@mydomain.com'
Feb 11 16:01:24 mail postfix/smtpd[18350]: disconnect from localhost[127.0.0.1]
Feb 11 16:01:24 mail postfix/qmgr[6586]: 79A9E12335C: from=, size=3885, nrcpt=1 (queue active)
Feb 11 16:01:24 mail amavis[1135]: (01135-14) FWD from -> ,BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10029): 250 2.0.0 Ok: queued as 79A9E12335C
Feb 11 16:01:24 mail amavis[1135]: (01135-14) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [82.107.99.196]:2138 [82.107.99.196] -> , Queue-ID: BA5C6123355, Message-ID: , mail_id: nCmEud-lmNKQ, Hits: -, size: 3426, queued_as: 79A9E12335C, 136 ms
Feb 11 16:01:24 mail postfix/smtp[16988]: BA5C6123355: to=, relay=127.0.0.1[127.0.0.1]:10026, delay=0.98, delays=0.84/0/0/0.14, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10029): 250 2.0.0 Ok: queued as 79A9E12335C)
Feb 11 16:01:24 mail postfix/qmgr[6586]: BA5C6123355: removed
Feb 11 16:01:24 mail amavis[910]: (00910-06) ESMTP:[127.0.0.1]:10024 /opt/zimbra/data/amavisd/tmp/amavis-20130211T111056-00910-QlML1sjL: -> SIZE=3885 BODY=7BIT Received: from mail.internaldomain ([127.0.0.1]) by localhost (mail.internaldomain [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for ; Mon, 11 Feb 2013 16:01:24 -0500 (EST)
Feb 11 16:01:24 mail amavis[910]: (00910-06) Checking: vXBO6Cqw32Oa MYNETS [127.0.0.1] ->
Feb 11 16:01:24 mail postfix/smtpd[18129]: disconnect from host196-99-static.107-82-b.business.telecomitalia.it[82.107.99.196]
Feb 11 16:01:25 mail postfix/smtpd[16992]: connect from localhost[127.0.0.1]
Feb 11 16:01:25 mail postfix/smtpd[16992]: 6AE46123355: client=localhost[127.0.0.1]
Feb 11 16:01:25 mail postfix/cleanup[16987]: 6AE46123355: message-id=
Feb 11 16:01:25 mail postfix/smtpd[16992]: disconnect from localhost[127.0.0.1]
Feb 11 16:01:25 mail postfix/qmgr[6586]: 6AE46123355: from=, size=4275, nrcpt=1 (queue active)
Feb 11 16:01:25 mail amavis[910]: (00910-06) FWD from -> ,BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6AE46123355
Feb 11 16:01:25 mail amavis[910]: (00910-06) Passed CLEAN {RelayedOutbound}, MYNETS LOCAL [127.0.0.1]:43166 [82.107.99.196] -> , Queue-ID: 79A9E12335C, Message-ID: KAT-MID-00000024-0054-0045-0041-004d00002400@s2003.giordano.locale>, mail_id: vXBO6Cqw32Oa, Hits: -1.45, size: 3850, queued_as: 6AE46123355, 898 ms
Feb 11 16:01:25 mail postfix/smtp[18352]: 79A9E12335C: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=0.95, delays=0.05/0/0/0.9, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6AE46123355)
Feb 11 16:01:25 mail postfix/qmgr[6586]: 79A9E12335C: removed
Feb 11 16:01:26 mail postfix/smtp[18355]: 6AE46123355: to=, relay=fakerelay.com[1.2.3.4]:25, delay=0.68, delays=0.01/0.01/0.14/0.53, dsn=2.0.0, status=sent (250 OK BE/3A-27917-72C59115)
Feb 11 16:01:26 mail postfix/qmgr[6586]: 6AE46123355: removed
liverpoolfcfan
Outstanding Member
Posts: 943
Joined: Sat Sep 13, 2014 12:47 am


Postby liverpoolfcfan » Tue Feb 12, 2013 4:52 pm

Is it possible that this is the issue? "account - ldap auth for domain mydomain.com failed, fall back to zimbra default auth mechanism"
Is it possible that the fallback to zimbra auth is accepting no password as none has been set up locally for the users? Can you disable the local zimbra fallback for authentication?
ditto
Posts: 15
Joined: Fri Sep 12, 2014 11:46 pm


Postby ditto » Tue Feb 12, 2013 5:56 pm

I have no local users except the dedicated admin account, it's all my external ldap. Also in the webui "If fail, fall back to local password management" is disabled for the domain. Is there some value I can check from the CLI to see if that's actually doing anything?
speno
Advanced member
Posts: 56
Joined: Sat Sep 13, 2014 1:08 am


Postby speno » Wed Feb 13, 2013 7:41 am

It sounds like mail.log, which is generated from postfix. So you should be able to test this yourself directly by telnetting to postfix and issuing the commands for authentication to verify the issue you think you see.
I've seen spammers keep their SMTP connections open such that even if you lock a Zimbra account (or change the password), the spam continues to flow as the connection has already been authenticated. Restarting postfix in that case will stop it. That could also be happening in this case.
liverpoolfcfan
Outstanding Member
Posts: 943
Joined: Sat Sep 13, 2014 12:47 am


Postby liverpoolfcfan » Thu Feb 21, 2013 5:33 am

I found this KB article over on the VMware site. It seems we now have to search 2 sites to keep up to date ... ugh!
Basically it says that for admins, fallback is always in place, regardless of the fallback configuration setting. It would suggest that if your spammer found the originally configured local password for any admin (or none was configured) then they could authenticate. This is exactly the theory I had suggested earlier.
VMware KB: Zimbra user can authenticate with an incorrect external LDAP or AD password
speno
Advanced member
Posts: 56
Joined: Sat Sep 13, 2014 1:08 am


Postby speno » Thu Feb 21, 2013 8:25 am

There's now a patch kit for 8.0.2 and 7.2.2 that is marked as a security fix. No details are given and the bugzilla page is protected. I have no idea if this fixes the issue described here or not.
Network Edition Downloads: Enterprise Messaging and Collaboration Software by Zimbra
ditto
Posts: 15
Joined: Fri Sep 12, 2014 11:46 pm


Postby ditto » Thu Feb 21, 2013 6:50 pm

liverpoolfcfan wrote:
"I found this KB article over on the VMware site. It seems we now have to search 2 sites to keep up to date ... ugh!
Basically it says that for admins, fallback is always in place, regardless of the fallback configuration setting. It would suggest that if your spammer found the originally configured local password for any admin (or none was configured) then they could authenticate. This is exactly the theory I had suggested earlier.
VMware KB: Zimbra user can authenticate with an incorrect external LDAP or AD password"

That definitely appears to be what's going on. I re-enabled global admin on my user and was able to send mail using the regular password AND an old password for my dedicated admin account! My current dedicated admin account password did not work and neither did a blank password or no auth at all. I've *never* set a local password for my external auth admin. So it seems like it copies that from whatever local admin you happen to use to set it up at that time and never updates it.
I can't think of a single good reason why zimbraAuthFallbackToLocal should ever be ignored for admin accounts. You can't lock yourself out as it's super simple to add a local admin account if/when needed. There's also no way that I can tell to maintain the local password without using the CLI either. Am I missing something here?
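As an added example (not code from any poster in this thread or from Zimbra), here is a small Python detector for the pattern the logs earlier in the thread show and the KB article explains: an account whose external LDAP auth fails in mailbox.log ("fall back to zimbra default auth mechanism") but which saslauthd then reports as "auth OK" within a few seconds, meaning the admin-only local-password fallback accepted the login. The sample log lines are constructed to mirror the thread's excerpts; the client hostname, IP address and the alice account are made up.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the excerpts in this thread (not the poster's real logs).
MAILBOX_LOG = """\
2013-02-11 16:01:23,369 WARN [qtp1758906091-30430:https://192.168.0.11:7071/service/admin/soap/] [name=myadmin@mydomain.com;ip=192.168.0.11;] account - ldap auth for domain mydomain.com failed, fall back to zimbra default auth mechanism
2013-02-11 16:05:10,012 WARN [qtp1758906091-30431:https://192.168.0.11:7071/service/admin/soap/] [name=alice@mydomain.com;ip=192.168.0.11;] account - ldap auth for domain mydomain.com failed, fall back to zimbra default auth mechanism
"""
ZIMBRA_LOG = """\
Feb 11 16:01:23 mail saslauthd[6597]: auth_zimbra: myadmin@mydomain.com auth OK
Feb 11 16:01:23 mail postfix/smtpd[18129]: BA5C6123355: client=host.example.invalid[203.0.113.7], sasl_method=LOGIN, sasl_username=myadmin@mydomain.com
Feb 11 16:05:11 mail saslauthd[6597]: auth_zimbra: alice@mydomain.com auth failed
"""

FALLBACK_RE = re.compile(r"^(\S+ \S+) WARN .*\[name=([^;\]]+);.*ldap auth for domain \S+ failed, fall back")
SASL_OK_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ saslauthd\[\d+\]: auth_zimbra: (\S+) auth OK$")
SMTPD_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: client=\S+\[([\d.]+)\], sasl_method=\w+, sasl_username=(\S+)$")

def _syslog_ts(stamp, year):
    # syslog lines carry no year, so the caller supplies it
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def find_fallback_logins(mailbox_log, zimbra_log, year, window=timedelta(seconds=5)):
    """Return (user, fallback_time, client_ip) for each external-auth failure in mailbox.log
    that saslauthd nevertheless reported as 'auth OK' for the same user within `window`."""
    fallbacks = []
    for line in mailbox_log.splitlines():
        m = FALLBACK_RE.match(line)
        if m:  # drop the ",369" millisecond suffix before parsing
            ts = datetime.strptime(m.group(1)[:19], "%Y-%m-%d %H:%M:%S")
            fallbacks.append((ts, m.group(2)))
    sasl_ok, clients = [], {}
    for line in zimbra_log.splitlines():
        if (m := SASL_OK_RE.match(line)):
            sasl_ok.append((_syslog_ts(m.group(1), year), m.group(2)))
        elif (m := SMTPD_RE.match(line)):  # remember which client IP used the SASL login
            clients[(_syslog_ts(m.group(1), year), m.group(3))] = m.group(2)
    hits = []
    for fb_ts, user in fallbacks:
        for ok_ts, ok_user in sasl_ok:
            if ok_user == user and abs(ok_ts - fb_ts) <= window:
                ip = next((c for (cts, cu), c in clients.items() if cu == user and abs(cts - ok_ts) <= window), None)
                hits.append((user, fb_ts.isoformat(sep=" "), ip))
    return hits

if __name__ == "__main__":
    for user, when, ip in find_fallback_logins(MAILBOX_LOG, ZIMBRA_LOG, 2013):
        print(f"{when}: {user} failed external auth but was accepted by local fallback (client {ip})")
```

Any hit for an admin account whose local password was never deliberately set is exactly the stale-fallback case this thread describes, and is the account to reset or demote first.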
