STARTTLS Plaintext Command Injection

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
eranga
Posts: 22
Joined: Sat Sep 13, 2014 3:20 am

STARTTLS Plaintext Command Injection

Postby eranga » Wed Jun 01, 2016 7:18 am

One server we maintain has zimbra 8.0.7.GA.6021.UBUNTU12.64 version. The customer has done a vulnerability assessment through a third party and they have given a report with following error (Other issues were known for me and I have done the workarounds).

It was observed that the remote mail service allows plaintext command injection while negotiating an encrypted communications channel, when received following responses for respective commands sent in single packets,
Request:
nessus1 STARTTLS\r\nessus2 CAPABILITY\r\n
Response:
The following two responses were received.
nessus1 OK begin TLS negotiation now
nessus2 OK CAPABILITY completed

Request:
STLS\r\nCAPA\r\n
Response:
+OK Begin TLS negotiation
+OK Capability list follows


Their recommend is following

It is recommended to contact the vendor and check for an update considering the following.

-The STARTTLS implementation in Postfix 2.4.x before 2.4.16, 2.5.x before 2.5.12, 2.6.x before 2.6.9, and 2.7.x before 2.7.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a clear text command that is processed after TLS is in place, related to a "plaintext command injection" attack.

-Also Postfix stable release 2.10.0 is available. As of now, Postfix 2.6 is no longer updated.


Are there any resolutions for this?


Uma Shankar
Zimbra Employee
Zimbra Employee
Posts: 40
Joined: Wed Jun 01, 2016 5:01 am

Re: STARTTLS Plaintext Command Injection

Postby Uma Shankar » Wed Jun 01, 2016 2:07 pm

Hi,

Can you please do an upgrade to the latest release of ZCS i.e ZCS 8.6 and apply the patch6.

Postfix has been upgraded to 2.11 in the latest release.

Also, you can trying disabling SSLV2 and SSLV3 on the server and then check.

postconf -e smtpd_tls_protocols='!SSLv2,!SSLv3'
postconf -e smtpd_tls_mandatory_protocols='!SSLv2,!SSLv3'
zmmtactl restart
User avatar
quanah
Zimbra Alumni
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm
Contact:

Re: STARTTLS Plaintext Command Injection

Postby quanah » Wed Jun 01, 2016 3:06 pm

eranga wrote:
Are there any resolutions for this?


Yes, upgrade to a current release of Zimbra.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
User avatar
ppearl
Zimbra Employee
Zimbra Employee
Posts: 114
Joined: Thu May 15, 2014 7:36 am

Re: STARTTLS Plaintext Command Injection

Postby ppearl » Wed Jun 01, 2016 3:59 pm

quanah wrote:
eranga wrote:Are there any resolutions for this?

Yes, upgrade to a current release of Zimbra.


Definitely upgrade. There are numerous other security related fixes that you're missing out on if you're still on 8.0.7.

You might be interested in keeping an eye on the following:

Return to “Administrators”

Who is online

Users browsing this forum: Google [Bot] and 15 guests