CVE-2019-9670 being actively exploited

yeeP6rai
Posts: 15
Joined: Mon Feb 12, 2018 10:16 am

Re: CVE-2019-9670 being actively exploited

Postby yeeP6rai » Tue Apr 09, 2019 8:46 pm

maxxer wrote:
yeeP6rai wrote: Yes... Thanks

Along with them I also found some .class files with the same basename as the .java files.

I found .class files too.


srekkas
Posts: 1
Joined: Thu Apr 11, 2019 9:28 am

Re: CVE-2019-9670 being actively exploited

Postby srekkas » Thu Apr 11, 2019 9:30 am

What about these files

140975184 380 -rw-r----- 1 zimbra zimbra 387528 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/login_jsp.java
134466281 116 -rw-r----- 1 zimbra zimbra 115258 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/launchZCS_jsp.java
140991166 8 -rw-r----- 1 zimbra zimbra 5248 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/Resources_jsp.java
141005691 8 -rw-r----- 1 zimbra zimbra 4232 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/Boot_jsp.java
141408461 12 -rw-r--r-- 1 zimbra zimbra 11325 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/Offline_jsp.java
141444302 32 -rw-r--r-- 1 zimbra zimbra 31401 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/error_jsp.java
1208114647 32 -rw-r----- 1 zimbra zimbra 29461 Apr 10 11:59 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbraAdmin/org/apache/jsp/public_/admin_jsp.java
1208114649 8 -rw-r----- 1 zimbra zimbra 5248 Apr 10 11:59 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbraAdmin/org/apache/jsp/public_/Resources_jsp.java
1208137772 8 -rw-r----- 1 zimbra zimbra 4232 Apr 10 11:59 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbraAdmin/org/apache/jsp/public_/Boot_jsp.java
maxxer
Advanced member
Posts: 136
Joined: Fri Oct 04, 2013 2:12 am

Re: CVE-2019-9670 being actively exploited

Postby maxxer » Fri Apr 12, 2019 2:41 am

srekkas wrote:What about these files

I don't know if they're original zimbra files or not, but I think so.

Someone in IRC (can't recall exactly who) raised the problem that some original Zimbra JSP files were touched by the infection, and it was suggested to use the package manager to verify file integrity. While I don't recall if the discussion went on, I found a way to do that for Ubuntu and RHEL.

For the first

# Quote the glob so the shell does not expand it against the current directory
apt install debsums
dpkg -l 'zimbra*' | grep '^ii' | awk '{print $2}' | xargs debsums -c


for the latter

# Third column of rpm -V output is the MD5 flag; '5' means the checksum changed
rpm -qa 'zimbra*' | xargs rpm -V | grep -E '^.{2}5'


They list all the files changed from the originally installed content. Some changes are legit, but there are changed files which remain unknown to me, like the _public ones above. On Ubuntu the output is shorter, while on RHEL (8.6) I get really a lot of files (js, zgz, properties...). Wondering if it's really useful.
yeeP6rai
Posts: 15
Joined: Mon Feb 12, 2018 10:16 am

Re: CVE-2019-9670 being actively exploited

Postby yeeP6rai » Fri Apr 12, 2019 7:51 pm

maxxer wrote:

rpm -qa zimbra* | xargs rpm -qV - | egrep -E '^.{2}5'

some correction

# Quote the glob so the shell does not expand it against the current directory
rpm -qa 'zimbra*' | xargs rpm -V | grep -E '^.{2}5'

Output codes:
S = File size changed
M = File mode changed
5 = MD5 checksum changed
L = Symlink changed
U = Owner changed
G = Group changed
T = Modification time changed
c = it is a configuration file that has changed
missing = file is gone.
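The flag columns listed above are easier to act on when the rpm -V output is filtered rather than read by eye. The script below is an added example, not code from this thread or from Zimbra. The rpm -V lines it parses are constructed sample input (the paths and results are invented for the demo); it assumes the standard rpm -V line layout of nine flag characters, whitespace, an optional file-type letter such as c or d, then the path, or the word "missing" followed by the path.

```shell
#!/bin/sh
# Added example, not from the thread: classify `rpm -V` style output by the
# flag columns listed above. Each line is either
#   <9 flag chars> <optional type letter c/d/g/l/r> <path>
# or
#   missing <optional type letter> <path>

# Constructed sample input; these paths and results are invented for the demo.
SAMPLE_RPM_V='S.5....T.    /opt/zimbra/jetty/webapps/zimbra/public/login.jsp
S.5....T.  c /opt/zimbra/conf/localconfig.xml
.......T.    /opt/zimbra/lib/ext/example.jar
missing      /opt/zimbra/jetty/webapps/zimbra/img/example.png
..5....T.  d /opt/zimbra/doc/README
.M.....T.    /opt/zimbra/bin/zmcontrol'

# Files whose MD5 checksum changed (3rd flag is 5), excluding config (c) and
# documentation (d) files, which legitimately differ after installation.
# Only a timestamp (T) or mode (M) change is not reported.
changed_checksums() {
    printf '%s\n' "$1" | awk '
        $1 == "missing" { next }
        substr($1, 3, 1) == "5" && $2 != "c" && $2 != "d" { print $NF }'
}

# Files the package database expects but that are gone from disk.
missing_files() {
    printf '%s\n' "$1" | awk '$1 == "missing" { print $NF }'
}

# Of the changed files, the ones that matter most here: JSP sources under the
# Jetty webapps tree, where posters in this thread report dropped JSP files.
changed_webapp_jsp() {
    changed_checksums "$1" | grep -E '^/opt/zimbra/jetty[^ ]*\.jsp$' || true
}

# Usage on a live host (not run here):
#   rpm -qa 'zimbra*' | xargs rpm -V > /tmp/rpm-verify.txt
#   changed_checksums "$(cat /tmp/rpm-verify.txt)"
#   changed_webapp_jsp "$(cat /tmp/rpm-verify.txt)"
```

Anything that comes out of changed_webapp_jsp deserves a look by hand before trusting the host; rpm -V only compares against the package manifest, so a JSP file that was added rather than modified will not appear in its output at all and still has to be found with find or by comparing the webapps tree against a clean install.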
Jgarcia
Posts: 1
Joined: Fri Apr 12, 2019 6:28 pm

Re: CVE-2019-9670 being actively exploited

Postby Jgarcia » Fri Apr 12, 2019 11:02 pm

Hi,

How do you know if your server is still vulnerable after applying the patch?

I read the "A Saga of Code Executions on Zimbra" post and it mentioned running a command to check the deserialization RCE (zmprov gs `zmhostname` zimbraMemcachedClientServerList). No value should be returned, is that right?

Thank you for the information.
kclo2000
Posts: 2
Joined: Wed Apr 10, 2019 4:58 pm

Re: CVE-2019-9670 being actively exploited

Postby kclo2000 » Sun Apr 14, 2019 7:21 am

Other than applying the patch, is there any workaround that can be applied to the platform?

There is some suggestion of filtering "service/proxy" at the Nginx proxy. Is it enough?
I observed that the hacker will place a jsp file on the mailbox server. If we change the folder ownership of /opt/zimbra/jetty/webapps/zimbra to another user like zimbraweb while the web application runs as zimbra, the zimbra account only has read/execute permission. Will it prevent the hacker from uploading files to the platform?
halfgaar
Advanced member
Posts: 82
Joined: Sat Sep 13, 2014 12:54 am
Location: Netherlands
ZCS/ZD Version: Release 8.8.12.GA.3794.UBUNTU16.64

Re: CVE-2019-9670 being actively exploited

Postby halfgaar » Sun Apr 21, 2019 11:09 pm

I was looking into the possibility of setting HTTP auth on Nginx. It would have to be such that /dav/ is exempt, because Android carddav and caldav can't work with HTTP logins.

/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template is rather complex though.

I may also set up an Nginx proxy on another server.

I will post back when I have something useful.
tin
Posts: 11
Joined: Wed Jan 17, 2018 2:32 am

Re: CVE-2019-9670 being actively exploited

Postby tin » Mon Apr 22, 2019 4:42 am

Can anyone give a quick description of how this exploit happens?
Does it require a valid authenticated user to happen?
phoenix
Ambassador
Posts: 26218
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: CVE-2019-9670 being actively exploited

Postby phoenix » Mon Apr 22, 2019 6:17 am

tin wrote:Can anyone give a quick description of how this exploit happens?
Does it require a valid authenticated user to happen?
The second and third posts in this thread have some links in them that give you descriptions of this exploit, you should read them.
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
maxxer
Advanced member
Posts: 136
Joined: Fri Oct 04, 2013 2:12 am

Re: CVE-2019-9670 being actively exploited

Postby maxxer » Mon Apr 22, 2019 6:39 am

tin wrote:Can anyone give a quick description of how this exploit happens?
Does it require a valid authenticated user to happen?


If you have a vulnerable Zimbra installation you're vulnerable; you cannot add mitigation (probably only a WAF could do something). There are several links in the thread with the full history of the exploit, and the Zimbra blog also has references.
