Page 10 of 24

Re: CVE-2019-9670 being actively exploited

Posted: Fri May 10, 2019 9:20 am
by Bittone
Hi guys,
first of all: many thanks for the contributors to this topic, I was one of the lazy stupids that did not patch in time and got hacked.
Now I have a question: what if the attacker has dumped the whole ldap tree , complete with usernames and passwords?
How strong is password encryption in Zimbra?
Thanks
A.T.

Re: CVE-2019-9670 being actively exploited

Posted: Fri May 10, 2019 12:09 pm
by gabrieles
Bittone wrote:complete with usernames and passwords?

The only cleartext passwords that zimbra stores on a file are those on /opt/zimbra/conf/localconfig.xml. And are the passwords that let access the ldap. And you can change them in no time with zmldappasswd
Passwords are not stored anywhere. Only salted hashes. Having only the hashes is hard (but not impossible) get back the passwords. You have crack it offline, but with distributed tools like john the ripper, it's not so hard.
You have all the time to tell you users to change their pwd.

If you stored a passwords.txt file with zimbra:zimbra rights on /opt/zimbra with all your cleartext passwords, well this could be worse

Re: CVE-2019-9670 being actively exploited

Posted: Fri May 17, 2019 8:58 am
by Bittone
Hi Gabrieles,
yes I knew that much, my only concern is that I did not find a reference to what hashing algorithm is currently used by Zimbra (8.7.xx).
Thanks you

A.T.

Re: CVE-2019-9670 being actively exploited

Posted: Fri May 17, 2019 10:12 am
by lucadevac
Hi all, and thank you for this great thread. Actually we have got some trouble with this CVE.

On an our server (8.7.11) that I have just patched with the latest patch (8.7.11_P11) just right 2 fuc_ing days ago.
Maybe i think that the attacked got me a couple of day before the patch.

We have already cleanup the system and reset all the password, as per your previous indication (like this great post did: https://lorenzo.mile.si/zimbra-cve-2019 ... ction/961/)
but for a reason that i really can't understand we still get 403 error when we try to access to both frontend and backend (:7071).

Any clue of what could be done in order to debug or fix that problem?
Because from the /opt/zimbra/log i can't get any valid ideas of debugging.

Thank you.

Re: CVE-2019-9670 being actively exploited

Posted: Fri May 17, 2019 12:03 pm
by lucadevac
If i login into the administrative interface with the URL:

https://MYDOMAIN:7071/zimbraAdmin/

I can enter into the administrative panel.
But if I try to enter with the URL:

https://MYDOMAIN:7071

or only

https://MYDOMAIN

i always receive 403 error.
Also if, from the administrative area I try to see the mailbox, that open that URL:

https://MYDOMAIN:8443/mail?adminPreAuth=1

this time I get a 404 error.

It's look like something missing from a webserver point of view.
Any clue?

Re: CVE-2019-9670 being actively exploited

Posted: Fri May 17, 2019 12:10 pm
by Klug
Are the zimbraPublicService* variables set for your domain(s)?

Re: CVE-2019-9670 being actively exploited

Posted: Fri May 17, 2019 12:26 pm
by lucadevac
yes they are:

zmprov mcf zimbraPublicServicePort 443
zmprov mcf zimbraPublicServiceProtocol https
zmprov mcf zimbraPublicServiceHostname MYDOMAIN

Re: CVE-2019-9670 being actively exploited

Posted: Fri May 17, 2019 1:10 pm
by Klug
These are domain specific variables, not global.
You should set them for each domain.

zimbraPublicServiceHostname should be a FQDN, something like webmail.mydomain.tld.

Re: CVE-2019-9670 being actively exploited

Posted: Fri May 17, 2019 1:20 pm
by lucadevac
Yes MYDOMAIN is something like "mail.MYDOMAIN.COM". so FQDN.

But i can't understand what you mean with "global" set of zimbraPublic* value
Please, can you point me to the right command to do that?

thank you

Re: CVE-2019-9670 being actively exploited

Posted: Fri May 17, 2019 1:26 pm
by lucadevac
Because from there (https://wiki.zimbra.com/wiki/Enabling_Z ... _memcached) i see:

This command sets mail.domain.com as the public hostname to be used for access to all domains in the Zimbra directory:
zmprov mcf zimbraPublicServiceHostname mail.domain.com

so it's look like global already. Or not?