Mitigate against user enumeration vulnerability

10119metux
Advanced member
Posts: 75
Joined: Sat Sep 13, 2014 2:29 am

Mitigate against user enumeration vulnerability

Postby 10119metux » Wed Aug 29, 2012 1:44 pm

Hi folks,
as some of you might already know, ZCS 7 is vulnerable to user enumeration attacks.
In short terms:
It's possible - without any prior authentication - to probe whether a certain user exists via SOAP calls.

ZCS will tell you whether that user exists, and for an existing one it also tells you the internal UID, which is also used for auth token generation (so the cleartext of the HMAC-encrypted auth tokens is easily predictable).
In general, all requests should be denied for unauthenticated users (except the login, of course ;-)).
Needless to mention that this is a serious security problem, but Zimbra upstream has scheduled this bug for Zimbra 9 (probably released in several years), so we need at least some mitigation against that.
Does anyone have an idea how to solve this problem?

One option would be forking the source and fixing it there on our own, dropping NE completely, but I'd like to explore other options first, before we take that step.
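The two leaks described in this post (an unauthenticated existence check, and a login error that differs between "unknown user" and "wrong password") are easiest to see side by side. The following is an added, constructed Python example, not Zimbra code and not the poster's: it uses a small in-memory directory with made-up accounts and UIDs, and contrasts a vulnerable lookup/login pair with a hardened one that refuses account queries before authentication, returns one generic failure for every bad login, and always computes a password hash so unknown accounts cost the same time as known ones.

```python
"""Enumeration-resistant account lookup and login (constructed example, not Zimbra code)."""
import hashlib
import hmac

# Constructed in-memory directory: username -> internal uid, salt and PBKDF2 hash.
# The uid and salt are placeholders, not values from any real deployment.
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = b"constructed-static-salt"
USERS = {
    "alice@example.com": {"uid": "uid-placeholder-0001", "salt": _SALT,
                          "hash": _pbkdf2("correct horse", _SALT)},
}
# Hash used to equalise work when the requested account does not exist.
_DUMMY_HASH = _pbkdf2("placeholder", _SALT)

GENERIC_FAILURE = {"ok": False, "error": "invalid credentials"}


def lookup_vulnerable(username: str, authenticated: bool = False) -> dict:
    """Vulnerable pattern: answers an existence question for anyone and leaks the uid."""
    user = USERS.get(username)
    if user is None:
        return {"exists": False}
    return {"exists": True, "uid": user["uid"]}


def lookup_hardened(username: str, authenticated: bool = False) -> dict:
    """Hardened pattern: no account information at all before authentication."""
    if not authenticated:
        return {"error": "authentication required"}
    user = USERS.get(username)
    return {"exists": user is not None, "uid": user["uid"] if user else None}


def login_vulnerable(username: str, password: str) -> dict:
    """Vulnerable pattern: the error text tells the caller whether the account exists."""
    user = USERS.get(username)
    if user is None:
        return {"ok": False, "error": "no such account"}
    if not hmac.compare_digest(_pbkdf2(password, user["salt"]), user["hash"]):
        return {"ok": False, "error": "wrong password"}
    return {"ok": True, "uid": user["uid"]}


def login_hardened(username: str, password: str) -> dict:
    """Hardened pattern: identical failure response and identical work for known and unknown users."""
    user = USERS.get(username)
    salt = user["salt"] if user else _SALT
    expected = user["hash"] if user else _DUMMY_HASH
    candidate = _pbkdf2(password, salt)          # always hash, even for unknown accounts
    match = hmac.compare_digest(candidate, expected)
    if user is None or not match:
        return dict(GENERIC_FAILURE)
    return {"ok": True, "uid": user["uid"]}


if __name__ == "__main__":
    print(login_vulnerable("nobody@example.com", "x"), login_vulnerable("alice@example.com", "x"))
    print(login_hardened("nobody@example.com", "x"), login_hardened("alice@example.com", "x"))
```

The hardened login still tells a legitimate user nothing less than before (they learn that the attempt failed), but an unauthenticated caller can no longer use the response or its timing to tell an existing account from a non-existent one.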


david24uk
Posts: 1
Joined: Sat Sep 13, 2014 2:52 am

Mitigate against user enumeration vulnerability

Postby david24uk » Wed Aug 29, 2012 6:36 pm

In reality how serious are enumeration attacks though?


[QUOTE]It's possible - without any prior authentication - to probe whether a certain user exists via SOAP calls.

ZCS will tell you whether that user exists, and for an existing one it also tells you the internal UID, which is also used for auth token generation (so the cleartext of the HMAC-encrypted auth tokens is easily predictable).[/QUOTE]
Brad_C
Advanced member
Posts: 106
Joined: Sat Sep 13, 2014 2:33 am

Mitigate against user enumeration vulnerability

Postby Brad_C » Wed Aug 29, 2012 9:26 pm

[quote user="david24uk"]In reality how serious are enumeration attacks though?[/QUOTE]
Once you have verified the correct login for a user, it's trivial then to start the dictionary attacks.
It's a hole worthy of some attention now rather than later.
Until it's fixed I suppose I have to force all my clients to connect to the Zimbra server over their VPN and block off the world-facing port 443.
liverpoolfcfan
Outstanding Member
Outstanding Member
Posts: 920
Joined: Sat Sep 13, 2014 12:47 am

Mitigate against user enumeration vulnerability

Postby liverpoolfcfan » Thu Aug 30, 2012 5:48 am

What is the Bugzilla number? More votes would likely get the issue promoted to an earlier fix target.
ypong
Advanced member
Posts: 66
Joined: Sat Sep 13, 2014 12:03 am

Mitigate against user enumeration vulnerability

Postby ypong » Thu Aug 30, 2012 10:27 pm

[quote user="Brad_C"]Once you have verified the correct login for a user, it's trivial then to start the dictionary attacks.
It's a hole worthy of some attention now rather than later.
Until it's fixed I suppose I have to force all my clients to connect to the Zimbra server over their VPN and block off the world-facing port 443.[/QUOTE]
Wouldn't the lockout policy, if enabled, mitigate this? E.g. more than 10 failed logins in an hour would move the account's status to lockout.
