CVE-2019-9670 being actively exploited

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
Bittone
Posts: 12
Joined: Mon Sep 05, 2016 4:30 pm

Re: CVE-2019-9670 being actively exploited

Postby Bittone » Fri May 10, 2019 9:20 am

Hi guys,
first of all: many thanks for the contributors to this topic, I was one of the lazy stupids that did not patch in time and got hacked.
Now I have a question: what if the attacker has dumped the whole ldap tree , complete with usernames and passwords?
How strong is password encryption in Zimbra?
Thanks
A.T.


User avatar
gabrieles
Advanced member
Advanced member
Posts: 107
Joined: Tue Feb 14, 2017 9:40 am

Re: CVE-2019-9670 being actively exploited

Postby gabrieles » Fri May 10, 2019 12:09 pm

Bittone wrote:complete with usernames and passwords?

The only cleartext passwords that zimbra stores on a file are those on /opt/zimbra/conf/localconfig.xml. And are the passwords that let access the ldap. And you can change them in no time with zmldappasswd
Passwords are not stored anywhere. Only salted hashes. Having only the hashes is hard (but not impossible) get back the passwords. You have crack it offline, but with distributed tools like john the ripper, it's not so hard.
You have all the time to tell you users to change their pwd.

If you stored a passwords.txt file with zimbra:zimbra rights on /opt/zimbra with all your cleartext passwords, well this could be worse
Bittone
Posts: 12
Joined: Mon Sep 05, 2016 4:30 pm

Re: CVE-2019-9670 being actively exploited

Postby Bittone » Fri May 17, 2019 8:58 am

Hi Gabrieles,
yes I knew that much, my only concern is that I did not find a reference to what hashing algorithm is currently used by Zimbra (8.7.xx).
Thanks you

A.T.
lucadevac
Posts: 7
Joined: Fri May 17, 2019 10:01 am

Re: CVE-2019-9670 being actively exploited

Postby lucadevac » Fri May 17, 2019 10:12 am

Hi all, and thank you for this great thread. Actually we have got some trouble with this CVE.

On an our server (8.7.11) that I have just patched with the latest patch (8.7.11_P11) just right 2 fuc_ing days ago.
Maybe i think that the attacked got me a couple of day before the patch.

We have already cleanup the system and reset all the password, as per your previous indication (like this great post did: https://lorenzo.mile.si/zimbra-cve-2019 ... ction/961/)
but for a reason that i really can't understand we still get 403 error when we try to access to both frontend and backend (:7071).

Any clue of what could be done in order to debug or fix that problem?
Because from the /opt/zimbra/log i can't get any valid ideas of debugging.

Thank you.
lucadevac
Posts: 7
Joined: Fri May 17, 2019 10:01 am

Re: CVE-2019-9670 being actively exploited

Postby lucadevac » Fri May 17, 2019 12:03 pm

If i login into the administrative interface with the URL:

https://MYDOMAIN:7071/zimbraAdmin/

I can enter into the administrative panel.
But if I try to enter with the URL:

https://MYDOMAIN:7071

or only

https://MYDOMAIN

i always receive 403 error.
Also if, from the administrative area I try to see the mailbox, that open that URL:

https://MYDOMAIN:8443/mail?adminPreAuth=1

this time I get a 404 error.

It's look like something missing from a webserver point of view.
Any clue?
Klug
Elite member
Elite member
Posts: 2352
Joined: Mon Dec 16, 2013 11:35 am
Contact:

Re: CVE-2019-9670 being actively exploited

Postby Klug » Fri May 17, 2019 12:10 pm

Are the zimbraPublicService* variables set for your domain(s)?
lucadevac
Posts: 7
Joined: Fri May 17, 2019 10:01 am

Re: CVE-2019-9670 being actively exploited

Postby lucadevac » Fri May 17, 2019 12:26 pm

yes they are:

zmprov mcf zimbraPublicServicePort 443
zmprov mcf zimbraPublicServiceProtocol https
zmprov mcf zimbraPublicServiceHostname MYDOMAIN
Klug
Elite member
Elite member
Posts: 2352
Joined: Mon Dec 16, 2013 11:35 am
Contact:

Re: CVE-2019-9670 being actively exploited

Postby Klug » Fri May 17, 2019 1:10 pm

These are domain specific variables, not global.
You should set them for each domain.

zimbraPublicServiceHostname should be a FQDN, something like webmail.mydomain.tld.
lucadevac
Posts: 7
Joined: Fri May 17, 2019 10:01 am

Re: CVE-2019-9670 being actively exploited

Postby lucadevac » Fri May 17, 2019 1:20 pm

Yes MYDOMAIN is something like "mail.MYDOMAIN.COM". so FQDN.

But i can't understand what you mean with "global" set of zimbraPublic* value
Please, can you point me to the right command to do that?

thank you
lucadevac
Posts: 7
Joined: Fri May 17, 2019 10:01 am

Re: CVE-2019-9670 being actively exploited

Postby lucadevac » Fri May 17, 2019 1:26 pm

Because from there (https://wiki.zimbra.com/wiki/Enabling_Z ... _memcached) i see:

This command sets mail.domain.com as the public hostname to be used for access to all domains in the Zimbra directory:
zmprov mcf zimbraPublicServiceHostname mail.domain.com

so it's look like global already. Or not?

Return to “Administrators”

Who is online

Users browsing this forum: MSN [Bot] and 6 guests