Zimbra XXE / SSRF Vulnerability Disclosure

Some of my clients who use Zimbra as their mail server had an issue related to the Zimbra XXE / SSRF vulnerability disclosure, which includes CVE-2016-9924, CVE-2018-20160 and CVE-2019-9670. Attackers use these vulnerabilities to gain access to the server and plant malware that mines cryptocurrency.


Some of the anomalies are:

  • Stuck after login to webmail
  • Failed to upload attachments
  • High CPU usage, with suspicious processes once infected

Stuck after login to webmail

This is caused by some of the JSP files having been modified by the attacker to gain access to the server. In my case the modified file then did not load completely on the client side when trying to access the webmail.

Failed to upload attachments

This is caused by permission changes on some of the temporary upload directories, made while the attacker was looking for a writable directory to drop their script/miner.

High CPU usage, with suspicious processes once infected

In my case, I found a process named as follows:

All the files are stored under /opt/zimbra/log and /opt/zimbra/log/.cache/. The .editorinfo file in the picture above contains the code below:

The zmwatch.sh file contains code that runs the zmwatch binary.

The common characteristic of this attack is that the attackers modify the crontab of the zimbra user and use it to download the miner from pastebin.
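The indicators described in this section (a zimbra crontab that fetches remote content, hidden files dropped under /opt/zimbra/log/.cache/, a CPU-hungry process, and recently modified JSP files) can be checked with a small read-only triage script. The script below is an added example, not code from the original post; the crontab and ps rows used in the comments are constructed samples, and the ZIMBRA_HOME path, the 80% CPU threshold and the 7-day window are assumptions you can adjust.

```shell
#!/usr/bin/env bash
# Added triage helper for the Zimbra miner indicators described in the post.
# Every check is a function that reads stdin or a path argument, so the same
# logic can be run against a live host or a scratch directory. Nothing here
# modifies the system.

# Crontab lines that pull remote content (the post describes a pastebin-fed miner).
# Input: crontab text on stdin. Output: matching non-comment lines; exit 0 if any.
suspicious_cron_lines() {
    grep -v '^[[:space:]]*#' \
        | grep -Ei 'pastebin\.com|curl[[:space:]]|wget[[:space:]]|\|[[:space:]]*(sh|bash)([[:space:]]|$)'
}

# Hidden entries (names starting with a dot) below a directory, such as
# /opt/zimbra/log/.cache/.editorinfo from the post. $1 = directory to scan.
hidden_files_under() {
    find "$1" -mindepth 1 -name '.*' 2>/dev/null
}

# Keep only rows whose first column (%CPU) exceeds a threshold (default 80).
# Input on stdin: "%CPU PID COMMAND" rows as printed by: ps -eo pcpu=,pid=,comm=
# Constructed sample row that would be kept: "95.3 1234 zmwatch"
filter_high_cpu() {
    awk -v t="${1:-80}" '$1 + 0 > t'
}

# Live wrapper around filter_high_cpu. $1 = threshold.
high_cpu_processes() {
    ps -eo pcpu=,pid=,comm= | filter_high_cpu "$1"
}

# JSP files changed within the last N days (default 7) under a webapps tree;
# the post attributes the broken webmail login to modified JSPs.
# $1 = webapps directory, $2 = days.
recently_modified_jsp() {
    find "$1" -type f -name '*.jsp' -mtime "-${2:-7}" 2>/dev/null
}

# Full report against a live host (run as root). ZIMBRA_HOME is an assumption.
triage_report() {
    local home="${ZIMBRA_HOME:-/opt/zimbra}"
    echo "== zimbra crontab lines fetching remote content =="
    crontab -u zimbra -l 2>/dev/null | suspicious_cron_lines || echo "(none)"
    echo "== hidden entries under $home/log =="
    hidden_files_under "$home/log"
    echo "== processes above 80% CPU =="
    high_cpu_processes 80
    echo "== JSP files modified in the last 7 days =="
    recently_modified_jsp "$home/mailboxd/webapps" 7
}

# Only run the live report when asked, so the file can be sourced for its functions.
if [ "${1:-}" = "--report" ]; then
    triage_report
fi
```

Run it as root with `./zimbra-triage.sh --report`, or source it and call the individual functions. A recently modified JSP is only a lead, not proof: compare any hit against a clean copy from the same Zimbra release before treating it as a web shell.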

Solution

To fix this issue, patch Zimbra to the latest version and remove the suspicious files. The malware file names may differ from my case, for example .ntp, .kswapd or others.

  • Patch Zimbra
  • Fix the Zimbra permissions:
    # /opt/zimbra/libexec/zmfixperms -e -v
  • Fix the Zimbra mailboxd permissions:
    # cd /opt/zimbra/mailboxd
    # find webapps -type d -exec chmod 0755 {} \;
    # find webapps -type f -exec chmod 0644 {} \;
  • Fix the Zimbra upload directory:
    # chown zimbra.zimbra /opt/zimbra/data/tmp
    # chown zimbra.zimbra /opt/zimbra/data/tmp/upload
    # chmod 777 /opt/zimbra/data/tmp
    # chmod 750 /opt/zimbra/data/tmp/upload
    Then restart the Zimbra service.
  • Rebuild the crontab

The most reliable way is to back up and rebuild your Zimbra using the latest version.
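The permission steps above can be wrapped in functions that take the Zimbra root as a parameter, which makes it possible to dry-run them on a scratch tree and, more usefully, to verify afterwards that nothing was missed before restarting mailboxd. The script below is an added example and not code from the original post; the modes and paths come from the steps above, while the function names, the `zmcontrol restart` call and the owner/group parameters are assumptions.

```shell
#!/usr/bin/env bash
# Added remediation/verification helper built around the permission steps in the
# post. The Zimbra root is a parameter so the functions can be exercised on a
# scratch directory; on a real server pass /opt/zimbra and run as root.

# Apply the post's webapp modes: directories 0755, files 0644. $1 = Zimbra root.
fix_webapp_perms() {
    local webapps="$1/mailboxd/webapps"
    find "$webapps" -type d -exec chmod 0755 {} \;
    find "$webapps" -type f -exec chmod 0644 {} \;
}

# Print every webapp entry whose mode still differs from the expected value.
# Returns 1 if any entry is off, so it can gate the service restart.
check_webapp_perms() {
    local webapps="$1/mailboxd/webapps" bad
    bad=$( { find "$webapps" -type d ! -perm 0755; find "$webapps" -type f ! -perm 0644; } )
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}

# Upload directories as in the post: owned by zimbra:zimbra, tmp 777, upload 750.
# $1 = Zimbra root, $2 = owner (default zimbra), $3 = group (default zimbra).
fix_upload_dirs() {
    local tmp="$1/data/tmp" owner="${2:-zimbra}" group="${3:-zimbra}"
    chown "$owner:$group" "$tmp" "$tmp/upload"
    chmod 777 "$tmp"
    chmod 750 "$tmp/upload"
}

# Returns 0 only when both upload directories carry the modes from the post.
check_upload_dirs() {
    local tmp="$1/data/tmp"
    [ -n "$(find "$tmp" -maxdepth 0 -type d -perm 0777)" ] \
        && [ -n "$(find "$tmp/upload" -maxdepth 0 -type d -perm 0750)" ]
}

# Full sequence for a live server (run as root): the post's zmfixperms call,
# the explicit mode fixes, a verification pass, then a restart only if clean.
remediate_live() {
    local home="${ZIMBRA_HOME:-/opt/zimbra}"
    "$home/libexec/zmfixperms" -e -v
    fix_webapp_perms "$home"
    fix_upload_dirs "$home"
    if check_webapp_perms "$home" && check_upload_dirs "$home"; then
        su - zimbra -c 'zmcontrol restart'
    else
        echo "permissions still wrong; not restarting" >&2
        return 1
    fi
}

# Only touch the live system when explicitly asked.
if [ "${1:-}" = "--live" ]; then
    remediate_live
fi
```

The check functions exist because `find -exec chmod` silently skips anything it cannot traverse; a second pass that lists remaining outliers is cheap and catches directories an attacker left unreadable. The crontab rebuild from the list above is deliberately not scripted here, since the correct entries depend on the Zimbra release installed.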

Reference

https://blog.zimbra.com/2019/05/9826/

https://blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html?m=1


https://lorenzo.mile.si/zimbra-cve-2019-9670-being-actively-exploited-how-to-clean-the-zmcat-infection/961/

https://forums.zimbra.org/viewtopic.php?f=15&t=66213#p290497
