Guard against Zimbra

Zyxel_Forum_Admin (Admin)
edited November 29, 2019 5:38PM in Security Incidents
CVE-2019-9670
Vulnerable Zimbra versions: 8.5 to 8.7.11
The mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability.
Impact:
This vulnerability could allow an attacker to achieve remote code execution (RCE) on an affected Zimbra system. The XML external entity vulnerability in the Autodiscover Servlet is used to read a Zimbra configuration file that contains an LDAP password for the Zimbra account. The Zimbra credentials are then used to obtain a user authentication cookie with an AuthRequest message. Using the user cookie, a server-side request forgery in the Proxy Servlet is used to proxy an AuthRequest with the Zimbra credentials to the admin port and retrieve an admin cookie. With the admin cookie, the Client Upload servlet is used to upload a JSP webshell that can be triggered from the web server to execute commands on the host.
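The chain above leaves a recognizable sequence in the traffic in front of the mail server: an XXE probe against the Autodiscover servlet, a Proxy servlet request aimed at the admin port, then a JSP upload. The following is an added detection example (not Zyxel's or Zimbra's code) that correlates those three stages per client over constructed request records; the request paths, the record layout and the admin port number 7071 are assumptions, since the advisory names only the servlets.

```python
import re
from collections import defaultdict

ADMIN_PORT = 7071  # Zimbra admin port; assumption, the advisory only says "admin port"
STAGES = ("xxe_autodiscover", "ssrf_proxy_to_admin", "jsp_upload")

# Constructed request records (client IP, method, path, body excerpt) as a WAF or
# reverse proxy in front of Zimbra might log them. Paths are hypothetical.
SAMPLE_REQUESTS = [
    ("203.0.113.7", "POST", "/autodiscover", '<!DOCTYPE x [<!ENTITY e SYSTEM "file:///">]>'),
    ("192.0.2.4", "POST", "/autodiscover", "<Autodiscover><Request><EMailAddress>a@b.test"),
    ("198.51.100.9", "POST", "/autodiscover", '<!DOCTYPE x [<!ENTITY e "probe">]>'),
    ("203.0.113.7", "POST", f"/proxy?target=https://127.0.0.1:{ADMIN_PORT}/", "<AuthRequest>"),
    ("203.0.113.7", "POST", "/upload", 'filename="cmd.jsp"'),
    ("192.0.2.4", "POST", "/upload", 'filename="report.pdf"'),
]


def classify(method, path, body):
    """Map one request to a stage of the CVE-2019-9670 chain, or None if benign."""
    p, b = path.lower(), body.lower()
    # Stage 1: XXE against the Autodiscover servlet (inline DOCTYPE/ENTITY in the body)
    if "autodiscover" in p and method == "POST" and ("<!doctype" in b or "<!entity" in b):
        return STAGES[0]
    # Stage 2: Proxy servlet relaying an AuthRequest towards the admin port (SSRF)
    if "proxy" in p and f":{ADMIN_PORT}" in path and "authrequest" in b:
        return STAGES[1]
    # Stage 3: Client Upload servlet receiving a JSP file (webshell drop)
    if "upload" in p and method == "POST" and re.search(r"\.jsp\b", b):
        return STAGES[2]
    return None


def find_chains(records):
    """Return, per client IP, the chain stages seen in order of first appearance."""
    seen = defaultdict(list)
    for ip, method, path, body in records:
        stage = classify(method, path, body)
        if stage and stage not in seen[ip]:
            seen[ip].append(stage)
    return dict(seen)


def alerts(records):
    """Severity per client: the full ordered chain is critical, partial progress high."""
    result = {}
    for ip, stages in find_chains(records).items():
        sev = "critical" if stages == list(STAGES) else "high" if len(stages) > 1 else "medium"
        result[ip] = (sev, stages)
    return result
```

A single XXE probe is worth a medium alert on its own because the advisory's chain starts there; the upload stage alone is only meaningful after the earlier stages from the same client.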
Mitigation (On Host Device):
For hosts:
- Zimbra customers running versions of 8.8 must upgrade to 8.8.10 Patch 7 or 8.8.11 Patch 3
- Zimbra customers running the long term support version (LTS) 8.7.11 must upgrade to 8.7.11 Patch 10
- Zimbra customers running 8.6 must upgrade to 8.6 Patch 13
Mitigation (On Network):
Zyxel ZyWALL USG/ATP series firewalls use their IDP (intrusion detection and prevention) security feature to block this network attack.
Update to the latest version of the IDP signature and then enable the IDP function to protect your hosts.
Revision history
2019-11-21: Initial release