Zimbra

Hubert · #1 (**permalink**) 06-26-2009, 07:48 AM

I would like to disclose a vulnerability I discovered in Zimbra which needs to be patched urgently.

4.5, 5.0.16GA and 6 Beta 2 are all affected.

The initial response from support@zimbra.com has been unhelpful and I do not want to report this on your public bugtracker.

Please contact me at hubert at itsecurity.net

zombiewithamasseffect · #2 (**permalink**) 06-26-2009, 10:01 AM

I commend you for trying to handle this in a responsible manner.

Hubert · #3 (**permalink**) 06-26-2009, 11:42 AM

I have done some more research on this with a colleague and the issue is highly critical.

If you have Zimbra HTTP(S) and SSH exposed to the internet, your installation can be compromised.

As a workaround I would highly recommend firewalling remote access to the SSH port, although this does not fully address the issue.

Still waiting to be contacted by Zimbra...

uxbod · #4 (**permalink**) 06-26-2009, 11:55 AM

I have moderated this post until one of the employees respond; this is for the safety on the community.

quanah · #5 (**permalink**) 06-26-2009, 12:08 PM

Quote:

Originally Posted by uxbod

I have moderated this post until one of the employees respond; this is for the safety on the community.

I'm trying to get the details offline.

--Quanah

raj · #6 (**permalink**) 06-26-2009, 12:25 PM

http://itsecurity.net
dont open..is this for real?

Raj

p24t · #7 (**permalink**) 06-26-2009, 01:15 PM

itsecurity.net doesn't resolve. It is the MX record for the domain, so if he's expecting someone to email him, he's not going to get it.

Hubert · #8 (**permalink**) 06-26-2009, 05:11 PM

My domain should be working again now (it has nothing about this bug on it at this time).

Yes it's real, Zimbra have confirmed the issues and are working on a patch.

jholder · #9 (**permalink**) 07-01-2009, 02:12 AM

I'm re moderating this post. We have been in contact with the reporter, and are actively investigating and patching the issue.

Once we announce it, this thread will be republished.

sgruby · #10 (**permalink**) 07-01-2009, 07:26 PM

I received email apparently from support@zimbra.com indicating that all current versions of Zimbra have a security vulnerability. The email had instructions and a download link for a patch. Problem is, the email was sent through a mailing list company and I can't verify that Zimbra sent it. Second, there is no reference (that I can find) in the forums or web site about this.

There is no way I'm installing this without something on the web site.

Is this a forgery or does Zimbra not have a clue how to alert their users?

Zimbra

Downloads

Product Information

Toolbox

Why Join?