CVE-2022-3569 ZCS has a local privilege escalation vulnerability in versions 9.0.0 and prior, where the 'zimbra' user can coerce postfix into running arbitrary commands as 'root'.

This may lead to local privilege escalation, as well as potentially exposing system vulnerabilities if postfix is configured to run custom-made daemons. This issue has been resolved in version 9.0.1 by changing the sudo privileges for the 'zimbra' user to be more restrictive. When upgrading from version 8.x or earlier, it is recommended that you set 'zimbra' to be a 'non-privileged' user during the installation process, to prevent this issue from occurring. To do so, edit the '/etc/sudoers.d/zimbra' file and change the following line from 'zimbra ALL = (root) NOPASSWD: /etc/rc.d/init.d/zimbra_mgt' to 'zimbra ALL = NOPASSWD: /etc/rc.d/init.d/zimbra_mgt' . Note that it is important that 'zimbra' be a non-root user, as postfix will run as 'root' if it is.

CVE-2002-2776

This vulnerability is due to a flaw in the postfix configuration. If a valid request is sent to the /proc/pid/cmdline or other system file, it will be returned without any filtering or sanitization. The issue has been resolved by changing the process of running these commands, so that they are run using a more restrictive set of privileges. This can be done by editing '/etc/default/postfix' and changing 'DISABLE_POSTCHMOD=true' to 'DISABLE_POSTCHMOD=false'. It is important that this change be made before upgrading from version 8.x or earlier to prevent this issue from occurring.

CVE-2006-5411

This may lead to local privilege escalation, as well as potentially exposing system vulnerabilities if postfix is configured to run custom-made daemons. This issue has been resolved in version 9.0.1 by changing the sudo privileges for the 'zimbra' user to be more restrictive. When upgrading from version 8.x or earlier, it is recommended that you set 'zimbra' to be a 'non-privileged' user during the installation process, to prevent this issue from occurring. To do so, edit the '/etc/sudoers.d/zimbra' file and change the following line from 'zimbra ALL = (root) NOPASSWD: /usr/sbin/postalias' to 'zimbra ALL = NOPASSWD: /usr/sbin/postalias' . Note that it is important that 'zimbra' be a non-root user, as postfix will run as 'root' if it is.

CVE-2023-3571

This issue has been resolved in version 9.0.1 by changing the default 'su' password to be more secure.

References https://wiki.debian.org/Zimbra

http://www.zimbra.com/security-updates

Timeline

Published on: 10/17/2022 23:15:00 UTC
Last modified on: 10/20/2022 14:27:00 UTC

References

• https://github.com/rapid7/metasploit-framework/pull/17141
• https://twitter.com/ldsopreload/status/1580539318879547392
• http://packetstormsecurity.com/files/169430/Zimbra-Privilege-Escalation.html
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3569