Use 'zmprov' (the correct command name) instead of 'zmprove' (wrong) #1

Open

@robert-scheck robert-scheck commented Jan 13, 2023

Please use at least the correct command name: zmprov. Meanwhile this advisory is also known as CVE-2022-32294.

Aside from this, I'm unable to reproduce the issue. And unfortunately your description of how to reproduce this possible security flaw is incomplete. Based on the official Zimbra administration guidelines, I assumed the following steps:

  1. assumed step:

     ```
     # su - zimbra
     $ zmprov ca tux@example.net ""
     5db256d6-9bdc-45ac-b2da-04bd42018406
     $ 
     ```

  2. assumed step: Initial random password should be revealed in /var/log/secure (RHEL/Rocky Linux, or wherever sudo calls are logged) – but zmprov by itself does not call sudo at all, and I cannot find any hint about a password for my above example user tux@example.net in any syslog file or elsewhere within the syslog stack.

Further on: If this security flaw really exists, but was just accidentally described incompletely, it mainly applies by default only to Zimbra multi-server setups with remote syslog, or to regular setups with manually configured remote syslog. On default Zimbra single-server setups without any manually configured remote syslog, the password is not transmitted to foreign systems.

Most likely the sudo calls in your screenshot (copied in below) are caused by a third-party application, but not by Zimbra.

image
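One way to check a host's sudo log (for example /var/log/secure) for the exposure discussed in this pull request, added here as an example that is not part of the comment above or of the repository. It assumes sudo's usual `COMMAND=` syslog layout; the function name, the sample lines and the `/path/to/zmprov` location are constructed for illustration.

```python
import os
import re

# zmprov subcommands that take a password right after the account name.
PASSWORD_SUBCOMMANDS = {"ca", "createAccount", "sp", "setPassword"}

# sudo writes the executed command line after "COMMAND=" in its syslog entry.
SUDO_COMMAND = re.compile(r"\bsudo(?:\[\d+\])?:.*?\bCOMMAND=(?P<cmd>.*)$")


def find_zmprov_password_exposure(lines):
    """Return (line_number, subcommand, account) for every sudo log entry that
    recorded a zmprov call with a non-empty password argument.
    The password itself is never returned, so the report can be shared."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = SUDO_COMMAND.search(line.rstrip("\n"))
        if not match:
            continue
        # sudo logs arguments space-joined and unquoted, so an empty ""
        # password leaves no token behind and is not reported.
        argv = match.group("cmd").split()
        if not argv or os.path.basename(argv[0]) != "zmprov":
            continue
        for i, token in enumerate(argv[1:], start=1):
            if token in PASSWORD_SUBCOMMANDS:
                # Heuristic: account name plus at least one further token.
                if len(argv) > i + 2:
                    hits.append((number, token, argv[i + 1]))
                break
    return hits


# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    "Jan 13 10:00:01 mail sudo[2101]:  zimbra : TTY=pts/0 ; PWD=/tmp ; "
    "USER=root ; COMMAND=/path/to/zmprov ca tux@example.net constructed-pw",
    "Jan 13 10:00:05 mail sudo[2102]:  zimbra : TTY=pts/0 ; PWD=/tmp ; "
    "USER=root ; COMMAND=/path/to/zmprov ca tux@example.net ",
    "Jan 13 10:00:09 mail sshd[2103]: Accepted publickey for admin",
    "Jan 13 10:00:12 mail sudo:  zimbra : TTY=pts/0 ; PWD=/tmp ; "
    "USER=root ; COMMAND=/path/to/zmprov sp tux@example.net constructed-pw2",
    "Jan 13 10:00:20 mail sudo[2105]:  admin : TTY=pts/1 ; PWD=/root ; "
    "USER=root ; COMMAND=/usr/bin/systemctl restart rsyslog",
]

if __name__ == "__main__":
    for number, subcommand, account in find_zmprov_password_exposure(SAMPLE_LOG):
        print(f"line {number}: zmprov {subcommand} for {account} logged a password")
```

Because sudo drops quoting, a `ca` call with an empty password followed by attribute pairs would also be flagged; treat hits as entries to review by hand.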
