CVE-2019-9670
Published 2019-05-29
CVE-2019-9670: mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability, as demonstrated by Autodiscover/Autodiscover.xml.
Priority: P1 · 93 · critical 9.8 · CVSS 3.1
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability (remediation due 2022-07-10)
Exploited in the wild
EPSS: 99.99% (100.0th percentile)
mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability, as demonstrated by Autodiscover/Autodiscover.xml.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| synacor | zimbra_collaboration_suite | — | — |
| synacor | zimbra_collaboration_suite | >= 8.7.0 < 8.7.11 | 8.7.11 |
Note: the fix shipped as a patch release, 8.7.11 Patch 10 (8.7.11p10), so a plain 8.7.11 GA install is still vulnerable. Running zmcontrol -v as the zimbra user prints both the release and the installed patch level; compare against 8.7.11_P10 rather than the base version.
Detection & IOCs (extracted from sources)
Snort: SID 49898
- The XXE attack targets the Autodiscover servlet via HTTP POST to /autodiscover (or Autodiscover/Autodiscover.xml). Detect POST requests to this path on Zimbra servers, especially with XML payloads containing DOCTYPE/ENTITY declarations.
- After XXE credential theft, the exploit chains to SSRF via /service/proxy/ with a 'target' GET parameter pointing to the internal admin port (7071). Detect requests to /service/proxy/?target=https://127.0.0.1:7071 as a strong indicator of exploitation.
- Post-exploitation JSP webshell upload occurs via POST to /service/extension/clientUploader/upload with a multipart form-data body. Monitor for unexpected file uploads to this endpoint, particularly .jsp files.
- Enable SSL decryption in Cisco Secure Firewall and Snort to detect exploitation of CVE-2019-9670, as the vulnerability exploits applications leveraging SSL.
- CVE-2019-9670 is combined with CVE-2019-9621 (SSRF) in the Metasploit module for full unauthenticated RCE. Detections should account for both CVEs being chained together.
- APT29/SVR has been observed exploiting CVE-2019-9670 in Zimbra as an initial access vector. Treat any successful exploitation as a high-priority incident given nation-state threat actor interest.
- The Metasploit module defaults to SSL=true and RPORT=8443. Ensure network monitoring covers HTTPS traffic on port 8443 (and 7071 for internal admin) to detect exploitation attempts; plain HTTP inspection will miss these.
- The exploit temporarily disables SSL during the XXE stage (datastore['SSL'] = false) before re-enabling it, meaning detection systems may see a brief HTTP (non-TLS) POST to /autodiscover even on a normally HTTPS-only server.
- The exploit uses an out-of-band DTD callback to an attacker-controlled HTTP server to exfiltrate the Zimbra LDAP password via XXE. Egress filtering and DNS/HTTP monitoring for unexpected outbound connections from the Zimbra server are critical detection controls.
- Affected versions are Zimbra Collaboration Suite v8.5 to v8.7.11 (specifically 8.7.x before 8.7.11p10). Snort SID 49898 coverage applies; verify the rule is active and SSL inspection is enabled for full coverage.
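The three request-side indicators above (Autodiscover XXE, Proxy Servlet SSRF to port 7071, JSP upload through clientUploader) can be checked in one pass over decrypted HTTP request records and correlated by source address. The block below is an added example written for this page; it is not code from Rapid7, Emerging Threats or Zimbra. It re-expresses the bullet points and the ET Suricata rule listed further down in plain Python. The record layout (src, method, uri, body) and the sample requests are constructed for the demo and do not represent a real Zimbra or proxy log format.

```python
"""Stage detection for the CVE-2019-9670 exploitation chain.

Added example, not code from this page, Rapid7 or Emerging Threats. The
record layout and SAMPLE_REQUESTS below are constructed for the demo.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Stage 1: XXE against the Autodiscover servlet. The path check is
# case-insensitive on purpose: the servlet answers on /Autodiscover/ and
# /autodiscover/, while the ET rule's content match is case-sensitive.
AUTODISCOVER = re.compile(r"^/autodiscover/autodiscover\.xml$", re.I)
# <!ENTITY name SYSTEM "file:..."> or "http(s)://..." (parameter entities too),
# the same shape the ET rule's content + pcre pair looks for.
ENTITY_SYSTEM = re.compile(r'<!ENTITY\s+%?\s*\w+\s+SYSTEM\s+"\s?(?:file|https?):', re.I)

# Stage 2: SSRF through the Proxy Servlet to the admin SOAP port.
PROXY_PATH = "/service/proxy"
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
ADMIN_PORT = 7071

# Stage 3: JSP webshell dropped through the Client Upload servlet.
UPLOAD_PATH = "/service/extension/clientUploader/upload"
JSP_FILENAME = re.compile(r'filename="[^"]*\.jspx?"', re.I)


def classify(req):
    """Return the chain stage one request matches
    ('xxe', 'ssrf_admin_port', 'jsp_upload') or None."""
    parts = urlsplit(req["uri"])
    path = parts.path.rstrip("/")  # sources quote /service/proxy/ and /service/proxy
    body = req.get("body", "")
    if req["method"] == "POST" and AUTODISCOVER.match(path) and ENTITY_SYSTEM.search(body):
        return "xxe"
    if path == PROXY_PATH:
        for target in parse_qs(parts.query).get("target", []):
            t = urlsplit(target)  # parse_qs already URL-decoded the value
            if t.hostname in LOOPBACK and t.port == ADMIN_PORT:
                return "ssrf_admin_port"
    if req["method"] == "POST" and path == UPLOAD_PATH and JSP_FILENAME.search(body):
        return "jsp_upload"
    return None


def detect_chain(requests):
    """Group stage hits by source address. A source reaching two or more
    distinct stages is flagged as a probable full chain; a lone XXE POST is
    still alert-worthy on its own (it may be the OOB credential theft)."""
    hits = {}
    for req in requests:
        stage = classify(req)
        if stage:
            hits.setdefault(req["src"], []).append(stage)
    return {src: {"stages": stages, "chain": len(set(stages)) >= 2}
            for src, stages in hits.items()}


# Constructed sample traffic: one source walking the whole chain, one benign
# Outlook autodiscover client plus a legitimate proxy fetch of an external feed.
XXE_BODY = (
    '<!DOCTYPE Autodiscover [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    "<Autodiscover><Request><EMailAddress>a</EMailAddress>"
    "<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema></Request></Autodiscover>"
)
SAMPLE_REQUESTS = [
    {"src": "203.0.113.5", "method": "POST", "uri": "/autodiscover/autodiscover.xml",
     "body": XXE_BODY},
    {"src": "203.0.113.5", "method": "POST",
     "uri": "/service/proxy/?target=https%3A%2F%2F127.0.0.1%3A7071%2Fservice%2Fadmin%2Fsoap",
     "body": "<soap:Envelope/>"},
    {"src": "203.0.113.5", "method": "POST", "uri": "/service/extension/clientUploader/upload",
     "body": 'Content-Disposition: form-data; name="clientFile"; filename="shell.jsp"\r\n'},
    {"src": "198.51.100.9", "method": "POST", "uri": "/Autodiscover/Autodiscover.xml",
     "body": "<Autodiscover><Request><EMailAddress>user@example.com</EMailAddress>"
             "</Request></Autodiscover>"},
    {"src": "198.51.100.9", "method": "GET",
     "uri": "/service/proxy?target=https://www.example.com/feed.xml", "body": ""},
]

if __name__ == "__main__":
    for src, verdict in detect_chain(SAMPLE_REQUESTS).items():
        print(src, verdict)
```

Two caveats carry over from the bullets: this only sees traffic that a TLS-terminating proxy or decryptor has already unwrapped (port 8443 and the 7071 admin port are HTTPS), and because the ET rule's content match on /Autodiscover/Autodiscover.xml is case-sensitive as written, a lowercase path would pass that rule while still matching here; consider a second rule or nocase if you rely on the ET signature alone.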
CVSS provenance
NVD (v3.1): 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (v2.0): 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck: 9.8 CRITICAL
CISA: 9.8 CRITICAL
CISA
Synacor Zimbra Collaboration Suite (ZCS) Improper Restriction of XML External Entity Reference
cisa · 2022-01-10 · CVSS 9.8 · CVE-2019-9670 [CRITICAL] CWE-611
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Synacor Zimbra Collaboration Suite (ZCS) contains an improper restriction of XML external entity (XXE) vulnerability in the mailboxd component.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-9670
Remediation Due Date: 2022-07-10
GHSA
GHSA-pj74-pf28-5qjw: mailboxd component in Synacor Zimbra Collaboration Suite 8
ghsa_unreviewed · 2022-05-24 · CVE-2019-9670 [CRITICAL] CWE-611
mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability.
VulnCheck
Synacor Zimbra Collaboration Suite (ZCS) Improper Restriction of XML External Entity Reference
vulncheck · 2019 · CVSS 9.8 · CVE-2019-9670 [CRITICAL] CWE-611
Synacor Zimbra Collaboration Suite (ZCS) contains an improper restriction of XML external entity (XXE) vulnerability in the mailboxd component.
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Required Action: Apply updates per vendor instructions.
Exploitation References: https://media.defense.gov/2020/Jul/16/2002457639/-1/-1/0/NCSC_APT29_ADVISORY-QUAD-OFFICIAL-20200709-1810.PDF; https://www.tenable.com/blog/daisy-chaining-how-vulnerabilities-can-be-greater-than-the-sum-of-their-parts; https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF; https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf; htt
Suricata
ET EXPLOIT Possible Zimbra Autodiscover Servlet XXE (CVE-2019-9670)
suricata · 2022-06-20 · CVSS 9.8 · CVE-2019-9670 [CRITICAL]
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Zimbra Autodiscover Servlet XXE (CVE-2019-9670)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Autodiscover/Autodiscover.xml"; http.request_body; content:"<!ENTITY|20|"; content:"|20|SYSTEM|20 22|"; fast_pattern; pcre:"/^\s?(?:file|https?)\x3a/Ri"; reference:cve,2019-9670; classtype:attempted-admin; sid:2037040; rev:1; metadata:attack_target Server, created_at 2022_06_20, cve CVE_2019_9670, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2022_06_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190,
Exploit-DB
Zimbra Collaboration - Autodiscover Servlet XXE and ProxyServlet SSRF (Metasploit)
exploitdb · 2019-04-12 · CVE-2019-9670
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Zimbra Collaboration Autodiscover Servlet XXE and ProxyServlet SSRF',
      'Description' => %q{
        This module exploits an XML external entity vulnerability and a
        server side request forgery to get unauthenticated code execution
        on Zimbra Collaboration Suite. The XML external entity vulnerability
        in the Autodiscover Servlet is used to read a Zimbra configuration
        file that contains an LDAP password for the 'zimbra' account. The
        zimbra credentials are then used to get a user authentication cookie
        with an AuthRequest message. Using the user cookie, a se
Metasploit
Zimbra Collaboration Autodiscover Servlet XXE and ProxyServlet SSRF
metasploit
This module exploits an XML external entity vulnerability and a server side request forgery to get unauthenticated code execution on Zimbra Collaboration Suite. The XML external entity vulnerability in the Autodiscover Servlet is used to read a Zimbra configuration file that contains an LDAP password for the 'zimbra' account. The zimbra credentials are then used to get a user authentication cookie with an AuthRequest message. Using the user cookie, a server side request forgery in the Proxy Servlet is used to proxy an AuthRequest with the 'zimbra' credentials to the admin port to retrieve an admin cookie. After gaining an admin cookie the Client Upload servlet is used to upload a JSP webshell that can be triggered from th
Nuclei
Synacor Zimbra Collaboration <8.7.11p10 - XML External Entity Injection
nuclei · CVSS 9.8 · CVE-2019-9670 [CRITICAL]
Synacor Zimbra Collaboration
]>
aaaaa
&xxe;
    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - 'root:.*:0:0:'
          - "Problem accessing"
        condition: and
      - type: status
        status:
          - 503
    # digest: 4a0a00473045022060e584c026331a41063d1fd0243a6d5acf9c19f04890a0555f428a8e011418b4022100a49b5da9dd6d522615a0edb054f59db8956b74116b33f50725bfea8a201f582c:922c64590222798bb761d5b6d8e72950
The matcher logic explains how the in-band variant of this XXE works: the entity is expanded into the AcceptableResponseSchema value, the servlet rejects the unknown schema with a 503, and Jetty's "Problem accessing" error page echoes the rejected value, so /etc/passwd content ('root:.*:0:0:') shows up in the response body.
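The CWE-611 defect behind the matcher above is an XML parser that resolves external general entities in untrusted input. The block below is an added example written for this page, not Zimbra code and not the nuclei template: it parses one Autodiscover-shaped request twice with Python's xml.sax (standing in for the Java parser inside mailboxd), once with external general entities enabled and once with the safe default, and shows what the AcceptableResponseSchema value resolves to in each case. A temporary file with constructed contents stands in for the configuration file the real exploit reads; the element names follow the Autodiscover request format.

```python
"""CWE-611 side by side: external general entities on versus off.

Added example, not Zimbra code or the nuclei template. The temp file and
its contents are constructed stand-ins for the file the exploit reads.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Autodiscover-shaped body: the external entity lands in
# AcceptableResponseSchema, the value the servlet echoes in its 503 page.
REQUEST = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE Autodiscover [<!ENTITY xxe SYSTEM "{path}">]>'
    "<Autodiscover><Request>"
    "<EMailAddress>aaaaa</EMailAddress>"
    "<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>"
    "</Request></Autodiscover>"
)


class SchemaCollector(ContentHandler):
    """Collects the text of AcceptableResponseSchema, as the servlet would."""

    def __init__(self):
        super().__init__()
        self.in_schema = False
        self.schema = []

    def startElement(self, name, attrs):
        self.in_schema = name == "AcceptableResponseSchema"

    def endElement(self, name):
        if name == "AcceptableResponseSchema":
            self.in_schema = False

    def characters(self, content):
        if self.in_schema:
            self.schema.append(content)


def response_schema(xml_text, resolve_external_entities):
    """Parse the body and return what AcceptableResponseSchema resolved to:
    the entity's expansion (file contents) when external general entities
    are enabled, the empty string when the parser refuses to fetch them."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = SchemaCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_text.encode()))
    return "".join(handler.schema)


def demo():
    """Write a constructed 'secret' file, parse the request against it both
    ways, and return (vulnerable_result, hardened_result)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("zimbra_ldap_password = example-not-a-real-secret\n")
        path = f.name
    try:
        body = REQUEST.format(path=path)
        return response_schema(body, True), response_schema(body, False)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    leaked, blocked = demo()
    print("external entities on :", repr(leaked))
    print("external entities off:", repr(blocked))
```

The hardened case is simply the parser's default: Python's xml.sax stopped resolving external general entities by default in 3.7.1, so the feature has to be switched on explicitly to reproduce the bug. In the Java parsers mailboxd uses, the equivalent hardening is to reject a DOCTYPE altogether (the disallow-doctype-decl feature on DocumentBuilderFactory or SAXParserFactory) or, where DTDs are needed, to disable external general and parameter entities; whether that is the specific change Zimbra shipped in 8.7.11p10 is not stated on this page.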
Trendmicro
Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement
blogs_trendmicro · 2023-09-18 · Malware
By: Joseph C Chen, 2023/09/18
While monitoring Earth Lusca, we discovered an intriguing, encrypted file on the threat actor's server — a Linux-based malware, which appears to originate from the open-source Windows backdoor Trochilus, which we've dubbed SprySOCKS due to its swift behavior and SOCKS implementation.
In early 2021, we published a research paper discussing the operation of a China-linked threat actor we tracked as Earth Lusca. Since our initial research, the group has remained active and has even extended its operations, targeting countries around the world during the first half of 2023.
While monitoring the group, we managed to obtain an interesting
Qualys
Russia-Ukraine Crisis: How to Strengthen Your Security Posture to Protect against Cyber Attack, based on CISA Guidelines
blogs_qualys · 2022-02-26
## Table of Contents
Protecting Customer Data on Qualys Cloud Platform
Urgent: Assess and Heighten Your Security Posture
Step 1: Monitor Your Shodan/Internet Exposed Assets
Step 2: Detect, Prioritize and Remediate CISA's Catalog of Known Exploited Vulnerabilities
Step 3: Protect Your Cloud Services and Office 365
Step 4: Continuously Detect any Potential Threats and Attacks
Take Action to Learn More about How to Strengthen Your Defenses
CISA has created Shields Up as a response to the Russian invasion of Ukraine. Qualys is responding with additional security, monitoring and governance measures. This blog details how and what our enterprise customers can do to immediately strengthen their security posture and meet CISA's recommendations.
With the invasion of Ukraine by Russia, the U.
Tenable
Government Advisories Warn of APT Activity Resulting from Russian Invasion of Ukraine
blogs_tenable · 2022-02-24
Unit42
Russia-Ukraine Cyberattacks (Updated): How to Protect Against Related Cyberthreats Including DDoS, HermeticWiper, Gamaredon, Website Defacement, Phishing and Scams
blogs_unit42 · 2022-02-22 · Threat Research · Malware
Unit 42, Published: February 22, 2022
Tags: DDoS, Defacement, Gamaredon, HermeticWiper, Nation-state, Russia, Trident Ursa, Ukraine, WhisperGate
## Executive Summary
Over the past several weeks, Russia-Ukraine cyber activity has escalated substantially. Beginning on Feb. 15, a series of distributed denial of service (DDoS) attacks commenced. These attacks have continued over the past week, impacting both the Ukrainian government and banking institutions. On Feb. 23, a new variant of wiper malware named HermeticWiper was discovered in Ukraine. Shortly after, a new round of website defacement attacks was also observed impacting Ukrainian government organizations.
Consistent with our previous reporting on the topic, several western governments have issued recommendations for their populations to prepare for cyberattacks that could disrupt, disable or destroy critical infrastructure. We have already observed an increase in Russian c
Talos
Threat Advisory: NSA SVR Advisory Coverage
blogs_talos · 2021-04-15 · CVSS 9.1 · [CRITICAL]
The U.S. National Security Agency released an advisory outlining several vulnerabilities that the Russian Foreign Intelligence Service (SVR) is exploiting in the wild. The U.S. formally attributed the recent SolarWinds supply chain attack to the SVR group in this advisory and detailed more of the group's tactics, techniques and procedures.
The exploits included a series of five CVEs that affect VPN solutions, collaboration suite software and virtualization technologies. All five of the CVEs have been patched; Cisco Talos encourages everyone with the affected software to update immediately. Some of these vulnerabilities also have working Metasploit modules and are currently being widely exploited. Please note that some of these vulnerabilities exploit applications leveraging SSL. This means
Tenable
Daisy Chaining: How Vulnerabilities Can Be Greater Than the Sum of Their Parts
blogs_tenable · 2021-01-21
Fortinet
Deconstructing an Evasive Formbook Campaign Leveraging COVID-19 Themes | FortiGuard Labs
blogs_fortinet · 2020-04-21
FORTIGUARD LABS THREAT RESEARCH
By Fred Gutierrez and Val Saengphaibul | April 21, 2020
FortiGuard Labs Threat Analysis Report
Introduction
Affected platforms: Windows
Impacted parties: Companies that engage with biomedical firms
Impact: Remote control of infected computer, information stealing, keylogger
Severity level: High
During our research into COVID-19 threats, FortiGuard Labs has run into a number of unique types of spearphishing lures. For example, one of these targets companies that engage with biomedical firms, and as a result, they may be at risk of losing financial resources, data, or intellectual property.
Within the last couple of days, for example, our spam traps noticed the following email sent ou
Threat Intel
APT29 (APT29, IRON RITUAL, IRON HEMLOCK)
threat_intel
# Threat Actor Profile: APT29
ATT&CK ID: G0016
Also known as: APT29, IRON RITUAL, IRON HEMLOCK, NobleBaron, Dark Halo, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, CozyDuke, SolarStorm, Blue Kitsune, UNC3524, Midnight Blizzard
Suspected origin: Russia
## Overview
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DN
Greynoiseio
Malicious Tag Roundup (January 2022)
blogs_greynoiseio
References
http://packetstormsecurity.com/files/152487/Zimbra-Collaboration-Autodiscover-Servlet-XXE-ProxyServlet-SSRF.html
http://www.rapid7.com/db/modules/exploit/linux/http/zimbra_xxe_rce
https://bugzilla.zimbra.com/show_bug.cgi?id=109129
https://isc.sans.edu/forums/diary/CVE20199670+Zimbra+Collaboration+Suite+XXE+vulnerability/27570/
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
https://www.exploit-db.com/exploits/46693/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-9670
Timeline
2019-05-29: Published
2022-01-10: Added to CISA KEV
Exploited in the wild