Can't reproduce.

I tried all the ports (and 6071) and I'm getting a 403 each time.

What happens if you try /service/nginx.key or /service/localconfig.xml?

I'm running the last version.

However, you are very very right about the un-readability of the changelogs and announcements.
It's impossible for admin to know what changed between two versions, we do need a functionnal summary (no code reading, clear explanation of what was changed, what is new, what was fixed), especially on security topics.

Hi,

No doubt your feedback has some valid improvement points to consider. We are definitely going to retrospect on this. We appreciate your feedbacks and would love to hear more in future.

Have a good day 😊

Regards

Hi,

No doubt your feedback has some valid improvement points to consider. We are definitely going to retrospect on this. We appreciate your feedbacks and would love to hear more in future.

Have a good day 😊

Regards

Thank you for the response. I can confirm that the latest update does fix the issue.

I would like to point out that, if there was any announcement, it was not in any easily accessible and visible place - certainly not on the homepage of community.zextras.com, it's not on the blog, nor in a separate forum thread. I could only find vague information about "security patches" buried on the page 17 of the "New release" thread which does not help with visibility.

Your changelog also doesn't mention it - full changelog from the documentation is actually a number of links to GitHub repositories of applications whose versions don't match Carbonio's versioning. Also, none of those linked changelogs mention changes related to this issue - please correct me if I missed it in some of those changelogs.

One of the most logical places for such announcements would be the update pages in the documentation. A brief changelog summary would also help, because currently there's no way to correlate Carbonio versions (e.g. 24.12.2) to the versions of components (e.g. 0.9.3, 1.14.0, 1.4.1 and so on).

Also, the mail that you mention here, security@zextras.com, is not mentioned anywhere else on your websites, and there's no guidelines for reporting security issues other than the generic suggestion to write here on this forum. Documentation for the paid version talks about "Zextras customer’s support portal", but doesn't mention security issues either. There should be an easily discoverable security advisory web page that would also guide users to confidentially report security issues.

Please consider these suggestions, and thank you.

Thank you for bringing this to our attention. We would like to provide some clarifications regarding this matter and the steps taken to address the reported vulnerability.

To understand the events in chronological order:

• The vulnerability was initially identified during internal testing with Carbonio 24.12.0, once identified we verified the vulnerability also affects 24.9
• Development work commenced to implement a permanent fix, ensuring that passwords and sensitive data would not be exposed.
• The security fix was officially released with Carbonio 24.12.1, along with patched packages for Carbonio 24.9.
• The documentation was updated with instructions on the workaround with resetting LDAP credentials and the PreAuthKey when upgrading from Carbonio 24.9 or 24.12.
• A public announcement was made regarding the availability of Carbonio 24.12.1, including details on the security fix. 

Once we received complete confirmation from our development and security teams, we informed users through multiple channels about the importance of upgrading to version 24.12.1. We were also assisting users using this post about how to investigate and execute the workarounds on LDAP credentials and Pre-Auth Keys.

Unfortunately, due to the ongoing mitigation efforts, we were unable to address this forum post earlier. However, we sincerely appreciate your diligence in reporting the issue. Given the potential risks associated with this vulnerability, we exercised caution in disclosing details to prevent exploitation by malicious actors. Our priority was to ensure the fix was fully implemented and available before publicly addressing the matter.

For future security-related concerns, we strongly encourage users to reach out to us directly via security@zextras.com with relevant technical details. This will allow us to assess and resolve vulnerabilities efficiently while safeguarding sensitive information.

Relevant suggestion details beside workaround:

Besides the workaround (With resetting LDAP credentials and the removal of PreAuthKay), we would suggest to update credentials for:

• domains using external LDAP authentication (both sides).
• domains using auto-provisioning from external LDAP (both sides)
• videoserver (both sides)
• global server SSL certificate and revoke the old ones.
• domain certificates and revoke the old ones.
• domain DKIM keys (During the DNS update, you can temporarily disable the DKIM signature)

We recommend all users to upgrade to version 24.12.1 and follow the outlined security steps to ensure the system is fully protected.

I tried all the ports (and 6071) and I'm getting a 403 each time.

What happens if you try /service/nginx.key or /service/localconfig.xml?

I tried all the ports (and 6071) and I'm getting a 403 each time.

HTTP ERROR 403 Forbidden

i am new to forum. I have just installed zextras community and noticed that server exposes port 7071, 7072, 7073 show directory listing at following path https://mail.myreducteddomain.com:7071/service/

Directory: /service/
Name ⇧ Last Modified Size
amavisd.conf Oct 28, 2024, 4:51:27 PM 40,038 bytes
amavisd.conf.in Sep 23, 2024, 7:00:20 PM 41,425 bytes
amavisd-custom.conf Sep 23, 2024, 7:00:20 PM 1,003 bytes
antisamy.xml Aug 27, 2024, 11:44:14 AM 79,214 bytes
attrs/ Oct 28, 2024, 4:36:23 PM 4,096 bytes
attrs-schema Oct 18, 2024, 7:43:32 PM 11 bytes
ca/ Oct 28, 2024, 4:37:22 PM 4,096 bytes
carbonio.ldif Aug 27, 2024, 11:19:46 AM 3,631 bytes
cbpolicyd.conf.in Sep 23, 2024, 7:00:20 PM 4,711 bytes
clamd.conf Oct 28, 2024, 4:51:27 PM 27,521 bytes
clamd.conf.in Sep 23, 2024, 7:00:20 PM 27,718 bytes
clamd.conf.sample Jul 25, 2024, 7:09:59 PM 27,505 bytes
common-passwords.txt Oct 18, 2024, 7:43:29 PM 8,529,110 bytes
contact-fields.xml Oct 18, 2024, 7:43:29 PM 157,101 bytes
crontabs/ Sep 28, 2024, 11:21:53 AM 4,096 bytes
datasource.xml Oct 18, 2024, 7:43:32 PM 3,926 bytes
dhparam.pem Aug 27, 2024, 11:23:48 AM 424 bytes
dhparam.pem.crb Aug 27, 2024, 11:20:48 AM 424 bytes
domaincerts/ Aug 27, 2024, 11:23:49 AM 4,096 bytes
dspam.conf Oct 28, 2024, 4:51:27 PM 28,028 bytes
dspam.conf.in Sep 23, 2024, 7:00:20 PM 28,045 bytes
externaldirsync/ Oct 28, 2024, 4:36:25 PM 4,096 bytes
freshclam.conf Oct 28, 2024, 4:51:27 PM 7,205 bytes
freshclam.conf.in Sep 23, 2024, 7:00:20 PM 7,209 bytes
freshclam.conf.sample Jul 25, 2024, 7:09:59 PM 7,205 bytes
globs2 Oct 18, 2024, 7:43:29 PM 22,418 bytes
globs2.zimbra Oct 18, 2024, 7:43:29 PM 335 bytes
ldap-canonical.cf Oct 28, 2024, 4:52:10 PM 444 bytes
ldap-slm.cf Oct 28, 2024, 4:52:10 PM 604 bytes
ldap-splitdomain.cf Oct 28, 2024, 4:52:10 PM 486 bytes
ldap-transport.cf Oct 28, 2024, 4:52:10 PM 372 bytes
ldap-vad.cf Oct 28, 2024, 4:52:10 PM 360 bytes
ldap-vam.cf Oct 28, 2024, 4:52:10 PM 562 bytes
ldap-vmd.cf Oct 28, 2024, 4:52:10 PM 360 bytes
ldap-vmm.cf Oct 28, 2024, 4:52:10 PM 354 bytes
localconfig.xml Sep 29, 2024, 1:59:45 PM 6,267 bytes
log4j.properties Oct 28, 2024, 4:51:27 PM 8,845 bytes
log4j.properties.in Oct 18, 2024, 7:43:32 PM 9,601 bytes
magic Oct 18, 2024, 7:43:29 PM 20,329 bytes
magic.zimbra Oct 18, 2024, 7:43:29 PM 63 bytes
milter.log4j.properties Oct 18, 2024, 7:43:32 PM 1,320 bytes
msgs/ Oct 28, 2024, 4:36:23 PM 16,384 bytes
mta_milter_options Oct 28, 2024, 4:51:28 PM 91 bytes
mta_milter_options.in Oct 18, 2024, 7:43:32 PM 154 bytes
my.cnf Aug 27, 2024, 11:23:16 AM 1,315 bytes
nginx/ Aug 27, 2024, 11:24:07 AM 4,096 bytes
nginx.conf Oct 28, 2024, 4:51:28 PM 501 bytes
nginx.crt Oct 5, 2024, 9:26:36 AM 5,521 bytes
nginx.key Oct 5, 2024, 9:26:36 AM 1,704 bytes
opendkim.conf Oct 28, 2024, 4:51:27 PM 1,824 bytes
opendkim.conf.in Sep 23, 2024, 7:00:20 PM 1,794 bytes
opendkim-localnets.conf Oct 28, 2024, 4:51:27 PM 28 bytes
opendkim-localnets.conf.in Sep 23, 2024, 7:00:20 PM 31 bytes
owasp_policy.xml Aug 27, 2024, 11:44:14 AM 7,815 bytes
postfix_header_checks Oct 28, 2024, 4:51:28 PM 452 bytes
postfix_header_checks.in Sep 23, 2024, 7:00:20 PM 488 bytes
rights/ Oct 28, 2024, 4:36:23 PM 4,096 bytes
salocal.cf.in Sep 23, 2024, 7:00:20 PM 4,438 bytes
sasl2/ Oct 28, 2024, 4:51:28 PM 4,096 bytes
saslauthd.conf Oct 28, 2024, 4:51:27 PM 134 bytes
saslauthd.conf.in Sep 23, 2024, 7:00:20 PM 103 bytes
slapd.crt Oct 5, 2024, 9:26:35 AM 5,521 bytes
slapd.key Oct 5, 2024, 9:26:35 AM 1,704 bytes
smtpd.crt Oct 5, 2024, 9:26:36 AM 5,521 bytes
smtpd.key Oct 5, 2024, 9:26:36 AM 1,704 bytes
spnego_java_options Oct 28, 2024, 4:51:28 PM 3 bytes
spnego_java_options.in Oct 18, 2024, 7:43:29 PM 74 bytes
stats.conf Oct 28, 2024, 4:51:27 PM 207 bytes
stats.conf.in Oct 18, 2024, 7:43:32 PM 45 bytes
templates/ May 2, 2024, 5:10:31 PM 4,096 bytes
timezones.ics Aug 27, 2024, 6:03:48 PM 161,587 bytes
web.xml Oct 28, 2024, 4:51:27 PM 21,999 bytes
web.xml.in Oct 18, 2024, 7:43:29 PM 23,094 bytes
zmconfigd/ Sep 28, 2024, 11:21:53 AM 4,096 bytes
zmconfigd.cf Sep 23, 2024, 7:00:20 PM 21,443 bytes
zmconfigd.log4j.properties Sep 23, 2024, 7:00:20 PM 1,791 bytes
zmlogrotate Sep 23, 2024, 7:00:20 PM 2,509 bytes
zmssl.cnf Aug 27, 2024, 11:18:50 AM 7,899 bytes
zmssl.cnf.in Sep 23, 2024, 7:00:20 PM 7,851 bytes

Coul you guru tell how can i disable this dangerous stuff?

thank you all