Do you have zimbra-ldap-patch installed on your LDAP server(s)?
Traditionally slapd was started as root (via sudo) to bind on port 389, and then dropped privileges to the zimbra user.
This was changed some time ago: slapd is now started as zimbra, but with the "cap_net_bind" capability to allow it to bind to root as the zimbra user, and with execution permissions restricted to 750 for the zimbra group.
This was done because the sudo method allowed privilege escalation via slapd command-line parameter injection (CVE-2022-37393).
zmfixperms should take care of that for you; see "grep -1 slapd /opt/zimbra/libexec/zmfixperms". If you don't see it there, you probably don't have zimbra-ldap-patch installed on your server.
Also, do verify that /etc/sudoers.d/02_zimbra-ldap was properly removed; otherwise it's still exploitable.
Statistics: Posted by ghen — Wed Feb 28, 2024 2:42 pm
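The checks ghen lists above, as an added example script that is not part of the post and not Zimbra's own tooling. It assumes Zimbra's standard layout under /opt/zimbra, that the slapd binary lives at /opt/zimbra/common/libexec/slapd (the post does not give that path), that GNU coreutils stat and libcap's getcap are available, and that the capability the post abbreviates as "cap_net_bind" is the Linux capability cap_net_bind_service. Every path is a parameter so the functions can also be pointed at a mock tree.

```bash
#!/bin/bash
# Added example (not from the forum post): audit the slapd launch hardening.
# Assumed defaults; override via environment or function arguments.
ZIMBRA_HOME="${ZIMBRA_HOME:-/opt/zimbra}"
SLAPD_BIN="${SLAPD_BIN:-$ZIMBRA_HOME/common/libexec/slapd}"   # assumed location
SUDOERS_FILE="${SUDOERS_FILE:-/etc/sudoers.d/02_zimbra-ldap}"
ZIMBRA_GROUP="${ZIMBRA_GROUP:-zimbra}"

# 1. zmfixperms mentions slapd: the sign that zimbra-ldap-patch is installed.
check_zmfixperms() {
  local f="${1:-$ZIMBRA_HOME/libexec/zmfixperms}"
  [ -r "$f" ] && grep -q 'slapd' "$f"
}

# 2. The old sudoers fragment must be gone; while it exists the sudo
#    launch path (and with it CVE-2022-37393) is still reachable.
check_sudoers_removed() {
  local f="${1:-$SUDOERS_FILE}"
  [ ! -e "$f" ]
}

# 3. The slapd binary is mode 750 and group-owned by the zimbra group,
#    so only that group can execute it. Uses GNU stat (assumed).
check_slapd_perms() {
  local bin="${1:-$SLAPD_BIN}" group="${2:-$ZIMBRA_GROUP}"
  [ -f "$bin" ] || return 1
  [ "$(stat -c '%a' "$bin")" = "750" ] && [ "$(stat -c '%G' "$bin")" = "$group" ]
}

# 4. The binary carries cap_net_bind_service, which is what lets an
#    unprivileged zimbra user bind port 389. Needs getcap from libcap.
check_slapd_caps() {
  local bin="${1:-$SLAPD_BIN}"
  command -v getcap >/dev/null 2>&1 || return 1
  getcap "$bin" 2>/dev/null | grep -q 'cap_net_bind_service'
}

# Run all four checks against the defaults and print a PASS/FAIL line each.
# Returns non-zero if any check fails.
audit_slapd() {
  local rc=0 c
  for c in check_zmfixperms check_sudoers_removed check_slapd_perms check_slapd_caps; do
    if "$c"; then echo "PASS $c"; else echo "FAIL $c"; rc=1; fi
  done
  return $rc
}

if [ -d "$ZIMBRA_HOME" ]; then
  audit_slapd
else
  echo "no $ZIMBRA_HOME on this host; functions defined only" >&2
fi
```

Run it as root on each LDAP node; a FAIL on check_sudoers_removed is the one to act on first, since that is the condition the post says leaves the host exploitable.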