CVE-2023-50455
📋 TL;DR
This vulnerability in Zammad allows attackers to send excessive email verification requests to known addresses, causing denial of service through email spam and resource exhaustion. Organizations running Zammad versions before 6.2.0 are affected. The attack requires knowledge of target email addresses but no authentication.
💻 Affected Systems
- Zammad
📦 What is this software?
Zammad by Zammad
⚠️ Risk & Real-World Impact
Worst Case
Complete email system disruption, overwhelming mail servers with spam traffic, potential blacklisting of mail servers, and degraded Zammad performance affecting all users.
Likely Case
Targeted email spam to specific users, temporary email service disruption, and increased mail server load requiring administrative intervention.
If Mitigated
Minimal impact with proper rate limiting and monitoring in place, potentially some spam emails but no service disruption.
🎯 Exploit Status
Exploitation requires only knowledge of target email addresses and ability to send HTTP requests to the Zammad instance.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.2.0
Vendor Advisory: https://zammad.com/en/advisories/zaa-2023-06
Restart Required: Yes
Instructions:
1. Back up your Zammad instance.
2. Update to Zammad 6.2.0 or later using your package manager or deployment method.
3. Restart Zammad services.
4. Verify that the update was successful.
🔧 Temporary Workarounds
Implement Web Application Firewall Rate Limiting
Linux: Configure rate limiting for email verification endpoints using a WAF or reverse proxy.
# Example nginx rate limiting
limit_req_zone $binary_remote_addr zone=emailverify:10m rate=10r/m;
# Add to location block for email verification endpoint
limit_req zone=emailverify burst=20 nodelay;
Disable Email Verification Feature
All platforms: Temporarily disable email address verification if it is not required.
# Edit Zammad configuration
# Set 'user_email_verification' to false in configuration file
🧯 If You Can't Patch
- Implement network-level rate limiting for email verification endpoints using firewall or load balancer rules.
- Monitor email verification logs for abnormal request patterns and implement alerting.
🔍 How to Verify
Check if Vulnerable:
Check the Zammad version: if it is below 6.2.0, the system is vulnerable. Test by sending multiple email verification requests to the same address and checking whether rate limiting occurs.
Check Version:
zammad version
Verify Fix Applied:
After updating to 6.2.0 or later, attempt to send multiple email verification requests to the same address within a short timeframe. Requests should be rate limited after a few attempts.
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /api/v1/users/email_verify from same IP
- Unusual spike in email verification attempts
- Multiple emails sent to same address in short timeframe
Network Indicators:
- High volume of HTTP POST requests to email verification endpoint
- Unusual patterns of requests from single IP addresses
SIEM Query:
source="zammad.log" AND "POST /api/v1/users/email_verify" | stats count by src_ip, user_email | where count > 10