Threat actors are exploiting multiple flaws in Zimbra

According to a Cybersecurity and Infrastructure Security Agency advisory released on Tuesday, multiple flaws in Zimbra Collaboration Suite are being exploited in the wild by threat actors.

Zimbra Collaboration Suite (ZCS) is a cloud-based enterprise messaging and collaboration platform originally launched in 2005 and currently sold by Synacor. The joint advisory by CISA and the Multi-State Information Sharing and Analysis Center (MS-ISAC) reported that five platform-related vulnerabilities are being actively exploited and “may target unpatched ZCS instances in government networks and the private sector”.

CVE-2022-27924 is a serious bug that allows a malicious actor to inject arbitrary memcache commands into a targeted ZCS instance. A threat actor can use this access to obtain cleartext credentials for ZCS email accounts without any user interaction.

CVE-2022-27925 is a high-severity directory traversal vulnerability that can lead to remote code execution and can be chained with CVE-2022-37042, an authentication bypass flaw. CVE-2022-24682 is a medium-severity cross-site scripting vulnerability. CVE-2022-30333 is a high-severity directory traversal vulnerability in the UnRAR compressed file extractor, which was used in Zimbra Collaboration Suite until it was replaced by 7-Zip.

CVE-2022-27925 in particular was covered by threat detection and response vendor Volexity in an August 10 blog post. Through a series of internet-wide scans, the vendor found over 1,000 stolen and compromised ZCS instances.

“These ZCS instances are owned by a variety of global organizations, including government departments and ministries, military branches, global corporations with billions of dollars in revenue, etc.,” the blog read. “At the other end of the scale, the affected organizations also included a significant number of small businesses that were unlikely to have dedicated IT staff to manage their mail servers, and perhaps less likely to be able to effectively detect and remedy an incident.”

Volexity noted that the bug was originally described as medium severity and as requiring authentication. When chained with CVE-2022-37042, however, that authentication requirement can be bypassed.

“Some organizations may prioritize patches based on the severity of security issues,” the post reads. “In this case, the vulnerability was listed as medium – neither high nor critical – which may have led some organizations to postpone patching.”

The authentication bypass flaw was patched by Zimbra in late July, but the initial patch for CVE-2022-27925 had been available for months. At Black Hat 2022 earlier this month, Trend Micro’s Zero Day Initiative announced it was changing its vulnerability disclosure deadlines for incomplete patches.

The defects themselves are not new; all five had been disclosed in some form earlier this year. However, all but one of the flaws were added to the CISA Known Exploited Vulnerabilities catalog this month (CVE-2022-24682 was added in February).

All vulnerabilities referenced in the advisory have received official mitigations and patches, and CISA recommends that customers upgrade their ZCS instances to the latest releases.

Neither CISA nor Synacor responded to TechTarget Security’s request for comment at press time.

Alexander Culafi is a Boston-based writer, journalist, and podcaster.
