Zimbra Collaboration Suite Unpatched RCE Actively Exploited - Security Affairs

Threat actors are exploiting a severe, unpatched remote code execution vulnerability in the Zimbra collaboration platform.

Rapid7 researchers warn of the exploitation of an unpatched zero-day remote code execution vulnerability, tracked as CVE-2022-41352, in the Zimbra collaboration suite.

Rapid7 has published technical details, including proof-of-concept (PoC) code and indicators of compromise (IoCs), for CVE-2022-41352 on AttackerKB.

The bad news is that the vulnerability has not yet been patched by the company; the issue has a CVSS score of 9.8.

“CVE-2022-41352 is an unpatched remote code execution vulnerability in Zimbra Collaboration Suite discovered in the wild due to active exploitation,” reported Rapid7. “The vulnerability is due to the method (cpio) in which Zimbra’s antivirus engine (Amavis) scans incoming emails. Zimbra provided a workaround, which is to install the pax utility and restart the Zimbra services. Note that pax is installed by default on Ubuntu, so Ubuntu-based Zimbra installations are not vulnerable by default.”

Experts pointed out that the vulnerability is due to the method (cpio) used by Zimbra’s antivirus engine (Amavis) to scan incoming emails.

According to Zimbra users, the vulnerability has been actively exploited since early September 2020. Threat actors exploit the issue to upload JSP files to the web client’s public directory simply by sending an email with a malicious attachment.

“We have an incident where the attacker managed to upload jsp files to the Client/public web directory by simply sending an email with a malicious attachment,” a user wrote on the Zimbra forum.

“Our system has already been patched to P26 on Zimbra 9. The incident timeline and stages:

  1. Sends a malicious file to one of the users. The amavisd will process this file and I believe via the cpio flaw the file was extracted to the target folder /opt/zimbra/jetty/webapps/zimbra/public.
  2. The attacker accesses this file (webshell) through the public and executes “zmprov gdpak” to generate a pre-authorization and login to any user they target.
  3. They log in to the xxx@yyy.zzz account to delete the file they sent via step 1 to try to erase the track.”

Zimbra urges users to install the “pax” utility and restart Zimbra services so that the Amavis component does not fall back to cpio.

“All Zimbra administrators must ensure that the pax package is installed on their Zimbra server. Pax is required by Amavis to extract the contents of compressed attachments for virus scanning,” reads an update released by the company. “If pax is not installed, Amavis will revert to using cpio; unfortunately the fallback is poorly implemented (by Amavis) and will allow an unauthenticated attacker to create and overwrite files on the Zimbra server, including the Zimbra web root.

For most Ubuntu servers, the pax package should already be installed as it is a Zimbra dependency. Due to a packaging change in CentOS, there is a good chance pax is not installed.”

In summary, the flaw can be exploited if these two conditions are met:

  1. A vulnerable version of cpio must be installed, which is the case on almost all systems (see CVE-2015-1197).
  2. The pax utility must not be installed, since Amavis prefers pax and pax is not vulnerable.

Rapid7 researchers pointed out that pax is not installed by default on Red Hat-based distributions, which means they are vulnerable by default. Below is the list of Linux distributions tested by Rapid7:

| Linux distro | Vulnerable? |
|---|---|
| Oracle Linux 8 | Vulnerable |
| Red Hat Enterprise Linux 8 | Vulnerable |
| Rocky Linux 8 | Vulnerable |
| CentOS 8 | Vulnerable |
| Ubuntu 20.04 | Not vulnerable (pax is installed by default) |
| Ubuntu 18.04 | Not vulnerable (pax is installed, cpio has Ubuntu’s custom patch) |

Zimbra will fix this by removing the dependency on cpio by making pax a prerequisite for Zimbra Collaboration Suite.
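The two conditions listed above, the pax workaround and the web-root location named in the forum report translate directly into a defender-side check. The script below is an added example, not code from Rapid7, Zimbra or the forum poster: it classifies a host's exposure from the pax/cpio conditions, prints the package-manager command for installing pax, and lists any .jsp files sitting in the Zimbra public directory, which normally holds only static assets. The directory path comes from the article; the "cpio patched" input is an assumption you supply from your distribution's advisory (only Ubuntu 18.04 is noted as patched above), and the distro-family mapping in remediation_hint is a constructed helper.

```shell
#!/bin/sh
# Defender-side exposure check for the Amavis cpio fallback (CVE-2022-41352).
# Added example; not the project's own tooling.

# Condition 2 from the article: is pax reachable on PATH?
pax_installed() {
  command -v pax >/dev/null 2>&1
}

# Classify exposure from the article's two conditions.
#   $1 = yes|no  pax present
#   $2 = yes|no  cpio carries a vendor fix for CVE-2015-1197 (assumption: taken
#                from your distro advisory; the article only names Ubuntu 18.04)
classify_exposure() {
  if [ "$1" = "yes" ]; then
    echo "not vulnerable (Amavis will use pax)"
  elif [ "$2" = "yes" ]; then
    echo "not vulnerable (cpio patched)"
  else
    echo "VULNERABLE (pax absent, Amavis falls back to unpatched cpio)"
  fi
}

# Workaround from the article: install pax, then restart Zimbra services.
# Distro-family mapping is a constructed helper keyed on /etc/os-release ID.
remediation_hint() {
  case "$1" in
    debian|ubuntu) echo "apt-get install pax" ;;
    rhel|centos|rocky|ol) echo "yum install pax" ;;
    *) echo "install the pax package with your distribution's package manager" ;;
  esac
}

# Detection: the forum report shows webshells landing as .jsp files in the
# public web directory, so any .jsp there is suspect. Default path is the
# one named in the article; pass another directory to override it.
find_suspect_jsp() {
  dir="${1:-/opt/zimbra/jetty/webapps/zimbra/public}"
  [ -d "$dir" ] || return 0
  find "$dir" -type f -name '*.jsp' 2>/dev/null
}

# Run the checks on this host; pass --run to avoid side effects when sourced.
run_checks() {
  if pax_installed; then pax=yes; else pax=no; fi
  # CPIO_PATCHED is an operator-supplied assumption (default: not patched).
  cpio="${CPIO_PATCHED:-no}"
  echo "exposure: $(classify_exposure "$pax" "$cpio")"
  if [ "$pax" = "no" ]; then
    id=unknown
    [ -r /etc/os-release ] && id=$(. /etc/os-release && echo "$ID")
    echo "workaround: $(remediation_hint "$id"), then restart Zimbra services"
  fi
  suspects=$(find_suspect_jsp)
  if [ -n "$suspects" ]; then
    echo "suspect .jsp files in public web directory:"
    echo "$suspects"
  else
    echo "no .jsp files found in public web directory"
  fi
}

if [ "${1:-}" = "--run" ]; then
  run_checks
fi
```

Run it as `sh zimbra_cpio_check.sh --run` on the Zimbra host as a user that can read the web root; a "VULNERABLE" line means pax must be installed and services restarted, and any listed .jsp file warrants incident response rather than simple deletion, since the forum timeline shows the attacker cleaning up after themselves.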

“Because cpio has no mode where it can be used safely on untrusted files, the attacker can write to any path in the filesystem that the Zimbra user can access. The most likely outcome is for the attacker to plant a shell in the web root to achieve remote code execution, although other avenues likely exist,” concludes Rapid7.


Pierluigi Paganini

(SecurityAffairs hacking, Zimbra)
