Thousands of Zimbra mail servers backdoored in large scale attack
Researchers found that a known RCE vulnerability in Zimbra Collaboration was chained with a new authentication vulnerability to drop backdoor web shells on thousands of servers
The post Thousands of Zimbra mail servers backdoored in large scale attack appeared first on Malwarebytes Labs.
Researchers at Volexity have discovered that a known vulnerability has been used in a large scale attack against Zimbra Collaboration Suite (ZCS) email servers. But the vulnerability was supposed to be hard to exploit since it required authentication. So they decided to dig deeper.
An incomplete fix
Zimbra is a brand owned by Synacor. Zimbra Collaboration, formerly known as the Zimbra Collaboration Suite (ZCS), is a collaborative software suite that includes an email server and a web client. It is widely used across different industries and government organizations. We reported about a cross-site scripting (XSS) zero-day vulnerability in the Zimbra email platform back in February 2022. At the time, Zimbra claimed there were 200,000 businesses, and over a thousand government and financial institutions, using its software.
The initial investigations showed evidence indicating the likely cause of these breaches was exploitation of CVE-2022-27925, a remote-code-execution (RCE) vulnerability in ZCS. This vulnerability was patched by Zimbra in March 2022.
The description of the CVE informs us that Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.
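The defect described in the CVE is the classic archive extraction problem: entry names inside a ZIP are attacker-controlled strings, and an extractor that joins them to a destination directory without checking the result can be made to write outside that directory. The following Python is an added illustration of how an importer should validate entry paths; it is not Zimbra's code and not taken from the original post. The archive contents, the destination directory layout and the `demo()` helper are constructed for the example.

```python
import io
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List


def safe_extract(zip_bytes: bytes, dest_dir: str) -> List[str]:
    """Extract a ZIP archive into dest_dir, refusing any entry whose final
    on-disk path would fall outside dest_dir (the "Zip Slip" traversal pattern).

    Returns the names of the rejected entries; accepted entries are written.
    """
    dest = Path(dest_dir).resolve()
    dest.mkdir(parents=True, exist_ok=True)
    rejected: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            name = info.filename
            # Resolve where the entry would actually land, then require that
            # location to be dest itself or a descendant of it. This catches
            # "../" sequences and absolute entry names alike, because
            # Path.resolve() normalises both before the containment test.
            target = (dest / name).resolve()
            if target != dest and dest not in target.parents:
                rejected.append(name)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with archive.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
    return rejected


def build_sample_archive() -> bytes:
    """Constructed sample: one legitimate mailbox entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("mailbox/inbox.eml", "Subject: hello\r\n\r\nbody\r\n")
        archive.writestr("../../outside.txt", "must never be written")
    return buf.getvalue()


def demo() -> Dict[str, object]:
    """Run the extractor against the sample archive inside a scratch directory.

    dest is two levels below scratch, so "../../outside.txt" would land in
    scratch itself if the containment check were missing.
    """
    scratch = Path(tempfile.mkdtemp())
    dest = scratch / "upload" / "import"
    rejected = safe_extract(build_sample_archive(), str(dest))
    return {
        "rejected": rejected,
        "inbox_written": (dest / "mailbox" / "inbox.eml").is_file(),
        "escaped_file_written": (scratch / "outside.txt").is_file(),
    }


if __name__ == "__main__":
    print(demo())
```

The check is done on the resolved path rather than by string-matching `..`, so encoded or doubled-up separators are handled by the same rule. Any rejected entry should also be logged with the uploading account, since a traversal name in an administrator's upload is a strong signal on its own.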
Zimbra patched the vulnerability, but, in the company’s own words, it would turn out to be an "incomplete fix for CVE-2022-27925".
Mass exploitation
It is uncommon for a vulnerability that requires administrator rights to be used in a large-scale attack. Firstly, because it is usually a lot of work for a cybercriminal to obtain valid administrator credentials. But also because once they have administrator credentials there are a lot more options open to them. Although in this case, uploading zip files that will be auto-magically extracted sounds like a good way to establish a foothold.
So how did it come about that a serious, yet hard-to-exploit vulnerability got involved in a large-scale attack rather than a targeted one? The researchers did a lot of digging and found that the threat actors were chaining the known vulnerability with a zero-day path traversal vulnerability. After the researchers shared their findings with Zimbra, the authentication bypass vulnerability was assigned CVE-2022-37042. A path traversal vulnerability allows an attacker to access files on your web server to which they should not have access.
The underlying problem was that the authentication check, after sending an error message to the unauthenticated attacker, continued executing the subsequent code. So, even though the attackers received an error message, the web shell was planted on the server anyway. A web shell is a malicious script that an attacker uses to escalate privileges and maintain persistent access. In other words, a backdoor.
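The bug pattern in that paragraph, an error response that is sent but not followed by a return, is easy to see in miniature. The Python below is an added example, not Zimbra's handler or code from the original post: it models a servlet-style `send_error()` that records a status without aborting the caller, shows the fail-open shape beside the fail-closed one, and includes the regression check a defender would keep in a test suite. The token store, request and response types are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Constructed session store for the example; a real server validates tokens
# against its own session database.
VALID_ADMIN_TOKENS = {"example-admin-session-token"}


@dataclass
class Request:
    auth_token: Optional[str]
    archive: bytes


@dataclass
class Response:
    status: int = 200
    messages: List[str] = field(default_factory=list)

    def send_error(self, status: int, message: str) -> None:
        """Record an error for the client. Like a servlet's sendError(),
        this does NOT stop the calling code from continuing to run."""
        self.status = status
        self.messages.append(message)


def is_admin(req: Request) -> bool:
    return req.auth_token in VALID_ADMIN_TOKENS


def privileged_import(req: Request, resp: Response, effects: List[str]) -> None:
    """Stand-in for the sensitive action (extracting an uploaded archive)."""
    effects.append("archive extracted (%d bytes)" % len(req.archive))
    resp.messages.append("import complete")


def handle_fail_open(req: Request) -> Tuple[Response, List[str]]:
    """Vulnerable shape: the 401 is sent, but execution falls through."""
    resp, effects = Response(), []
    if not is_admin(req):
        resp.send_error(401, "authentication required")
        # BUG: missing 'return' here; the import below still runs and the
        # client sees an error while the side effect has already happened.
    privileged_import(req, resp, effects)
    return resp, effects


def handle_fail_closed(req: Request) -> Tuple[Response, List[str]]:
    """Fixed shape: every rejection path leaves the handler immediately."""
    resp, effects = Response(), []
    if not is_admin(req):
        resp.send_error(401, "authentication required")
        return resp, effects
    privileged_import(req, resp, effects)
    return resp, effects


def gate_is_enforced(handler: Callable[[Request], Tuple[Response, List[str]]]) -> bool:
    """Regression check: an unauthenticated request must produce no side
    effects at all, regardless of which status code the client receives."""
    _, effects = handler(Request(auth_token=None, archive=b"PK..."))
    return effects == []


if __name__ == "__main__":
    print("fail-open gate enforced:", gate_is_enforced(handle_fail_open))
    print("fail-closed gate enforced:", gate_is_enforced(handle_fail_closed))
```

The point of `gate_is_enforced` is that it asserts on side effects, not on the status code. A test that only checks for a 401 would have passed against the fail-open handler, which is exactly why this class of bug survives ordinary testing.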
Knowing the paths to which the attacker had installed web shells, and the behavior of ZCS when contacting a URL that did not exist, the researchers performed a scan of ZCS instances in the wild to identify third-party compromises using the same web shell names. This scan yielded over 1,000 infected ZCS instances worldwide. The real number of infected instances is probably a lot higher since the scan only looked for shell paths known to the researchers.
Mitigation
Zimbra has patched the authentication issue in its 9.0.0P26 and 8.8.15P33 releases. If you were late to patch for the RCE vulnerability, you should assume that your server instance has been compromised.
In order to verify the presence of web shells on a ZCS instance, one technique that can be used is to compare the list of JSP files on a Zimbra instance with those present by default in Zimbra installations. Lists of valid JSP files included in Zimbra installations can be found on GitHub for the latest version of 8.8.15 and of 9.0.0.
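The comparison described above is a straightforward set difference between what is on disk and a known-good list. The Python below is an added example of that check, not a Volexity or Zimbra tool and not code from the original post. The baseline text and the directory tree it scans are constructed for the demonstration; in practice the baseline comes from the published JSP list for your exact Zimbra version and the webroot is the deployed webapp directory.

```python
import tempfile
from pathlib import Path
from typing import Set


def list_jsp_files(webroot: str) -> Set[str]:
    """Relative POSIX-style paths of every .jsp file under webroot."""
    root = Path(webroot)
    return {p.relative_to(root).as_posix() for p in root.rglob("*.jsp") if p.is_file()}


def parse_baseline(text: str) -> Set[str]:
    """One relative path per line; blank lines and '#' comments are ignored."""
    return {
        line.strip()
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }


def find_unexpected_jsp(webroot: str, baseline: Set[str]) -> Set[str]:
    """JSP files present on disk but absent from the known-good list."""
    return list_jsp_files(webroot) - baseline


# Constructed known-good list for the demo; the real one is version-specific.
SAMPLE_BASELINE = """
# known-good JSP files for this version (constructed sample)
public/login.jsp
h/search.jsp
"""


def demo() -> Set[str]:
    """Build a scratch webroot with two expected files and one extra file,
    then report what the baseline comparison flags."""
    root = Path(tempfile.mkdtemp())
    for rel in ("public/login.jsp", "h/search.jsp", "public/unexpected_upload.jsp"):
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("<%-- constructed sample file --%>\n")
    return find_unexpected_jsp(str(root), parse_baseline(SAMPLE_BASELINE))


if __name__ == "__main__":
    for flagged in sorted(demo()):
        print("unexpected JSP:", flagged)
```

A name-only comparison finds files that were added. It says nothing about a legitimate JSP whose contents were replaced, so a baseline that carries file hashes, compared the same way, is the stronger check when one is available for your version. Anything flagged should be preserved for forensics before it is removed.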
Stay safe, everyone!
Related news
An issue in Zimbra Collaboration ZCS v.8.8.15 and v.9.0 allows an attacker to execute arbitrary code via the sfdc_preauth.jsp component.
A new intelligence gathering campaign linked to the prolific North Korean state-sponsored Lazarus Group leveraged known security flaws in unpatched Zimbra devices to compromise victim systems. That's according to Finnish cybersecurity company WithSecure (formerly F-Secure), which codenamed the incident No Pineapple. Targets of the malicious operation included a healthcare research organization
Attackers are targeting Zimbra systems in the public and private sectors, looking to exploit multiple vulnerabilities, CISA says.
This Metasploit module POSTs a ZIP file containing path traversal characters to the administrator interface for Zimbra Collaboration Suite. If successful, it plants a JSP-based backdoor within the web directory, then executes it. The core vulnerability is a path traversal issue in Zimbra Collaboration Suite's ZIP implementation that can result in the extraction of an arbitrary file to an arbitrary location on the host. This issue is exploitable on Zimbra Collaboration Suite Network Edition versions 9.0.0 Patch 23 and below as well as Zimbra Collaboration Suite Network Edition versions 8.8.15 Patch 30 and below.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two flaws to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation. The two high-severity issues relate to weaknesses in Zimbra Collaboration, both of which could be chained to achieve unauthenticated remote code execution on affected email servers - CVE-2022-27925 (CVSS score: 7.2)
Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the "zmprove ca" command). It is visible in cleartext on port UDP 514 (aka the syslog port).