Security
Headlines
HeadlinesLatestCVEs

Headline

Zimbra remote code execution vulnerability actively exploited in the wild

Mitigation guidance provided while a patch is being developed

PortSwigger
#vulnerability#web#ubuntu#linux#red_hat#oracle#rce#samba#zero_day

Mitigation guidance provided while a patch is being developed

A zero-day remote code execution (RCE) vulnerability in Zimbra is being actively exploited in the wild.

The bug was assigned the tracker CVE-2022-41352 in late September. Issued a CVSS severity score of 9.8, the critical issue can be exploited to plant a shell in the software’s root directly, achieving RCE and enabling attackers to wreak havoc on a vulnerable system.

Zimbra, once known as the Zimbra Collaboration Suite (ZCS), is an open source email suite. The software is relied upon by millions of users and is designed for managing enterprise and SMB email and collaboration tools.

Read more of the latest news about web security vulnerabilities

According to Rapid7’s AttackerKB project, CVE-2022-41352 is an RCE that “arises from unsafe usage of the cpio utility, specifically from Zimbra’s antivirus engine’s (Amavis) use of the vulnerable cpio utility to scan inbound emails”.

To launch a successful attack, a threat actor would need to email a , , or file to a vulnerable server. Amavis would then scan the message for malware and use the cpio file utility to extract its content.

However a ‘loophole’ exists where attackers could leverage to write to a target folder, or as Rapid7 says, “write to any path on the filesystem that the Zimbra user can access”.

Once inside, for example, an attacker may be able to extract emails, tamper with user accounts, wipe information, or conduct Business Email Compromise (BEC) scams.

Oracle Linux 8, Red Hat Enterprise Linux 8, Rocky Linux 8, and CentOS 8 builds are vulnerable.

‘Effectively identical’

Rapid7 researchers noted that CVE-2022-41352 is “effectively identical” to CVE-2022-30333, a path traversal bug in RarLab’s unrar binary which also triggers an RCE in Zimbra. The only difference appears to be the file type (, instead of ).

According to Rapid7 researcher Ron Bowes, the vulnerability is an exploit path for CVE-2015-1194, a bug that was patched in 2019. However, it appears that some distributions unintentionally remove the fix.

A Zimbra forum post indicates that the vulnerability is being actively exploited in the wild. Proof of concept (PoC) exploit code has been released.

Zimbra has acknowledged the vulnerability and says that a fix is being developed. In the meantime, Zimbra is urging users to install the pax package immediately and restart Zimbra as a workaround.

Pax is used for reading or writing archived file content and is not vulnerable to this exploit – but, unfortunately, Pax is not included by default. If Pax has not been installed, Amavis will resort to using cpio, and Zimbra says the “poor implementation” of this process that created the vulnerability in the first place.

Zimbra intends to remove the cpio dependency and make Pax a requirement.

There’s better news for Ubuntu users – Pax is installed by default in Ubuntu 20.04, and in Ubuntu 18.04, a custom patch issued for cpio provides protection.

The Daily Swig has reached out to Zimbra with additional queries and will update this story if and when we hear back.

RECOMMENDED Policy-as-code approach counters ‘cloud native’ security risks

Related news

UnRAR Path Traversal

This Metasploit module creates a RAR file that exploits CVE-2022-30333, which is a path-traversal vulnerability in unRAR that can extract an arbitrary file to an arbitrary location on a Linux system. UnRAR fixed this vulnerability in version 6.12 (open source version 6.1.7). The core issue is that when a symbolic link is unRARed, Windows symbolic links are not properly validated on Linux systems and can therefore write a symbolic link that points anywhere on the filesystem. If a second file in the archive has the same name, it will be written to the symbolic link path.

November 2023 – January 2024: New Vulristics Features, 3 Months of Microsoft Patch Tuesdays and Linux Patch Wednesdays, Year 2023 in Review

Hello everyone! It has been 3 months since the last episode. I spent most of this time improving my Vulristics project. So in this episode, let’s take a look at what’s been done. Alternative video link (for Russia): https://vk.com/video-149273431_456239139 Also, let’s take a look at the Microsoft Patch Tuesdays vulnerabilities, Linux Patch Wednesdays vulnerabilities and […]

Ubuntu Security Notice USN-6569-1

Ubuntu Security Notice 6569-1 - it was discovered that libclamunrar incorrectly handled directories when extracting RAR archives. A remote attacker could possibly use this issue to overwrite arbitrary files and execute arbitrary code. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04. It was discovered that libclamunrar incorrectly validated certain structures when extracting RAR archives. A remote attacker could possibly use this issue to execute arbitrary code.

Gentoo Linux Security Advisory 202309-04

Gentoo Linux Security Advisory 202309-4 - An arbitrary file overwrite vulnerability has been discovered in RAR and UnRAR, potentially resulting in arbitrary code execution. Versions greater than or equal to 6.23 are affected.

Unpatched Zimbra Platforms Are Probably Compromised, CISA Says

Attackers are targeting Zimbra systems in the public and private sectors, looking to exploit multiple vulnerabilities, CISA says.

High-Severity Flaws in Juniper Junos OS Affect Enterprise Networking Devices

Multiple high-severity security flaws have been disclosed as affecting Juniper Networks devices, some of which could be exploited to achieve code execution. Chief among them is a remote pre-authenticated PHP archive file deserialization vulnerability (CVE-2022-22241, CVSS score: 8.1) in the J-Web component of Junos OS, according to Octagon Networks researcher Paulos Yibelo. "This vulnerability

Zimbra Collaboration Suite TAR Path Traversal

This Metasploit module creates a .tar file that can be emailed to a Zimbra server to exploit CVE-2022-41352. If successful, it plants a JSP-based backdoor in the public web directory, then executes that backdoor. The core vulnerability is a path-traversal issue in the cpio command-line utility that can extract an arbitrary file to an arbitrary location on a Linux system (CVE-2015-1197). Most Linux distros have chosen not to fix it. This issue is exploitable on Red Hat-based systems (and other hosts without pax installed) running versions Zimbra Collaboration Suite 9.0.0 Patch 26 and below and Zimbra Collaboration Suite 8.8.15 Patch 33 and below.

Zimbra Releases Patch for Actively Exploited Vulnerability in its Collaboration Suite

Zimbra has released patches to contain an actively exploited security flaw in its enterprise collaboration suite that could be leveraged to upload arbitrary files to vulnerable instances. Tracked as CVE-2022-41352 (CVSS score: 9.8), the issue affects a component of the Zimbra suite called Amavis, an open source content filter, and more specifically, the cpio utility it uses to scan and extract

Zimbra RCE Bug Under Active Attack

A flaw in unpatched Zimbra email servers could allow attackers to obtain remote code execution by pushing malicious files past filters.

Hackers Exploiting Unpatched RCE Flaw in Zimbra Collaboration Suite

A severe remote code execution vulnerability in Zimbra's enterprise collaboration software and email platform is being actively exploited, with no patch currently available to remediate the issue. The shortcoming, assigned CVE-2022-41352, carries a critical-severity rating of CVSS 9.8, providing a pathway for attackers to upload arbitrary files and carry out malicious actions on affected

Hackers Exploiting Unpatched RCE Flaw in Zimbra Collaboration Suite

A severe remote code execution vulnerability in Zimbra's enterprise collaboration software and email platform is being actively exploited, with no patch currently available to remediate the issue. The shortcoming, assigned CVE-2022-41352, carries a critical-severity rating of CVSS 9.8, providing a pathway for attackers to upload arbitrary files and carry out malicious actions on affected

15-Year-Old Unpatched Python Vulnerability Potentially Affects Over 350,000 Projects

As many as 350,000 open source projects are believed to be potentially vulnerable to exploitation as a result of a security flaw in a Python module that has remained unpatched for 15 years. The open source repositories span a number of industry verticals, such as software development, artificial intelligence/machine learning, web development, media, security, IT management. The shortcoming,

CISA Issues Warning on Active Exploitation of UnRAR Software for Linux Systems

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a recently disclosed security flaw in the UnRAR utility to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. Tracked as CVE-2022-30333 (CVSS score: 7.5), the issue concerns a path traversal vulnerability in the Unix versions of UnRAR that can be triggered upon extracting a

Zimbra UnRAR Path Traversal

This Metasploit module creates a RAR file that can be emailed to a Zimbra server to exploit CVE-2022-30333. If successful, it plants a JSP-based backdoor in the public web directory, then executes that backdoor. The core vulnerability is a path-traversal issue in unRAR that can extract an arbitrary file to an arbitrary location on a Linux system. This issue is exploitable on Zimbra Collaboration versions 9.0.0 Patch 24 and below and 8.8.15 Patch 31 and below provided that UnRAR versions 6.11 or below are installed.

UnRAR path traversal flaw can lead to RCE in Zimbra

Other applications using binary to extract untrusted archives are potentially vulnerable too

New UnRAR Vulnerability Could Let Attackers Hack Zimbra Webmail Servers

A new security vulnerability has been disclosed in RARlab's UnRAR utility that, if successfully exploited, could permit a remote attacker to execute arbitrary code on a system that relies on the binary. The flaw, assigned the identifier CVE-2022-30333, relates to a path traversal vulnerability in the Unix versions of UnRAR that can be triggered upon extracting a maliciously crafted RAR archive.

CVE-2022-30333

RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.

PortSwigger: Latest News

We’re going teetotal: It’s goodbye to The Daily Swig