Zimbra Releases Patch for Actively Exploited Vulnerability in its Collaboration Suite

The Hacker News

Zimbra has released patches to contain an actively exploited security flaw in its enterprise collaboration suite that could be leveraged to upload arbitrary files to vulnerable instances.

Tracked as CVE-2022-41352 (CVSS score: 9.8), the issue affects a component of the Zimbra suite called Amavis, an open source content filter, and more specifically, the cpio utility it uses to scan and extract archives.

The flaw, in turn, is said to be rooted in another underlying vulnerability (CVE-2015-1197) that was first disclosed in early 2015, which according to Flashpoint was rectified, only to be subsequently reverted in later Linux distributions.

“An attacker can use cpio package to gain incorrect access to any other user accounts,” Zimbra said in an advisory published last week, adding it “recommends pax over cpio.”

Fixes are available in the following versions:

  • Zimbra 9.0.0 Patch 27
  • Zimbra 8.8.15 Patch 34

All an adversary needs to do to weaponize the shortcoming is send an email with a specially crafted TAR archive attachment. When the message arrives, Amavis scans it and extracts the archive with cpio, and the extraction itself triggers the exploit. Hosts with pax installed use it in place of cpio, which is why Zimbra's guidance centres on pax.

Cybersecurity company Kaspersky has disclosed that unknown APT groups have actively been taking advantage of the flaw in the wild, with one of the actors “systematically infecting all vulnerable servers in Central Asia.”

The attacks, which unfolded over two attack waves in early and late September, primarily targeted government entities in the region, abusing the initial foothold to drop web shells on the compromised servers for follow-on activities.

Based on information shared by incident response firm Volexity, roughly 1,600 Zimbra servers are estimated to have been infected in what it calls a “mix of targeted and opportunistic attacks.”

“Some web shell paths […] were used in targeted (likely APT) exploitation of key organizations in government, telecommunications, and IT, predominantly in Asia; others were used in massive worldwide exploitation,” the company said in a series of tweets.


Related news

CVE-2023-29382: Security Center - Zimbra :: Tech Center

An issue in Zimbra Collaboration ZCS v.8.8.15 and v.9.0 allows an attacker to execute arbitrary code via the sfdc_preauth.jsp component.

Zimbra Collaboration Suite TAR Path Traversal

This Metasploit module creates a .tar file that can be emailed to a Zimbra server to exploit CVE-2022-41352. If successful, it plants a JSP-based backdoor in the public web directory, then executes that backdoor. The core vulnerability is a path-traversal issue in the cpio command-line utility that can extract an arbitrary file to an arbitrary location on a Linux system (CVE-2015-1197); most Linux distros have chosen not to fix it. The issue is exploitable on Red Hat-based systems (and other hosts without pax installed) running Zimbra Collaboration Suite 9.0.0 Patch 26 and below or 8.8.15 Patch 33 and below.

Zimbra RCE Bug Under Active Attack

A flaw in unpatched Zimbra email servers could allow attackers to obtain remote code execution by pushing malicious files past filters.

Hackers Exploiting Unpatched RCE Flaw in Zimbra Collaboration Suite

A severe remote code execution vulnerability in Zimbra's enterprise collaboration software and email platform is being actively exploited, with no patch currently available to remediate the issue. The shortcoming, assigned CVE-2022-41352, carries a critical-severity rating of CVSS 9.8, providing a pathway for attackers to upload arbitrary files and carry out malicious actions on affected

CVE-2015-1197: Bugtraq

cpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive.
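The archive shape behind the attack described in the article, the Metasploit entry and the CVE-2015-1197 text above is a symlink entry followed by a regular file whose path runs through that link: an extractor that creates the link and then writes the second entry by name drops the file at the link's target. The following is an added example, not code from The Hacker News, Zimbra, Kaspersky, Volexity or the Metasploit module: it builds such an archive in memory with Python's standard tarfile module and runs a static scanner over it that flags the pattern (plus absolute and `../` paths and outside link targets) before anything is extracted. The WEB_ROOT path, the entry names and the payload bytes are assumptions for the constructed sample; the page does not give the real web directory or the module's file names.

```python
import io
import posixpath
import tarfile

# Hypothetical destination inside a Zimbra install, used only to build the
# constructed sample archive; this page does not name the real web directory.
WEB_ROOT = "/opt/zimbra/jetty/webapps/zimbra/public"


def build_tar(entries):
    """Build a tar archive in memory.

    entries: list of (name, payload, linkname). A regular file has payload bytes
    and linkname None; a symlink has payload None and a linkname.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, payload, linkname in entries:
            info = tarfile.TarInfo(name)
            if linkname is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                tf.addfile(info)                 # symlink entries carry no data
            else:
                info.size = len(payload)
                tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def build_traversal_tar():
    """Constructed sample: symlink 'docs' -> WEB_ROOT, then a file under docs/.
    An extractor vulnerable to CVE-2015-1197 writes docs/shell.jsp through the
    link, i.e. into WEB_ROOT, although neither entry name contains '..' or '/'."""
    return build_tar([
        ("docs", None, WEB_ROOT),
        ("docs/shell.jsp", b"<% /* constructed payload */ %>", None),
    ])


def scan_tar_for_traversal(data):
    """Return a list of (entry_name, reason) for entries that would escape the
    extraction directory: absolute or ../ paths, symlinks whose target lies
    outside the archive, and files written through a symlink defined earlier
    in the same archive. Entries are only read, never extracted."""
    findings = []
    symlinks = {}   # normalized archive path of each symlink -> its target
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
        for member in tf:
            name = posixpath.normpath(member.name)
            if posixpath.isabs(member.name) or name == ".." or name.startswith("../"):
                findings.append((member.name, "path escapes extraction directory"))
            if member.issym():
                target = member.linkname
                if posixpath.isabs(target) or ".." in target.split("/"):
                    findings.append((member.name, "symlink target outside archive: " + target))
                symlinks[name] = target
                continue
            # Any ancestor directory that is an earlier symlink means this entry
            # is written through the link, i.e. at the link's target.
            parts = name.split("/")
            for i in range(1, len(parts)):
                ancestor = "/".join(parts[:i])
                if ancestor in symlinks:
                    findings.append((member.name,
                                     "written through symlink %s -> %s" % (ancestor, symlinks[ancestor])))
                    break
    return findings


if __name__ == "__main__":
    for entry, reason in scan_tar_for_traversal(build_traversal_tar()):
        print(entry, "->", reason)
```

Pointing scan_tar_for_traversal at a quarantined attachment gives a quick verdict without touching the extractor at all, which is the point: the check is static and runs the same way whether the host extracts with cpio or pax. The symlink-ancestor test is the one that matters here, since the two entry names in the sample look harmless on their own.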