- Rapid7 pinpoints an unpatched remote code execution vulnerability being exploited in Zimbra Collaboration Suite.
- As a temporary workaround, users can install the pax package, which is installed by default on some distros like Ubuntu.
- The vulnerability allows attackers to plant a shell in the web root to gain remote code execution.
Researchers at Rapid7 have flagged an unpatched remote code execution vulnerability in Zimbra Collaboration Suite that is under active exploitation. The vulnerability, tracked as CVE-2022-41352, stems from the way Zimbra’s antivirus engine uses cpio when it extracts and scans inbound emails. Rapid7 researchers published proof-of-concept and indicator-of-compromise information for the vulnerability.
Remote code execution
The attack starts by sending an email with a .cpio, .tar, or .rpm attachment to an affected server. While Amavis inspects the message, it uses cpio to extract the archive. Because cpio has no mode in which it can be safely run on untrusted input, the attacker can write to any path on the filesystem that the Zimbra user can access. With this technique, attackers can plant a shell in the web root to gain remote code execution.
Zimbra has acknowledged the issue and published an advisory. Although a patch is not yet available, Zimbra has offered a simple workaround for the vulnerability. The company said:
« All Zimbra administrators should make sure the pax package is installed on their Zimbra server. Pax is needed by Amavis to extract the contents of compressed attachments for virus scanning.
If the pax package is not installed, Amavis will fall-back to using cpio, unfortunately, the fall-back is implemented poorly (by Amavis) and will allow an unauthenticated attacker to create and overwrite files on the Zimbra server, including the Zimbra webroot. »
Rapid7 stated that both of the following conditions must hold for a system to be exploitable:
- A vulnerable version of cpio must be installed, which is the case on basically every system
- The pax utility must not be installed, as Amavis prefers pax and pax is not vulnerable
While pax is installed by default on Ubuntu, it is not installed by default on Red Hat-based distros. To resolve the issue, Zimbra plans to remove the dependency on cpio entirely by making pax a prerequisite for Zimbra Collaboration Suite.
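The two conditions above translate directly into a check an administrator can run on a Zimbra host. The script below is an added example written for this article; it is not Zimbra's or Rapid7's code. It searches the directories it is given for the `pax` and `cpio` executables and reports whether the host is still in the state where Amavis would fall back to cpio (pax absent, cpio present). The directory list passed at the bottom is an assumption about where the binaries normally live; adjust it to the host.

```shell
#!/bin/sh
# Added example for CVE-2022-41352 (not from the article, Zimbra or Rapid7):
# report whether a Zimbra host still relies on Amavis's cpio fallback.

# find_tool NAME DIR... : print the path of the first executable NAME found in
# the listed directories; return 1 if none is found. Directories are passed
# explicitly so the check can be pointed at a chroot or a test fixture.
find_tool() {
    name=$1
    shift
    for dir in "$@"; do
        if [ -x "$dir/$name" ] && [ ! -d "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# cpio_fallback_exposed DIR... : true (exit 0) only when cpio is present and
# pax is absent, which is the condition Rapid7 describes for exploitability.
cpio_fallback_exposed() {
    if find_tool pax "$@" >/dev/null; then
        return 1    # pax present: Amavis prefers it, cpio fallback never reached
    fi
    if find_tool cpio "$@" >/dev/null; then
        return 0    # cpio only: the vulnerable fallback would be used
    fi
    return 1        # neither tool: Amavis cannot extract, but not the cpio path
}

# report_status DIR... : one-line verdict for the administrator, followed by
# the recommended action from Zimbra's advisory where relevant.
report_status() {
    if pax_path=$(find_tool pax "$@"); then
        echo "OK: pax found at $pax_path; Amavis will not fall back to cpio."
    elif cpio_path=$(find_tool cpio "$@"); then
        echo "EXPOSED: pax missing, Amavis would fall back to cpio at $cpio_path."
        echo "Install the pax package with the distribution's package manager."
    else
        echo "UNKNOWN: neither pax nor cpio found in the searched directories."
    fi
}

# Usage on a live host (assumed standard binary directories):
report_status /usr/bin /bin /usr/local/bin
```

Running it on a Red Hat-based host without pax prints the EXPOSED line, and the fix is exactly the workaround in Zimbra's advisory: install pax, then re-run the script to confirm it now reports OK. The function deliberately does not try to detect the cpio version, because Rapid7 notes that effectively every installed cpio is affected, so the presence of pax is the only condition worth checking.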