- Zimbra 9.0.0 “Kepler” Patch 27 and 8.8.15 “James Prescott Joule” Patch 34 are released to address the vulnerability.
- Kaspersky stated that the vulnerability is related to another vulnerability discovered in 2015 and patched shortly after.
- By exploiting the vulnerability, an attacker can abuse the cpio package to gain unauthorized access to other user accounts.
Last week, security researchers discovered a remote code execution vulnerability in Zimbra Collaboration Suite. The vulnerability, tracked as CVE-2022-41352, was being exploited in the wild, and proof-of-concept and indicator-of-compromise information were published online. After approximately one week, Zimbra announced the release of a patch that addresses the vulnerability.
Being exploited in the wild
The vulnerability, which has a CVSS score of 9.8, allows attackers to upload arbitrary files. The flaw lies in Amavis, the open-source content filter, which relies on the cpio utility to scan and extract archives. The vulnerability is fixed in the following versions:
- Zimbra 9.0.0 “Kepler” Patch 27
- Zimbra 8.8.15 “James Prescott Joule” Patch 34
Kaspersky also published a report about the vulnerability and stated that the underlying cause of the issue is another vulnerability in cpio, tracked as CVE-2015-1197. It is a directory traversal vulnerability: extracting a specially crafted archive containing symbolic links can cause files to be placed at an arbitrary location in the file system. In the context of CVE-2022-41352, the exploitation scenario unfolds as follows:
- An attacker sends an e-mail with a malicious Tar archive attached.
- On receiving the e-mail, Zimbra submits it to Amavis for spam and malware inspection.
- Amavis analyzes the e-mail attachments and inspects the contents of the attached archive. It invokes cpio and CVE-2015-1197 is triggered.
- During the extraction, a JSP webshell is deployed on one of the public directories used by the webmail component. The attacker can browse to the webshell to start executing arbitrary commands on the victim machine.
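The chain above hinges on an archive whose members point outside the directory they are extracted into. The following is an added example written for this page, not code from Zimbra, Amavis or Kaspersky: a small defensive audit that walks a tar archive with Python's standard `tarfile` module and reports members that an extractor such as cpio would have to treat carefully (absolute or `..` paths, symbolic and hard links, and link targets that resolve outside the extraction root). The two sample archives are constructed in memory for the demonstration; the file names, link target and `build_sample` helper are assumptions, not artefacts from any real attack.

```python
import io
import posixpath
import tarfile


def _escapes_root(path: str) -> bool:
    """True if a member path would land outside the extraction root."""
    if path.startswith("/"):
        return True
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")


def audit_tar(data: bytes) -> list:
    """Return (member_name, reason) findings for a tar archive given as bytes.

    Flags: member paths that escape the extraction root, symlink/hardlink
    members (the primitive behind CVE-2015-1197-style traversal), and link
    targets that resolve outside the extraction root. Nothing is extracted.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            if _escapes_root(m.name):
                findings.append((m.name, "member path escapes extraction root"))
            if m.issym() or m.islnk():
                kind = "symlink" if m.issym() else "hardlink"
                findings.append((m.name, f"{kind} member -> {m.linkname}"))
                # A symlink target is relative to the member's own directory;
                # a hardlink target is already an archive-relative name.
                if m.issym() and not m.linkname.startswith("/"):
                    target = posixpath.join(posixpath.dirname(m.name), m.linkname)
                else:
                    target = m.linkname
                if _escapes_root(target):
                    findings.append((m.name, f"link target escapes extraction root: {target}"))
    return findings


def build_sample(members) -> bytes:
    """Hypothetical helper: build an uncompressed tar in memory from
    (name, kind, payload) tuples, kind being 'file' or 'symlink'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, kind, payload in members:
            ti = tarfile.TarInfo(name)
            if kind == "file":
                ti.size = len(payload)
                tf.addfile(ti, io.BytesIO(payload))
            elif kind == "symlink":
                ti.type = tarfile.SYMTYPE
                ti.linkname = payload
                tf.addfile(ti)
    return buf.getvalue()


# Constructed samples: one clean archive, one with the traits the scanner flags.
BENIGN = build_sample([("report/notes.txt", "file", b"quarterly figures\n")])
SUSPICIOUS = build_sample([
    ("report/notes.txt", "file", b"quarterly figures\n"),
    ("report/link", "symlink", "/tmp/outside"),   # symlink with an absolute target
    ("../escape.txt", "file", b"x"),              # member path with '..' traversal
])

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label)
        for name, reason in audit_tar(blob):
            print(f"  {name}: {reason}")
```

Running the script prints no findings for the benign archive and three for the suspicious one (the traversal path, the symlink member, and its absolute target). In a mail pipeline such a check belongs before any extraction step; a match is a reason to quarantine the message, not merely to skip the member, since the page's point is that the extractor itself is the vulnerable component.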
« If you discover one of these files on your Zimbra installation, please contact an incident response specialist as soon as possible. Removing the file is not enough. Performing disinfection on Zimbra is extremely difficult, as the attacker will have had access to configuration files containing passwords used by various service accounts. These credentials can be used to regain access to the server if the administrative panel is accessible from the internet. In addition, considering the rudimentary nature of all webshells we have discovered so far, it is almost certain that attackers will deploy more robust and sophisticated backdoors as soon as they get the chance. »