A severe remote code execution vulnerability in Zimbra’s enterprise collaboration software and email platform is being actively exploited and no patch is currently available to fix the issue.
The flaw, tracked as CVE-2022-41352, carries a CVSS score of 9.8 and gives attackers a vector to upload arbitrary files and perform malicious actions on affected installations.
“The vulnerability is due to the method (cpio) in which Zimbra’s antivirus engine (Amavis) scans incoming emails,” cybersecurity firm Rapid7 said in an analysis released this week.
The issue is said to have been exploited since early September 2022, according to details shared on the Zimbra forums. A fix has not yet been released, but Zimbra is urging users to install the “pax” utility and restart Zimbra services.
“If the pax package is not installed, Amavis will fall back to using cpio, but unfortunately the fallback implementation (by Amavis) is poor enough to allow an unauthenticated attacker to compromise the Zimbra server, including the Zimbra webroot, by creating and overwriting files,” the company said last month.
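The mitigation described above boils down to one condition on the mail server: pax must be present so that Amavis never takes the cpio fallback. The following POSIX shell script is an added example (not code from the article, Zimbra or Rapid7) that a defender can run to verify that condition. It assumes, as a hypothetical not confirmed by the article, that the Amavis configuration selects the archiver with a line of the form `$pax = 'pax';` in amavisd.conf; the configuration excerpt embedded at the bottom is a constructed sample, not a real Zimbra file.

```shell
#!/bin/sh
# Added example: check that the pax archiver is installed and that Amavis is not
# configured to use cpio, so the vulnerable fallback path is never reached.
# Assumption (hypothetical): Amavis picks its archiver via a "$pax = '...';" line.

# has_cmd NAME: succeed (0) if NAME resolves on PATH, fail (1) otherwise.
has_cmd() {
    command -v "$1" >/dev/null 2>&1
}

# amavis_archiver CONF_TEXT: print the archiver named by the first "$pax = ..."
# line in CONF_TEXT: "pax", "cpio", or "unset" if no such line exists.
amavis_archiver() {
    value=$(printf '%s\n' "$1" \
        | grep '^[[:space:]]*[$]pax[[:space:]]*=' \
        | head -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/;.*//; s/#.*//' \
        | tr -d " '\"")
    case "$value" in
        pax)  echo pax ;;
        cpio) echo cpio ;;
        *)    echo unset ;;
    esac
}

# check_zimbra_pax CONF_TEXT [ARCHIVER_CMD]: overall verdict. Returns 0 when the
# archiver binary (default "pax") is installed and the config does not force
# cpio; returns 1 and prints the reason otherwise. The second argument exists so
# the check can be exercised against any binary name.
check_zimbra_pax() {
    archiver=${2:-pax}
    if ! has_cmd "$archiver"; then
        echo "MITIGATION MISSING: $archiver not on PATH; Amavis will fall back to cpio"
        return 1
    fi
    if [ "$(amavis_archiver "$1")" = cpio ]; then
        echo "CONFIG RISK: $archiver installed but Amavis is configured to use cpio"
        return 1
    fi
    echo "OK: $archiver present and Amavis not forced to cpio"
    return 0
}

# Constructed sample configuration (not a real Zimbra/Amavis file).
SAMPLE_CONF=$(cat <<'EOF'
# amavisd.conf excerpt (constructed sample)
$pax = 'pax';   # archiver used for cpio/tar attachments: pax or cpio
EOF
)

# Stand-alone run against the sample config and the real PATH; on a Zimbra host
# replace SAMPLE_CONF with the contents of the live amavisd.conf.
check_zimbra_pax "$SAMPLE_CONF" || true
```

On an affected host the expected follow-up after a "MITIGATION MISSING" result is the vendor's own advice from the article: install pax with the distribution's package manager and restart the Zimbra services.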
The vulnerability affects software versions 8.8.15 and 9.0 on several Linux distributions, including Oracle Linux 8, Red Hat Enterprise Linux 8, Rocky Linux 8, and CentOS 8, where pax is not installed by default.
Successful exploitation of this vulnerability requires an attacker to email an archive file (CPIO or TAR) to the affected server, which Amavis inspects by using the cpio file archiver utility to extract its contents.
“cpio has no safe mode for untrusted files, allowing an attacker to write to any path on the filesystem that the Zimbra user can access,” said Rapid7 researcher Ron Bowes. “The most likely outcome would be for an attacker to shell into the web root and execute code remotely, but other means may exist.”
Zimbra has stated that it expects the vulnerability to be resolved in the next Zimbra patch, which removes the dependency on cpio and instead requires pax. However, no specific timeframe has been given for when the fix will become available.
Rapid7 also said that CVE-2022-41352 is “virtually identical” to CVE-2022-30333, a path traversal flaw in the Unix version of RARlab’s unRAR utility that was disclosed in early June of this year. The only difference is that the new flaw leverages the CPIO and TAR archive formats instead of RAR.
To make matters worse, Zimbra is also said to be vulnerable to a separate zero-day privilege escalation flaw, which can be chained with the cpio zero-day to achieve a remote root compromise of the server.
The fact that Zimbra has become a popular target for attackers is nothing new. In August, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of attackers exploiting multiple flaws in the software to infiltrate networks.