Experts warn: an unpatched vulnerability in the Zimbra Collaboration Suite (ZCS), rated 9.8 on the CVSS scale, is already under attack, as users reported back in September.
Let me remind you that we also reported that Apple leaves critical bugs unpatched in macOS Big Sur and Catalina.
The bug allows attackers to upload arbitrary files and perform malicious actions on vulnerable ZCS installations.
The 0-day has been given the identifier CVE-2022-41352 and is rooted in the method the Zimbra antivirus engine (Amavis) uses to unpack archives when scanning incoming email messages. According to Rapid7 analysts, an attacker could exploit this vulnerability by mailing a specially crafted .cpio, .tar, or .rpm file to the affected server.
An attacker can also use CVE-2022-41352 to place a shell in the root directory and achieve remote code execution. At the same time, the researchers believe there are probably other exploitation paths as well.
The new vulnerability resembles another issue, CVE-2022-30333, which can be exploited using specially crafted RAR files. According to Rapid7, both issues are spin-offs of the old bug CVE-2015-1197, a Linux Cpio vulnerability that is only exploitable when an application uses Cpio to extract untrusted archives. Although exploitation requires a vulnerable version of Cpio, due to CVE-2015-1197 almost any Linux system is affected unless Pax is installed.
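The common thread in this bug family is an extractor that follows a member's path or link target outside its working directory. A mail gateway can therefore refuse such archives before any extractor touches them. The scanner below is an added example written for this article, not code from Zimbra, Amavis or Rapid7; it covers only tar archives (Python's standard library does not parse the .cpio and .rpm formats the article also names), and the archives it inspects are constructed inline as sample input.

```python
"""Flag tar members that could write outside the extraction directory."""
import io
import posixpath
import tarfile


def _escapes(path: str) -> bool:
    """True if a member path is absolute or climbs above the extraction root."""
    if path.startswith("/"):
        return True
    depth = 0
    for part in path.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def suspicious_members(archive: bytes) -> list:
    """Return (member name, reason) pairs for members an untrusted archive should not carry.

    Two patterns are flagged: names that escape the extraction root, and link members.
    A link member is what the CVE-2015-1197 class relies on: a later member written
    "under" the link lands wherever the link points, so any link in a mail attachment
    is reported, with the escaping targets called out separately.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tf:
        for m in tf.getmembers():
            if _escapes(m.name):
                findings.append((m.name, "path escapes extraction root"))
            if m.issym() or m.islnk():
                target = m.linkname
                if m.issym() and not target.startswith("/"):
                    # symlink targets resolve relative to the link's own directory
                    target = posixpath.join(posixpath.dirname(m.name), target)
                if _escapes(target):
                    findings.append((m.name, f"link target outside root: {m.linkname}"))
                else:
                    findings.append((m.name, f"link member: {m.linkname}"))
    return findings


def build_tar(members) -> bytes:
    """Constructed sample archive for testing; members are (name, kind, payload_or_target)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, kind, value in members:
            info = tarfile.TarInfo(name)
            if kind == "file":
                data = value.encode()
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
            else:  # "symlink"
                info.type = tarfile.SYMTYPE
                info.linkname = value
                tf.addfile(info)
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_tar([("docs/readme.txt", "file", "hello")])
    hostile = build_tar([
        ("../../outside.txt", "file", "x"),            # climbs out of the root
        ("dropbox", "symlink", "/var/tmp/elsewhere"),  # later members under dropbox/ land there
    ])
    print("benign:", suspicious_members(benign))
    print("hostile:", suspicious_members(hostile))
```

The policy is deliberately strict for the mail-scanning use case: legitimate attachments almost never need link members, so rejecting every archive with a finding costs little, whereas trying to decide which links are harmless re-creates the extractor's own mistake.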
Although there is no patch yet for CVE-2022-41352, the Zimbra developers have already acknowledged the vulnerability and offered a temporary workaround. In short, the company advises simply replacing Cpio with the Pax utility.
The company promises to make Pax a mandatory dependency with the release of the next patch, which should resolve the problem completely.
Moreover, Rapid7 points out that many Linux distributions officially supported by Zimbra still do not install Pax by default, including Oracle Linux 8, Red Hat Enterprise Linux 8, Rocky Linux 8, and CentOS 8. The older Ubuntu LTS releases 18.04 and 20.04 include Pax, but the package was removed in 22.04.