An Unpatched Vulnerability in Zimbra Is Already under Attack

Written by Emma Davis

Experts warn that an unpatched vulnerability in the Zimbra Collaboration Suite (ZCS), rated 9.8 on the CVSS scale, is already being exploited in the wild; users had reported attacks as early as September.


The bug allows an attacker to write arbitrary files to a vulnerable ZCS installation and, from there, perform further malicious actions on it.

The zero-day has been assigned the identifier CVE-2022-41352 and lies in the way Amavis, the content filter Zimbra uses for antivirus scanning of incoming email, unpacks attachments. According to Rapid7 analysts, an attacker can exploit it simply by mailing a specially crafted .cpio, .tar, or .rpm attachment to the affected server.

"When Amavis checks a file for malware, it uses cpio to extract the file. Since cpio does not have a mode in which untrusted files can be safely used, an attacker can write to any path in the file system that the Zimbra user has access to," Rapid7 notes.

In practice, Rapid7 says, an attacker can use CVE-2022-41352 to drop a web shell into Zimbra's web root and so achieve remote code execution as the zimbra user. The researchers believe other exploitation paths probably exist as well.

The new vulnerability closely resembles an earlier Zimbra issue, CVE-2022-30333, which was exploited with specially crafted RAR files. According to Rapid7, the root cause of CVE-2022-41352 is the old cpio bug CVE-2015-1197, a directory-traversal flaw that is only exploitable when an application uses cpio to unpack untrusted archives. Exploitation therefore requires a vulnerable build of cpio, but since most Linux distributions still ship one, almost any Linux system running Zimbra is exposed unless pax is installed.
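To make concrete what the traversal looks like at the archive level, here is an added example (my own code, not Rapid7's or Zimbra's) in Python that parses the newc cpio format and flags members that a naive extractor such as cpio would write outside the extraction directory: absolute paths, `..` components, and the CVE-2015-1197 pattern of a symlink followed by a file whose path runs through that link. The sample archives are constructed inline; the web-root path the symlink points at is illustrative and the member names are invented. A pre-check like this can sit in front of any extractor that, like cpio, has no safe mode for untrusted input, but it is not a substitute for installing pax.

```python
"""Audit a newc-format cpio archive for members that can escape the
extraction directory. Added example; assumes nothing about Zimbra internals
beyond the fact that Amavis hands attachments to cpio for unpacking."""
import posixpath
import stat

NEWC_MAGIC = b"070701"
HEADER_LEN = 110          # 6-byte magic + 13 fields of 8 ASCII hex digits
TRAILER = "TRAILER!!!"    # name of the terminating pseudo-member


def _pad4(n):
    """Bytes of NUL padding needed to bring n up to a 4-byte boundary."""
    return (4 - n % 4) % 4


def build_cpio(members):
    """Build a minimal newc cpio archive from (name, mode, data) tuples.
    Used only to construct test input; a real attachment would come from mail."""
    out = bytearray()
    for ino, (name, mode, data) in enumerate(members + [(TRAILER, 0, b"")], start=1):
        name_b = name.encode() + b"\0"
        fields = (ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0)
        header = NEWC_MAGIC + b"".join(b"%08X" % v for v in fields)
        out += header + name_b + b"\0" * _pad4(HEADER_LEN + len(name_b))
        out += data + b"\0" * _pad4(len(data))
    return bytes(out)


def parse_cpio(blob):
    """Yield (name, mode, data) for each member until the trailer."""
    off = 0
    while off + HEADER_LEN <= len(blob):
        if blob[off:off + 6] != NEWC_MAGIC:
            raise ValueError(f"bad newc magic at offset {off}")
        fields = [int(blob[off + 6 + 8 * i: off + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = fields[1], fields[6], fields[11]
        name_start = off + HEADER_LEN
        name = blob[name_start:name_start + namesize].rstrip(b"\0").decode()
        data_start = name_start + namesize + _pad4(HEADER_LEN + namesize)
        data = blob[data_start:data_start + filesize]
        off = data_start + filesize + _pad4(filesize)
        if name == TRAILER:
            return
        yield name, mode, data
    raise ValueError("archive has no trailer")


def audit_cpio(blob):
    """Return a list of (member name, reason) findings. An empty list means no
    member would land outside the extraction directory under naive extraction."""
    findings = []
    symlinks = {}  # normalised member path -> link target, for links seen so far
    for name, mode, data in parse_cpio(blob):
        norm = posixpath.normpath(name)
        if norm.startswith("/"):
            findings.append((name, "absolute path"))
            continue
        if norm == ".." or norm.startswith("../"):
            findings.append((name, "parent-directory traversal"))
            continue
        parts = norm.split("/")
        # The CVE-2015-1197 pattern: a file whose parent component is a symlink
        # that an earlier member created, so the write lands at the link target.
        for i in range(1, len(parts)):
            prefix = "/".join(parts[:i])
            if prefix in symlinks:
                findings.append((name, f"path passes through symlink {prefix!r} -> {symlinks[prefix]!r}"))
                break
        else:
            if stat.S_ISLNK(mode):
                target = data.decode(errors="replace")
                symlinks[norm] = target
                if target.startswith("/") or ".." in target.split("/"):
                    findings.append((name, f"symlink escapes extraction dir: {target!r}"))
    return findings


def demo():
    """Constructed archives: one reproducing the symlink-then-file attack
    (web-root path is illustrative), one that is benign."""
    attack = build_cpio([
        ("pub", stat.S_IFLNK | 0o777, b"/opt/zimbra/jetty/webapps/zimbra/public"),
        ("pub/shell.jsp", stat.S_IFREG | 0o644, b"<% /* attacker-controlled */ %>"),
        ("../../etc/cron.d/job", stat.S_IFREG | 0o644, b"* * * * * root id\n"),
        ("/tmp/x", stat.S_IFREG | 0o644, b"x"),
    ])
    benign = build_cpio([
        ("report/q3.txt", stat.S_IFREG | 0o644, b"quarterly numbers"),
        ("report/latest", stat.S_IFLNK | 0o777, b"q3.txt"),
    ])
    return audit_cpio(attack), audit_cpio(benign)


if __name__ == "__main__":
    bad, good = demo()
    for name, reason in bad:
        print(f"UNSAFE {name}: {reason}")
    print("benign archive findings:", good)
```

The check is deliberately order-sensitive: a symlink is only dangerous for members that come after it, which is exactly how cpio processes the stream. pax avoids the problem because it refuses to follow symlinks created during the same extraction, which is why Zimbra's workaround is to install it rather than to filter attachments.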

Although there is no patch yet for CVE-2022-41352, the Zimbra developers have acknowledged the vulnerability and published a workaround. It amounts to installing the pax utility so that Amavis uses it instead of cpio.

"All administrators should ensure that the pax package is installed on their Zimbra server. Pax is needed by Amavis to extract the contents of compressed attachments for virus scanning. If the pax package is not installed, Amavis will fall back to cpio, and unfortunately this fallback is not implemented correctly by Amavis and allows an unauthenticated attacker to create and overwrite files on the Zimbra server, including the Zimbra webroot," said the developers.

Zimbra says it will make pax a required dependency in its next patch release, which should resolve the problem for good.

Rapid7 also points out that several Linux distributions officially supported by Zimbra do not install pax by default, namely Oracle Linux 8, Red Hat Enterprise Linux 8, Rocky Linux 8, and CentOS 8. The older Ubuntu LTS releases 18.04 and 20.04 ship pax, but the package is no longer installed by default in 22.04. Administrators on any of these systems should install pax explicitly rather than assume it is present.


About the author

Emma Davis

I'm a writer and content manager (I recently completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
