Saturday, October 8, 2022

Hackers Exploiting Unpatched RCE Flaw in Zimbra Collaboration Suite


A severe remote code execution vulnerability in Zimbra's enterprise collaboration software and email platform is being actively exploited, with no patch currently available to remediate the issue.

The shortcoming, assigned CVE-2022-41352, carries a critical-severity rating of CVSS 9.8, offering a pathway for attackers to upload arbitrary files and carry out malicious actions on affected installations.

"The vulnerability is due to the method (cpio) in which Zimbra's antivirus engine (Amavis) scans inbound emails," cybersecurity firm Rapid7 said in an analysis published this week.


The issue is said to have been abused since early September 2022, according to details shared on Zimbra forums. While a fix is yet to be released, Zimbra is urging users to install the "pax" utility and restart the Zimbra services.

"If the pax package is not installed, Amavis will fall-back to using cpio, unfortunately the fall-back is implemented poorly (by Amavis) and will allow an unauthenticated attacker to create and overwrite files on the Zimbra server, including the Zimbra webroot," the company said last month.

The vulnerability, which is present in versions 8.8.15 and 9.0 of the software, affects several Linux distributions such as Oracle Linux 8, Red Hat Enterprise Linux 8, Rocky Linux 8, and CentOS 8, with the exception of Ubuntu, since pax is already installed there by default.

Successful exploitation of the flaw requires an attacker to email an archive file (CPIO or TAR) to a susceptible server, which is then inspected by Amavis using the cpio file archiver utility to extract its contents.

"Since cpio has no mode where it can be securely used on untrusted files, the attacker can write to any path on the filesystem that the Zimbra user can access," Rapid7 researcher Ron Bowes said. "The most likely outcome is for the attacker to plant a shell in the web root to gain remote code execution, although other avenues likely exist."
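The root cause described above is that an archive member's stored path is trusted at extraction time, so a name that is absolute or climbs out with `..` lands wherever the extracting user can write. The following is an added example, not code from Rapid7, Zimbra or Amavis, showing the kind of pre-extraction check a mail-gateway or scanner operator can run on an archive before handing it to any unpacking tool. It uses Python's standard `tarfile` module (the TAR format is one of the two named in the advisory; cpio has no stdlib reader, but the same name checks apply to cpio entries). The archive it inspects is constructed in memory for the demonstration and contains a harmless member plus three constructed entries that should be flagged.

```python
import io
import posixpath
import tarfile


def is_unsafe_name(name: str) -> bool:
    """True if the member path could escape the extraction directory.

    An absolute path is written outside the target tree outright; any
    '..' component that survives normalisation climbs above it.
    """
    if name.startswith("/"):
        return True
    return ".." in posixpath.normpath(name).split("/")


def is_unsafe_link(member: tarfile.TarInfo) -> bool:
    """True if a symlink/hardlink member points outside the archive root.

    The link target is resolved relative to the directory of the member,
    because that is where an extractor would create it.
    """
    target = member.linkname
    if target.startswith("/"):
        return True
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(member.name), target))
    return ".." in resolved.split("/")


def unsafe_members(archive: bytes) -> list[str]:
    """Return the names of all members that must not be extracted as-is."""
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tf:
        for member in tf:
            if is_unsafe_name(member.name):
                flagged.append(member.name)
            elif (member.issym() or member.islnk()) and is_unsafe_link(member):
                flagged.append(member.name)
    return flagged


def build_sample_archive() -> bytes:
    """Constructed test archive: one benign file and three escaping entries.

    The escaping names are placeholders chosen for the demonstration, not
    paths taken from any real incident.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add_file(name: str, data: bytes = b"constructed") -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))

        add_file("report/summary.txt")                 # benign, stays inside
        add_file("../../etc/placeholder.conf")         # traversal via '..'
        add_file("/tmp/constructed-absolute.txt")      # absolute path
        link = tarfile.TarInfo("report/link")          # symlink escaping root
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tf.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for name in unsafe_members(build_sample_archive()):
        print("REJECT:", name)
```

Running the block prints the three constructed escaping entries and nothing for `report/summary.txt`. The check is deliberately conservative: it rejects the whole archive on the first bad member rather than trying to sanitise names, which is the safer policy for a scanner that has no reason to write attacker-chosen paths at all.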


Zimbra said it expects the vulnerability to be addressed in the next Zimbra patch, which will remove the dependency on cpio and instead make pax a requirement. However, it has not offered a specific timeframe for when the fix will be available.

Rapid7 also noted that CVE-2022-41352 is "effectively identical" to CVE-2022-30333, a path traversal flaw in the Unix version of RARlab's unRAR utility that came to light earlier this June, the only difference being that the new flaw leverages the CPIO and TAR archive formats instead of RAR.

Even more troublingly, Zimbra is said to be further vulnerable to another zero-day privilege escalation flaw, which could be chained with the cpio zero-day to achieve remote root compromise of the servers.

The fact that Zimbra has been a popular target for threat actors is by no means new. In August, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of adversaries exploiting multiple flaws in the software to breach networks.
