Zimbra remote code execution vulnerability actively exploited in the wild

Oct 11, 2022 | News


A zero-day remote code execution (RCE) vulnerability in Zimbra is being actively exploited in the wild.

The bug was assigned the tracker CVE-2022-41352 in late September. Issued a CVSS severity score of 9.8, the critical issue can be exploited to plant a shell in the software’s root directory, achieving RCE and enabling attackers to wreak havoc on a vulnerable system.

Zimbra, once known as the Zimbra Collaboration Suite (ZCS), is an open source email suite. The software is relied upon by millions of users and is designed for managing enterprise and SMB email and collaboration tools.

According to Rapid7’s AttackerKB project, CVE-2022-41352 is an RCE that “arises from unsafe usage of the cpio utility, specifically from Zimbra’s antivirus engine’s (Amavis) use of the vulnerable cpio utility to scan inbound emails”.

To launch a successful attack, a threat actor would need to email a .cpio, .tar, or .rpm file to a vulnerable server. Amavis would then scan the message for malware and use the cpio file utility to extract its content.

However, a ‘loophole’ exists where attackers could leverage cpio to write to a target folder, or as Rapid7 says, “write to any path on the filesystem that the Zimbra user can access”.

Once inside, for example, an attacker may be able to extract emails, tamper with user accounts, wipe information, or conduct Business Email Compromise (BEC) scams.
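The defensive counterpart to the extraction problem described above is to inspect an archive before anything unpacks it. The following is an added example, not code from Zimbra, Amavis, Rapid7 or the article: a small parser for the SVR4 "newc" cpio format that flags the kinds of entries that let an extractor write outside its working directory (absolute names, `..` components, symlinks pointing outside the tree, and entries whose path passes through an earlier archived symlink). The archive bytes are constructed inline for the demonstration; the entry names in it are invented and do not refer to any real Zimbra path.

```python
"""Flag cpio (newc format) entries that could escape the extraction directory.
Added example; the sample archive below is constructed, not captured traffic."""
import posixpath

NEWC_MAGIC = b"070701"
HEADER_LEN = 110          # 6-byte magic followed by 13 fields of 8 hex digits
S_IFMT = 0o170000
S_IFLNK = 0o120000


def _pad4(n):
    """Round n up to a multiple of 4 (newc pads names and bodies this way)."""
    return (n + 3) & ~3


def parse_newc(data):
    """Yield (name, mode, body) for each entry, stopping at the trailer."""
    off = 0
    while True:
        if data[off:off + 6] != NEWC_MAGIC:
            raise ValueError("bad cpio magic at offset %d" % off)
        # Field order: ino, mode, uid, gid, nlink, mtime, filesize,
        # devmajor, devminor, rdevmajor, rdevminor, namesize, check
        fields = [int(data[off + 6 + 8 * i: off + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = fields[1], fields[6], fields[11]
        name_start = off + HEADER_LEN
        name = data[name_start:name_start + namesize - 1].decode("utf-8", "replace")
        body_start = _pad4(name_start + namesize)
        body = data[body_start:body_start + filesize]
        off = _pad4(body_start + filesize)
        if name == "TRAILER!!!":
            return
        yield name, mode, body


def unsafe_entries(data):
    """Return [(name, reason)] for entries an extractor should refuse."""
    findings = []
    symlinks = set()
    for name, mode, body in parse_newc(data):
        parts = [p for p in name.split("/") if p not in ("", ".")]
        if name.startswith("/"):
            findings.append((name, "absolute path"))
        elif ".." in parts:
            findings.append((name, "parent-directory traversal"))
        elif any("/".join(parts[:i]) in symlinks for i in range(1, len(parts))):
            findings.append((name, "path passes through an archived symlink"))
        if mode & S_IFMT == S_IFLNK:
            # A symlink's target is stored as the entry body.
            target = body.decode("utf-8", "replace")
            resolved = posixpath.normpath(posixpath.join(posixpath.dirname(name), target))
            if target.startswith("/") or resolved == ".." or resolved.startswith("../"):
                findings.append((name, "symlink to %r leaves the tree" % target))
            symlinks.add("/".join(parts))
    return findings


def _entry(name, body=b"", mode=0o100644):
    """Build one newc entry (hypothetical helper, used only to construct the sample)."""
    name_b = name.encode() + b"\0"
    hdr = NEWC_MAGIC + "".join("%08x" % v for v in (
        0, mode, 0, 0, 1, 0, len(body), 0, 0, 0, 0, len(name_b), 0)).encode()
    out = hdr + name_b
    out += b"\0" * (_pad4(len(out)) - len(out))
    out += body + b"\0" * (_pad4(len(body)) - len(body))
    return out


# Constructed sample archive: one benign file and four escape attempts.
SAMPLE = (
    _entry("inbox/report.txt", b"constructed benign file\n")
    + _entry("../escaped.txt", b"x")
    + _entry("/tmp/absolute.txt", b"x")
    + _entry("inbox/link", b"/tmp", mode=0o120777)
    + _entry("inbox/link/through.txt", b"x")
    + _entry("TRAILER!!!", mode=0)
)

if __name__ == "__main__":
    for name, reason in unsafe_entries(SAMPLE):
        print("REFUSE %-28s %s" % (name, reason))
```

A mail scanner would run `unsafe_entries` on the attachment and quarantine the message on any finding rather than handing the archive to an extractor; the same checks apply unchanged to tar-style listings, since only the header parsing is cpio-specific.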

Oracle Linux 8, Red Hat Enterprise Linux 8, Rocky Linux 8, and CentOS 8 builds are vulnerable.


‘Effectively identical’

Rapid7 researchers noted that CVE-2022-41352 is “effectively identical” to CVE-2022-30333, a path traversal bug in RarLab’s unrar binary which also triggers an RCE in Zimbra. The only difference appears to be the file type (.cpio, instead of .rar).

According to Rapid7 researcher Ron Bowes, the vulnerability is an exploit path for CVE-2015-1194, a bug that was patched in 2019. However, it appears that some distributions unintentionally remove the fix.

A Zimbra forum post indicates that the vulnerability is being actively exploited in the wild. Proof of concept (PoC) exploit code has been released.

Zimbra has acknowledged the vulnerability and says that a fix is being developed. In the meantime, Zimbra is urging users to install the pax package immediately and restart Zimbra as a workaround.

Pax is used for reading or writing archived file content and is not vulnerable to this exploit – but, unfortunately, Pax is not included by default. If Pax has not been installed, Amavis will resort to using cpio, and Zimbra says it is the “poor implementation” of this process that created the vulnerability in the first place.

Zimbra intends to remove the cpio dependency and make Pax a requirement.

There’s better news for Ubuntu users – Pax is installed by default in Ubuntu 20.04, and in Ubuntu 18.04, a custom patch issued for cpio provides protection.

Source: portswigger.net
