There is currently no patch available to fix a serious remote code execution (RCE) vulnerability in the enterprise collaboration software and email platform provided by Zimbra.

The flaw, designated CVE-2022-41352, carries a critical-severity rating of CVSS 9.8 and gives attackers a mechanism to upload arbitrary files and perform malicious actions on vulnerable installations.

The vulnerability is caused by the way Zimbra's antivirus engine (Amavis) examines incoming emails, which relies on the cpio archiver, according to research released this week by cybersecurity company Rapid7.

Details posted on the Zimbra forums claim that the problem has been exploited since early September 2022. Although a fix has not yet been made available, Zimbra is advising customers to install the "pax" package and restart the Zimbra services.

An unauthenticated attacker can create and overwrite files on the Zimbra server, including the Zimbra webroot, thanks to a poorly constructed fallback in Amavis that is used when the pax package is not installed, the company warned last month.

The vulnerability exists in versions 8.8.15 and 9.0 of the software and affects a number of Linux distributions, including Oracle Linux 8, Red Hat Enterprise Linux 8, Rocky Linux 8, and CentOS 8. Ubuntu is the exception, because it ships with pax installed by default.

The Issues

To exploit the bug, an attacker only has to email an archive file (CPIO or TAR) to a vulnerable server. Amavis then inspects the archive and extracts its contents using the cpio file archiver.

Because cpio lacks an option that allows it to be used safely with untrusted files, the attacker can write to any path on the filesystem that the Zimbra user can access, according to Ron Bowes of Rapid7. Although there are probably additional options, the most likely result is for the attacker to install a shell in the web root to get remote code execution.
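The defensive check implied above is a pre-extraction scan of the archive for entry names that would land outside the extraction directory. The following is an added example (not code from Zimbra, Amavis or Rapid7): it parses the cpio SVR4 "newc" format and flags absolute names, `..` components and symlink entries; the sample archive, its file names and the `build_newc` helper are constructed here for the demonstration.

```python
"""Scan a cpio (SVR4 'newc') archive for entries that would escape the
extraction directory. Added example; the sample archive is constructed."""
HEADER_LEN = 110  # 6-byte magic + 13 ASCII-hex fields of 8 chars each
FIELDS = ("ino", "mode", "uid", "gid", "nlink", "mtime", "filesize",
          "devmajor", "devminor", "rdevmajor", "rdevminor", "namesize", "check")
S_IFMT, S_IFLNK = 0o170000, 0o120000

def _pad4(n):
    """Bytes needed to round n up to a 4-byte boundary."""
    return (4 - n % 4) % 4

def parse_newc(data):
    """Yield (name, mode, payload) for each entry until the TRAILER!!! record."""
    pos = 0
    while pos + HEADER_LEN <= len(data):
        if data[pos:pos + 6] != b"070701":
            raise ValueError("bad newc magic at offset %d" % pos)
        vals = [int(data[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        hdr = dict(zip(FIELDS, vals))
        pos += HEADER_LEN
        name = data[pos:pos + hdr["namesize"] - 1].decode("utf-8", "replace")
        pos += hdr["namesize"] + _pad4(HEADER_LEN + hdr["namesize"])  # NUL-padded name
        if name == "TRAILER!!!":
            return
        payload = data[pos:pos + hdr["filesize"]]
        pos += hdr["filesize"] + _pad4(hdr["filesize"])  # data padded to 4 bytes
        yield name, hdr["mode"], payload

def unsafe_entries(data):
    """Names cpio would write outside the target directory, plus symlink entries."""
    bad = []
    for name, mode, _ in parse_newc(data):
        parts = name.replace("\\", "/").split("/")
        if name.startswith("/") or ".." in parts or (mode & S_IFMT) == S_IFLNK:
            bad.append(name)
    return bad

def build_newc(entries):
    """Write a newc archive from [(name, mode, payload)]; used only for the sample."""
    out = bytearray()
    for name, mode, payload in entries + [("TRAILER!!!", 0, b"")]:
        nm = name.encode() + b"\0"
        fields = [1, mode, 0, 0, 1, 0, len(payload), 0, 0, 0, 0, len(nm), 0]
        out += b"070701" + b"".join(b"%08x" % v for v in fields)
        out += nm + b"\0" * _pad4(HEADER_LEN + len(nm))
        out += payload + b"\0" * _pad4(len(payload))
    return bytes(out)

# Constructed sample: one benign entry and one placeholder traversal entry.
SAMPLE = build_newc([("docs/readme.txt", 0o100644, b"hello\n"),
                     ("../../outside.txt", 0o100644, b"escapes\n")])
```

Run `unsafe_entries(SAMPLE)` on the sample to see only the traversal entry reported; a gateway scanner would quarantine any archive for which the list is non-empty instead of handing it to cpio.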

According to Zimbra, the vulnerability will be fixed in the upcoming Zimbra patch, which will replace the reliance on cpio with a requirement for pax. It has not, however, given a date by which the update will be available.

According to Rapid7, the sole difference between CVE-2022-41352 and CVE-2022-30333, a path traversal weakness in the Unix version of RARlab's unRAR application discovered earlier this June, is that the new flaw makes use of the CPIO and TAR archive formats rather than RAR.

To make matters worse, Zimbra is reportedly also affected by a zero-day privilege escalation weakness, which may be combined with the cpio zero-day to remotely obtain root access on the servers.

Threat actors targeting Zimbra is by no means a novel development. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning in August about adversaries exploiting a variety of software bugs to break into networks.
