A zero-day remote code execution (RCE) vulnerability in Zimbra is being actively exploited in the wild.
The bug was assigned the tracker CVE-2022-41352 in late September. Assigned a CVSS severity score of 9.8, the critical issue can be exploited to plant a shell in the software’s root directory, achieving RCE and enabling attackers to wreak havoc on a vulnerable system.
Zimbra, once known as the Zimbra Collaboration Suite (ZCS), is an open source email suite. The software is relied upon by millions of users and is designed for managing enterprise and SMB email and collaboration tools.
According to Rapid7’s AttackerKB project, CVE-2022-41352 is an RCE that “arises from unsafe usage of the cpio utility, specifically from Zimbra’s antivirus engine’s (Amavis) use of the vulnerable cpio utility to scan inbound emails”.
To launch a successful attack, a threat actor would need to email a .cpio, .tar, or .rpm file to a vulnerable server. Amavis would then scan the message for malware and use the cpio file utility to extract its content.
However, a ‘loophole’ exists where attackers could leverage cpio to write to a target folder, or as Rapid7 says, “write to any path on the filesystem that the Zimbra user can access”.
Once inside, for example, an attacker may be able to extract emails, tamper with user accounts, wipe information, or conduct Business Email Compromise (BEC) scams.
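The archive entries Rapid7 describes, whose paths point outside the directory cpio is asked to extract into, can be spotted before an archive is handed to cpio at all. As an added example that is not Zimbra’s or Amavis’s code, the script below parses the cpio ‘newc’ format and lists entries whose paths would escape the extraction directory; the sample archive it checks is constructed inline.

```python
"""Flag cpio entries whose paths could escape the extraction directory.
Added example, not Zimbra's or Amavis's code; handles the SVR4 'newc' format."""
import posixpath

def is_unsafe_path(name: str) -> bool:
    """True if extracting `name` under a target dir could land outside it."""
    if name.startswith("/"):
        return True
    return ".." in posixpath.normpath(name).split("/")

def make_cpio_newc(entries: dict) -> bytes:
    """Build a minimal cpio 'newc' archive in memory (constructed sample input)."""
    out = bytearray()
    for name, body in list(entries.items()) + [("TRAILER!!!", b"")]:
        raw = name.encode() + b"\0"
        # 13 hex fields: ino mode uid gid nlink mtime filesize devmajor
        # devminor rdevmajor rdevminor namesize check
        fields = (0, 0o100644, 0, 0, 1, 0, len(body), 0, 0, 0, 0, len(raw), 0)
        out += b"070701" + "".join("%08x" % v for v in fields).encode() + raw
        out += b"\0" * (-len(out) % 4)   # header + name padded to 4 bytes
        out += body
        out += b"\0" * (-len(out) % 4)   # file data padded to 4 bytes
    return bytes(out)

def cpio_newc_names(data: bytes) -> list:
    """Return entry names from a cpio 'newc' (magic 070701) archive."""
    names, off = [], 0
    while off + 110 <= len(data):
        hdr = data[off:off + 110]
        if hdr[:6] != b"070701":
            raise ValueError(f"bad cpio magic at offset {off}")
        filesize, namesize = int(hdr[54:62], 16), int(hdr[94:102], 16)
        name = data[off + 110:off + 110 + namesize - 1].decode("utf-8", "replace")
        if name == "TRAILER!!!":
            break
        names.append(name)
        off += (110 + namesize + 3) & ~3  # header + NUL-terminated name, padded
        off += (filesize + 3) & ~3        # file data, padded
    return names

def unsafe_entries(data: bytes) -> list:
    """Entry names that would escape the target directory (empty means clean)."""
    return [n for n in cpio_newc_names(data) if is_unsafe_path(n)]

if __name__ == "__main__":
    sample = make_cpio_newc({"mail/body.txt": b"hi", "../outside.txt": b"x"})
    print(unsafe_entries(sample))  # ['../outside.txt']
```

Only the ‘newc’ (070701) variant is parsed; other cpio header formats and the cpio payload inside an .rpm are out of scope for this check.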
Oracle Linux 8, Red Hat Enterprise Linux 8, Rocky Linux 8, and CentOS 8 builds are vulnerable.
‘Effectively identical’
Rapid7 researchers noted that CVE-2022-41352 is “effectively identical” to CVE-2022-30333, a path traversal bug in RarLab’s unrar binary which also triggers an RCE in Zimbra. The only difference appears to be the file type (.cpio, instead of .rar).
According to Rapid7 researcher Ron Bowes, the vulnerability is an exploit path for CVE-2015-1194, a bug that was patched in 2019. However, it appears that some distributions unintentionally remove the fix.
A Zimbra forum post indicates that the vulnerability is being actively exploited in the wild. Proof of concept (PoC) exploit code has been released.
Zimbra has acknowledged the vulnerability and says that a fix is being developed. In the meantime, Zimbra is urging users to install the pax package immediately and restart Zimbra as a workaround.
Pax is used for reading or writing archived file content and is not vulnerable to this exploit – but, unfortunately, Pax is not included by default. If Pax has not been installed, Amavis will resort to using cpio, and Zimbra says it is the “poor implementation” of this process that created the vulnerability in the first place.
Zimbra intends to remove the cpio dependency and make Pax a requirement.
There’s better news for Ubuntu users – Pax is installed by default in Ubuntu 20.04, and in Ubuntu 18.04, a custom patch issued for cpio provides protection.
The Daily Swig has reached out to Zimbra with additional queries and will update this story if and when we hear back.