A critical-severity, remote code execution vulnerability in Zimbra’s enterprise collaboration software and email platform is being actively exploited, with no patch currently available for the issue, warn researchers.
The flaw (CVE-2022-41352) in version 8.8.15 and 9.0 of the Zimbra Collaboration Suite was first disclosed on Sept. 25 after it was discovered due to active exploitation, but a patch has still not been issued as of Oct. 6, Rapid7 researchers said in a Thursday analysis. Researchers said the flaw stems from the method in which Zimbra’s Amavis spam-filtering engine scans inbound emails. Specifically, the scanning involves the cpio utility, which is vulnerable to remote code execution.
“To exploit this vulnerability, an attacker would email a .cpio, .tar, or .rpm to an affected server,” said Ron Bowes with Rapid7 in an analysis. “When Amavis inspects it for malware, it uses cpio to extract the file. Since cpio has no mode where it can be securely used on untrusted files… the attacker can write to any path on the filesystem that the zimbra user can access. The most likely outcome is for the attacker to plant a shell in the web root to gain remote code execution, although other avenues likely exist.”
In order to be vulnerable, a user must have a vulnerable version of cpio installed (which researchers said is the case on most systems) and the pax archive utility package must not be installed, as this package is not vulnerable, said researchers. The pax package is installed by default on Ubuntu, so Ubuntu-based Zimbra installations are not vulnerable by default, said researchers; However, they said pax is not installed by default on Red Hat-based distros, making them vulnerable. While further information about the breadth of exploitation is not available, Bowes pointed to instances of exploitation that have been reported in Zimbra support forums.
In a security release, Zimbra said that “this issue will be addressed in the next Zimbra patch,” which will remove the dependency on cpio and instead make pax a prerequisite. However, Zimbra did not offer a specific timeframe for when this patch would be available. Zimbra also urged customers to apply mitigations for the flaw by installing the pax package.
“Pax is needed by Amavis to extract the contents of compressed attachments for virus scanning,” according to the advisory. “If the pax package is not installed, Amavis will fall-back to using cpio, unfortunately the fall-back is implemented poorly (by Amavis) and will allow an unauthenticated attacker to create and overwrite files on the Zimbra server, including the Zimbra webroot.”
Researchers noted that the flaw is “effectively identical” to another vulnerability (CVE-2022-30333) in RARlab’s unRAR utility that could lead to remote code execution; however, this more recent flaw uses a different file format by relying on .cpio as opposed to .rar components. The flaw is also a byproduct of a seven-year-old vulnerability (CVE-2015-1197) that never received a fix, said Bowes. However, “while the original CVE-2015-1197 affects most major Linux distros, our research team found that it is not exploitable unless a secondary application – such as Zimbra, in this case – uses cpio to extract untrusted archives; therefore, this blog is only focusing on Zimbra CVE-2022-41352,” he said.
Zimbra’s Collaboration Suite has been a popular target for threat actors, with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in August warning that attackers were exploiting multiple, previously disclosed Zimbra flaws. CISA highlighted CVE-2022-27925 and CVE-2022-37042 as being targeted, as well as exploitation efforts against a known high-severity flaw (CVE-2022-27924) that enables an unauthenticated bad actor to inject memcache commands into targeted Zimbra instances.