Zimbra remote code execution vulnerability actively exploited in the wild

A zero-day remote code execution (RCE) vulnerability in Zimbra is being actively exploited in the wild.

The bug was assigned the tracker CVE-2022-41352 in late September. Issued a CVSS severity score of 9.8, the critical issue can be exploited to plant a shell in the software’s root directory, achieving RCE and enabling attackers to wreak havoc on a vulnerable system.

Zimbra, once known as the Zimbra Collaboration Suite (ZCS), is an open source email suite. The software is relied upon by millions of users and is designed for managing enterprise and SMB email and collaboration tools.

According to Rapid7’s AttackerKB project, CVE-2022-41352 is an RCE that “arises from unsafe usage of the cpio utility, specifically from Zimbra’s antivirus engine’s (Amavis) use of the vulnerable cpio utility to scan inbound emails”.

To launch a successful attack, a threat actor would need to email a .cpio, .tar, or .rpm file to a vulnerable server. Amavis would then scan the message for malware and use the cpio file utility to extract its content.

However, a ‘loophole’ exists where attackers could leverage cpio to write to a target folder, or as Rapid7 says, “write to any path on the filesystem that the Zimbra user can access”.

Once inside, for example, an attacker may be able to extract emails, tamper with user accounts, wipe information, or conduct Business Email Compromise (BEC) scams.

Oracle Linux 8, Red Hat Enterprise Linux 8, Rocky Linux 8, and CentOS 8 builds are vulnerable.

‘Effectively identical’
Rapid7 researchers noted that CVE-2022-41352 is “effectively identical” to CVE-2022-30333, a path traversal bug in RarLab’s unrar binary which also triggers an RCE in Zimbra. The only difference appears to be the file type (.cpio, instead of .rar).

According to Rapid7 researcher Ron Bowes, the vulnerability is an exploit path for CVE-2015-1194, a bug that was patched in 2019. However, it appears that some distributions unintentionally remove the fix.

A Zimbra forum post indicates that the vulnerability is being actively exploited in the wild. Proof of concept (PoC) exploit code has been released.

Zimbra has acknowledged the vulnerability and says that a fix is being developed. In the meantime, Zimbra is urging users to install the pax package immediately and restart Zimbra as a workaround.

Pax is used for reading or writing archived file content and is not vulnerable to this exploit – but, unfortunately, Pax is not included by default. If Pax has not been installed, Amavis will resort to using cpio, and Zimbra says it is the “poor implementation” of this process that created the vulnerability in the first place.

Zimbra intends to remove the cpio dependency and make Pax a requirement.

There’s better news for Ubuntu users – Pax is installed by default in Ubuntu 20.04, and in Ubuntu 18.04, a custom patch issued for cpio provides protection.
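
A host check for the workaround described above, as an added example (not code from Zimbra, Rapid7 or The Daily Swig): it reports whether pax is present so that Amavis does not fall back to cpio. The function names and status labels are this example's own, and it assumes the search path passed in matches the one Amavis runs with and that distro identity is read from an os-release file.

```shell
#!/bin/sh
# Added example: audit a host for the pax workaround to CVE-2022-41352.
# Assumption: distro identity comes from an os-release file (ID, VERSION_ID).

# Print "yes" if the os-release file names a build the article lists as
# vulnerable (Oracle Linux 8, RHEL 8, Rocky Linux 8, CentOS 8), else "no".
listed_build() {
    id=$(sed -n 's/^ID=//p' "$1" | tr -d '"')
    ver=$(sed -n 's/^VERSION_ID=//p' "$1" | tr -d '"')
    case "$id:${ver%%.*}" in
        ol:8|rhel:8|rocky:8|centos:8) echo yes ;;
        *) echo no ;;
    esac
}

# Print "yes" if an executable file named $1 exists in search path $2.
has_tool() {
    old_ifs=$IFS; IFS=:
    for dir in $2; do
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            IFS=$old_ifs; echo yes; return 0
        fi
    done
    IFS=$old_ifs; echo no
}

# Classify the host using the fallback the article describes: Amavis uses
# pax when it is installed and resorts to cpio when it is not.
audit_host() {
    osrel=$1; search=$2
    if [ "$(has_tool pax "$search")" = yes ]; then
        echo "MITIGATED: pax found; restart Zimbra if pax was installed after startup"
    elif [ "$(has_tool cpio "$search")" = no ]; then
        echo "NO_EXTRACTOR: neither pax nor cpio found"
    elif [ "$(listed_build "$osrel")" = yes ]; then
        echo "EXPOSED: listed build with cpio fallback; install pax, restart Zimbra"
    else
        echo "REVIEW: cpio fallback on a build the article does not list"
    fi
}

# Default run: inspect this machine.
audit_host /etc/os-release "$PATH"
```

A REVIEW result covers hosts such as the Ubuntu 18.04 case mentioned above, where the article says a patched cpio provides protection.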

The Daily Swig has reached out to Zimbra with additional queries and will update this story if and when we hear back.

Source: https://portswigger.net/daily-swig/zimbra-remote-code-execution-vulnerability-actively-exploited-in-the-wild
