A extreme distant code execution vulnerability in Zimbra’s enterprise collaboration software program and electronic mail platform is being actively exploited, with no patch at the moment accessible to remediate the problem.
The shortcoming, assigned CVE-2022-41352, carries a critical-severity score of CVSS 9.8, offering a pathway for attackers to add arbitrary information and perform malicious actions on affected installations.
“The vulnerability is because of the methodology (cpio) during which Zimbra’s antivirus engine (Amavis) scans inbound emails,” cybersecurity agency Rapid7 said in an evaluation revealed this week.
The problem is claimed to have been abused since early September 2022, in keeping with details shared on Zimbra boards. Whereas a repair is but to be launched, Zimbra is urging customers to put in the “pax” utility and restart the Zimbra providers.
“If the pax package shouldn’t be put in, Amavis will fall-back to utilizing cpio, sadly the fall-back is applied poorly (by Amavis) and can permit an unauthenticated attacker to create and overwrite information on the Zimbra server, together with the Zimbra webroot,” the corporate said final month.
The vulnerability, which is current in variations 8.8.15 and 9.0 of the software program, impacts a number of Linux distributions akin to Oracle Linux 8, Purple Hat Enterprise Linux 8, Rocky Linux 8, and CentOS 8, aside from Ubuntu as a result of the truth that pax is already put in by default.
A profitable exploitation of the flaw requires an attacker to electronic mail an archive file (CPIO or TAR) to a prone server, which is then inspected by Amavis utilizing the cpio file archiver utility to extract its contents.
“Since cpio has no mode the place it may be securely used on untrusted information, the attacker can write to any path on the filesystem that the Zimbra consumer can entry,” Rapid7 researcher Ron Bowes stated. “The most definitely end result is for the attacker to plant a shell within the net root to realize distant code execution, though different avenues doubtless exist.”
Zimbra stated it expects the vulnerability to be addressed within the subsequent Zimbra patch, which can take away the dependency on cpio and as a substitute make pax a requirement. Nonetheless, it has not provided a selected timeframe by when the repair will probably be accessible.
Rapid7 additionally famous that CVE-2022-41352 is “successfully equivalent” to CVE-2022-30333, a path traversal flaw within the Unix model of RARlab’s unRAR utility which got here to gentle earlier this June, the one distinction being that the brand new flaw leverages CPIO and TAR archive codecs as a substitute of RAR.
Much more troublingly, Zimbra is claimed to be additional weak to a different zero-day privilege escalation flaw, which could possibly be chained with the cpio zero-day to realize distant root compromise of the servers.
The truth that Zimbra has been a well-liked goal for risk actors is on no account new. In August, the U.S. Cybersecurity and Infrastructure Safety Company (CISA) warned of adversaries exploiting a number of flaws within the software program to breach networks.