A extreme distant code execution vulnerability in Zimbra’s enterprise collaboration software program and e-mail platform is being actively exploited, with no patch presently accessible to remediate the problem.
The shortcoming, assigned CVE-2022-41352, carries a critical-severity ranking of CVSS 9.8, offering a pathway for attackers to add arbitrary information and perform malicious actions on affected installations.
“The vulnerability is as a result of methodology (cpio) through which Zimbra’s antivirus engine (Amavis) scans inbound emails,” cybersecurity agency Rapid7 stated in an evaluation revealed this week.
The difficulty is alleged to have been abused since early September 2022, in line with particulars shared on Zimbra boards. Whereas a repair is but to be launched, the software program providers firm is urging customers to put in the “pax” utility and restart the Zimbra providers.
“If the pax package deal isn’t put in, Amavis will fall-back to utilizing cpio, sadly the fall-back is applied poorly (by Amavis) and can enable an unauthenticated attacker to create and overwrite information on the Zimbra server, together with the Zimbra webroot,” the corporate stated final month.
The vulnerability, which is current in variations 8.8.15 and 9.0 of the software program, impacts a number of Linux distributions comparable to Oracle Linux 8, Crimson Hat Enterprise Linux 8, Rocky Linux 8, and CentOS 8, except for Ubuntu on account of the truth that pax is already put in by default.
A profitable exploitation of the flaw requires an attacker to e-mail an archive file (CPIO or TAR) to a inclined server, which is then inspected by Amavis utilizing the cpio file archiver utility to extract its contents.
“Since cpio has no mode the place it may be securely used on untrusted information, the attacker can write to any path on the filesystem that the Zimbra consumer can entry,” Rapid7 researcher Ron Bowes stated. “The almost certainly end result is for the attacker to plant a shell within the net root to realize distant code execution, though different avenues doubtless exist.”
Zimbra stated it expects the vulnerability to be addressed within the subsequent software program patch, which can take away the dependency on cpio and as a substitute make pax a requirement. Nonetheless, it has not provided a selected timeframe by when the repair will likely be accessible.
Rapid7 additionally famous that CVE-2022-41352 is “successfully equivalent” to CVE-2022-30333, a path traversal flaw within the Unix model of RARlab’s unRAR utility which got here to gentle earlier this June, the one distinction being that the brand new flaw leverages CPIO and TAR archive codecs as a substitute of RAR.
Much more troublingly, Zimbra is alleged to be additional susceptible to a different zero-day privilege escalation flaw, which might be chained with the cpio zero-day to attain distant root compromise of the servers.
The truth that Zimbra has been a preferred goal for risk actors is in no way new. In August, the U.S. Cybersecurity and Infrastructure Safety Company (CISA) warned of adversaries exploiting a number of flaws within the software program to breach networks.