
Attackers Exploiting Unpatched RCE Flaw in Zimbra Collaboration Suite

Hackers are actively exploiting an unpatched remote code execution (RCE) vulnerability in Zimbra Collaboration Suite (ZCS).


Hackers are actively attempting to exploit an unpatched remote code execution (RCE) vulnerability in Zimbra Collaboration Suite (ZCS), a popular web client and email server. 

The CVE-2022-41352 zero-day security flaw is rated critical (CVSS v3 score: 9.8) and enables an attacker to upload arbitrary files via "Amavis" (email security system). An attacker who successfully exploits the vulnerability can overwrite the Zimbra webroot, insert a shellcode, and gain access to other users' accounts. 

The zero-day vulnerability was discovered at the beginning of September when administrators posted details about attacks on Zimbra forums.

Due to insecure cpio usage

The vulnerability is caused by Amavis' use of the 'cpio' file archiving utility to extract archives when scanning a file for viruses. An exploitable flaw in the cpio component enables an attacker to create archives that can be extracted anywhere on a Zimbra-accessible filesystem.

When an email is sent to a Zimbra server, the Amavis security system extracts any attached archive and scans its contents for viruses. If it extracts a specially crafted .cpio, .tar, or .rpm archive, the contents may be written to the Zimbra webroot. An attacker could exploit this vulnerability to deploy web shells to the Zimbra root, effectively giving them shell access to the server.
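The cpio fallback is dangerous because an archive can name entries that resolve outside the directory it is extracted into. The Python below is an added example, not code from Zimbra, Amavis or Rapid7: it builds a constructed cpio "newc" archive, lists its entries without extracting anything, and flags absolute paths and `..` components, the kind of pre-extraction check a mail gateway can apply to any archive before handing it to an extractor.

```python
NEWC_MAGIC = b"070701"   # magic of the SVR4 "newc" cpio format
HEADER_LEN = 110         # fixed ASCII header: 6-byte magic + 13 x 8 hex chars

def _pad4(n):
    """Bytes needed to pad n up to a 4-byte boundary (newc aligns names and data)."""
    return (4 - n % 4) % 4

def build_newc(entries):
    """Build a minimal newc archive from (name, data) pairs. Constructed test data only."""
    out = bytearray()
    for ino, (name, data) in enumerate(entries + [("TRAILER!!!", b"")], start=1):
        namesize = len(name) + 1  # name length including the trailing NUL
        # ino, mode, uid, gid, nlink, mtime, filesize, devmaj, devmin, rdevmaj, rdevmin, namesize, check
        fields = [ino, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, namesize, 0]
        out += NEWC_MAGIC + b"".join(b"%08x" % f for f in fields)
        out += name.encode() + b"\0" + b"\0" * _pad4(HEADER_LEN + namesize)
        out += data + b"\0" * _pad4(len(data))
    return bytes(out)

def list_newc(blob):
    """Yield entry names from a newc archive by walking headers; nothing is extracted."""
    pos = 0
    while pos + HEADER_LEN <= len(blob):
        hdr = blob[pos:pos + HEADER_LEN]
        if hdr[:6] != NEWC_MAGIC:
            raise ValueError("not a newc cpio header at offset %d" % pos)
        filesize = int(hdr[54:62], 16)
        namesize = int(hdr[94:102], 16)
        name = blob[pos + HEADER_LEN:pos + HEADER_LEN + namesize - 1].decode()
        if name == "TRAILER!!!":
            return
        yield name
        pos += HEADER_LEN + namesize + _pad4(HEADER_LEN + namesize)
        pos += filesize + _pad4(filesize)

def unsafe_entries(blob):
    """Return names that would land outside the extraction directory: absolute or containing '..'."""
    return [name for name in list_newc(blob)
            if name.startswith("/") or ".." in name.split("/")]

# Constructed sample: one benign entry, one traversal entry, one absolute-path entry.
SAMPLE = build_newc([
    ("safe/notes.txt", b"hello"),
    ("../../escapes/outside.txt", b"x"),
    ("/tmp/absolute.txt", b"y"),
])

if __name__ == "__main__":
    print("entries:", list(list_newc(SAMPLE)))
    print("unsafe:", unsafe_entries(SAMPLE))
```

A gateway that rejects or quarantines archives with any flagged entry never relies on the extractor's own path handling, whichever tool (cpio or pax) ends up being used.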

On September 14, Zimbra issued a security advisory advising system administrators to install Pax, a portable archiving utility, and restart their Zimbra servers to replace the vulnerable component, cpio.
Installing Pax solves the problem because Amavis prefers it over cpio by default, so no further configuration is required.

"If the pax package is not installed, Amavis will fall-back to using cpio, unfortunately the fall-back is implemented poorly (by Amavis) and will allow an unauthenticated attacker to create and overwrite files on the Zimbra server, including the Zimbra webroot," warned the September security advisory.

"For most Ubuntu servers the pax package should already be installed as it is a dependency of Zimbra. Due to a packaging change in CentOS, there is a high chance pax is not installed."

Vulnerability is being actively exploited

While the vulnerability has been actively exploited since September, a new Rapid7 report sheds light on that exploitation and includes a proof-of-concept exploit that lets attackers easily create malicious archives.

Worse, Rapid7 tests show that many Linux distributions officially supported by Zimbra still do not install Pax by default, leaving these installations vulnerable to the bug.

Oracle Linux 8, Red Hat Enterprise Linux 8, Rocky Linux 8, and CentOS 8 are among these distributions. Pax was included in earlier LTS releases of Ubuntu, 18.04 and 20.04, but it was removed in 22.04.

Since proof-of-concept (PoC) exploits have been publicly available for some time, the risk of failing to implement the workaround is severe. Zimbra intends to address this issue decisively by deprecating cpio and making Pax a requirement for Zimbra Collaboration Suite, thereby mandating its use. 

"In addition to this cpio 0-day vulnerability, Zimbra also suffers from a 0-day privilege escalation vulnerability, which has a Metasploit module. That means that this 0-day in cpio can lead directly to a remote root compromise of Zimbra Collaboration Suite servers," further warn the researchers.

However, the risks persist for existing installations, so administrators must act quickly to protect their ZCS servers.