An unpatched code execution vulnerability in the Zimbra Collaboration software is being actively exploited by attackers using the attacks on backdoor servers.
The attacks began no later than September 7, when a Zimbra customer reported a few days later that a server running the company’s spam filtering engine had processed an email containing a malicious attachment. Within seconds, the scanner copied a malicious Java file to the server and then executed it. With that, the attackers had installed a web shell, with which they could then log in and take control of the server.
Zimbra has not yet released a patch that fixes the vulnerability. Instead, the company has published this guideline advising customers to ensure that a file archiving program known as pax is installed. Unless pax is installed, Amavis handles incoming attachments with cpio, an alternative archiving tool with known vulnerabilities that have never been fixed.
“If the pax package is not installed, Amavis will fall back to using cpio,” writes Zimbra employee Barry de Graaff. “Unfortunately, the fallback is poorly implemented (by Amavis) and an unauthenticated attacker will create and overwrite files on the Zimbra server, including the Zimbra web root.”
The post went on to explain how to install pax. The utility is loaded by default on Ubuntu distributions of Linux, but must be installed manually on most other distributions. The Zimbra vulnerability is tracked as CVE-2022-41352.
The zero-day vulnerability is a byproduct of CVE-2015-1197, a known directory traversal vulnerability in cpio. Researchers at security firm Rapid7 recently said the flaw can only be exploited when Zimbra or another secondary application uses cpio to extract untrusted archives.
Rapid7 researcher Ron Bowes wrote:
To exploit this vulnerability, an attacker would email a .cpio, .tar, or .rpm to an affected server. When Amavis inspects it for malware, it uses cpio to extract the file. Because cpio does not have a mode in which it can be safely used on untrusted files, the attacker can write to any path on the file system that the Zimbra user can access. The most likely outcome is that the attacker puts a shell in the webroot to get remote code execution, although there are likely other possibilities.
Bowes further clarified that two conditions must exist for CVE-2022-41352:
A vulnerable version of cpio must be installed, which is the case on almost every system (see CVE-2015-1197) The pax utility should not be installed as Amavis prefers pax and pax is not vulnerable
Bowes said CVE-2022-41352 is “effectively identical” to CVE-2022-30333, another Zimbra vulnerability that was actively exploited two months ago. While CVE-2022-41352 exploits use files based on the cpio and tar compression formats, the older attacks used tar files.
In last month’s post, Zimbra’s de Graaff said the company plans to make pax a requirement of Zimbra. That will remove the dependency on cpio. In the meantime, however, the only option to mitigate the vulnerability is to install pax and then restart Zimbra.
Even then, at least some risk, theoretical or otherwise, could remain, researchers at security firm Flashpoint warned.
“For Zimbra Collaboration instances, only servers that did not have the ‘pax’ package installed were affected,” company researchers warned. “But other applications can also use cpio on Ubuntu. However, we are currently not aware of other attack vectors. Since the vendor has clearly marked CVE-2015-1197 in version 2.13 as fixed, Linux distributions need to be careful with those vulnerability patches – and don’t just roll back.”