Hackers are actively exploiting an unpatched remote code execution (RCE) vulnerability in Zimbra Collaboration Suite (ZCS), a widely deployed web client and email server.
The zero-day vulnerability is tracked as CVE-2022-41352, rated critical (CVSS v3 score: 9.8), and allows an attacker to upload arbitrary files through Amavis, the email-security layer that scans inbound attachments. Amavis unpacks archives with the `pax` tool when it is available and falls back to `cpio` otherwise; it is the `cpio` extraction path that lets a crafted archive write files outside the extraction directory.
Successful exploitation of the vulnerability allows an attacker to overwrite the Zimbra webroot, implant shellcode, and access other users’ accounts.
Vulnerability actively exploited
While the vulnerability has been actively exploited since September, a new report by Rapid7 sheds further light on that exploitation and includes a PoC exploit that lets attackers create the malicious archives easily.
Even worse, tests conducted by Rapid7 show that many Linux distributions officially supported by Zimbra still do not install Pax by default, making these installations vulnerable to the bug.
These distros include Oracle Linux 8, Red Hat Enterprise Linux 8, Rocky Linux 8, and CentOS 8. Ubuntu’s older LTS releases, 18.04 and 20.04, include Pax, but the package was removed in 22.04.
Since proof-of-concept (PoC) exploits have been publicly available for a while, the risk of not implementing the workaround is dire.
“In addition to this cpio 0-day vulnerability, Zimbra also suffers from a 0-day privilege escalation vulnerability, which has a Metasploit module. That means that this 0-day in cpio can lead directly to a remote root compromise of Zimbra Collaboration Suite servers,” further warn the researchers.
Zimbra plans to mitigate this issue decisively by deprecating cpio and making Pax a prerequisite for Zimbra Collaboration Suite, thus enforcing its use.
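The archive trick that Amavis's `cpio` fallback falls for is the classic cpio symlink traversal (CVE-2015-1197): the archive first carries a symlink entry pointing outside the extraction directory, then a regular-file entry whose path runs through that symlink, and cpio writes the file at the symlink's target. The block below is an added example, not code from Zimbra, Amavis or Rapid7. It builds a minimal SVR4 "newc" cpio archive with exactly that shape (the link target `/tmp/target` and the file names are made-up placeholders), then parses it and flags every entry that would escape the tree: absolute paths, `..` components, symlinks whose target leaves the tree, and paths that pass through an earlier symlink. The same scanner can be pointed at archives quarantined from a mail gateway to see whether this pattern has been arriving.

```python
"""Build and scan SVR4 "newc" cpio archives for entries that an extractor such
as cpio would write outside the extraction directory.

Added example; not code from Zimbra, Amavis or Rapid7. The sample archive
contents are constructed here: the symlink target /tmp/target and the file
names are placeholders chosen only to show the traversal pattern.
"""
import posixpath
import stat

NEWC_MAGIC = b"070701"
HEADER_LEN = 110          # 6-byte magic + 13 eight-character hex fields
TRAILER = b"TRAILER!!!"   # name of the mandatory final entry


def _pad4(n: int) -> int:
    """Bytes needed to round n up to a multiple of 4 (newc alignment rule)."""
    return (4 - n % 4) % 4


def cpio_entry(name: bytes, data: bytes, mode: int) -> bytes:
    """Serialise one newc entry. For a symlink, data is the link target."""
    # field order: ino mode uid gid nlink mtime filesize devmajor devminor
    #              rdevmajor rdevminor namesize check
    fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name) + 1, 0]
    entry = NEWC_MAGIC + b"".join(b"%08x" % f for f in fields) + name + b"\0"
    entry += b"\0" * _pad4(len(entry))           # header+name padded to 4
    entry += data + b"\0" * _pad4(len(data))     # data padded to 4
    return entry


def build_archive(entries) -> bytes:
    """entries: iterable of (name, data, mode). Appends the trailer entry."""
    body = b"".join(cpio_entry(n, d, m) for n, d, m in entries)
    return body + cpio_entry(TRAILER, b"", 0)


def parse_cpio(buf: bytes):
    """Yield (name, mode, data) for each entry up to the trailer."""
    off = 0
    while True:
        if buf[off:off + 6] != NEWC_MAGIC:
            raise ValueError("not a newc cpio header at offset %d" % off)
        fields = [int(buf[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = fields[1], fields[6], fields[11]
        name_off = off + HEADER_LEN
        name = buf[name_off:name_off + namesize - 1]      # drop trailing NUL
        data_off = name_off + namesize
        data_off += _pad4(data_off - off)
        data = buf[data_off:data_off + filesize]
        if name == TRAILER:
            return
        yield name.decode(), mode, data
        off = data_off + filesize + _pad4(filesize)


def scan_cpio(buf: bytes):
    """Return a list of (entry_name, reason) for entries that escape the tree.

    cpio follows a symlink it has just extracted when writing a later entry
    whose path passes through it, so that case is flagged as well.
    """
    findings = []
    symlinks = set()
    for name, mode, data in parse_cpio(buf):
        parts = name.split("/")
        if name.startswith("/"):
            findings.append((name, "absolute path"))
        elif ".." in parts:
            findings.append((name, "parent-directory traversal"))
        if stat.S_ISLNK(mode):
            target = data.decode()
            if target.startswith("/") or ".." in target.split("/"):
                findings.append((name, "symlink escapes tree: %s" % target))
            symlinks.add(posixpath.normpath(name))
        else:
            for i in range(1, len(parts)):
                prefix = "/".join(parts[:i])
                if posixpath.normpath(prefix) in symlinks:
                    findings.append((name, "path passes through symlink %s" % prefix))
                    break
    return findings


def malicious_archive() -> bytes:
    """Constructed sample: symlink out of the tree, then a file written through it."""
    return build_archive([
        (b"x", b"/tmp/target", stat.S_IFLNK | 0o777),
        (b"x/dropped.txt", b"hello\n", stat.S_IFREG | 0o644),
    ])


def benign_archive() -> bytes:
    """Constructed sample with nothing that leaves the extraction directory."""
    return build_archive([
        (b"docs", b"", stat.S_IFDIR | 0o755),
        (b"docs/readme.txt", b"just text\n", stat.S_IFREG | 0o644),
    ])


if __name__ == "__main__":
    for label, archive in (("malicious", malicious_archive()), ("benign", benign_archive())):
        print(label, scan_cpio(archive))
```

The scanner is deliberately stricter than cpio itself: pax refuses these entries at extraction time, which is why making it the preferred unpacker closes the hole, but rejecting such archives before they reach any unpacker costs nothing and catches the same payloads regardless of which tool Amavis would have chosen.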
However, the risk remains for existing installations, so administrators need to act immediately: install the pax package on the ZCS host (`yum install pax` on RHEL-family systems, `apt install pax` on Ubuntu), then restart Amavis so it detects pax as its archive decoder instead of cpio, and apply the vendor patch as soon as it is available.