
RCE vulnerability in Zimbra Collaboration Suite

Reference: Advisory #2022-029
Version: 1.0
Affected software: Zimbra Collaboration Suite v8.8.15 and v9.0
Type: RCE
CVE/CVSS: CVE-2022-41352
9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

CVE-2022-41352 | AttackerKB

Unpatched Zero-Day RCE Vulnerability in Zimbra Collaboration Suite | Rapid7 Blog

NVD - CVE-2022-41352 (nist.gov)

Risks

A remote unauthenticated attacker can exploit the 0-day vulnerability CVE-2022-41352 to gain unauthorized access to the parts of the server filesystem that the Zimbra user can access.

The attack does not require any user interaction and can be executed remotely by sending an email with a malicious attachment. The impact on confidentiality, integrity and availability is high.

This vulnerability is actively exploited and Proof-of-Concept (PoC) exploit code is available.

The Centre for Cybersecurity Belgium recommends that system administrators patch vulnerable systems as soon as possible and analyze system and network logs for any suspicious activity. This report contains instructions to help your organization.

In case of an intrusion, you can report an incident via:
https://cert.be/en/report-incident

Description

On October 6th, Rapid7 published an article describing CVE-2022-41352, a 0-day vulnerability in Zimbra Collaboration Suite.
The vulnerability is a remote code execution flaw that arises from unsafe use of the cpio utility, which Zimbra uses to extract email attachments for malware inspection.
An attacker could exploit CVE-2022-41352 by sending an email with a malicious attachment carrying a .cpio, .tar or .rpm extension. Extracting this attachment gives write access to the filesystem that hosts the Zimbra software, with the permissions of the Zimbra user.
This vulnerability could likely be used to plant a shell in the web root to gain remote code execution.

Affected products

Zimbra Collaboration Suite v8.8.15 and v9.0

Remark

There are two conditions for these products to be exploitable:
- A vulnerable version of “cpio” must be installed. This is installed by default on most systems.
- The “pax” utility must not be installed.
More info on vulnerable distros that Zimbra officially supports in their default configurations: CVE-2022-41352 | AttackerKB

Recommended Actions

Mitigate/workaround
• Customers can install the “pax” module, which avoids using the vulnerable “cpio” module.
• More info: Security Update - make sure to install pax/spax - Zimbra : Blog

Monitor/Detect

The CCB recommends that organizations scale up their monitoring and detection capabilities to detect any related suspicious activity, ensuring a fast response in case of an intrusion.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

When applying patches to systems that have been vulnerable to an RCE exploit, a proactive threat assessment should be performed to verify no exploitation occurred in the time between a patch becoming available and being applied.

Indicators of Attack
- Scan the log for .cpio, .tar or .rpm files. This might reveal exploitation attempts:
  Path: /opt/zimbra/log/mailbox.log
  o Remark: the attacker has the permissions to alter or delete the logs.
- Check the system for a malicious webshell.
  o Likely path: /opt/zimbra/jetty_base/webapps/...
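The two exploitability conditions from the Remark and the two indicators listed above, combined into one triage script. This is an added example, not part of the CCB advisory; it assumes only the paths the advisory names, and the sample log lines it runs against are constructed, not real mailbox.log output (real entries look different, so matching keys only on the attachment extension).

```shell
#!/bin/sh
# Added triage helper for CVE-2022-41352 (not part of the CCB advisory).
# Paths come from the advisory; the sample log lines below are CONSTRUCTED and
# real mailbox.log entries look different, so matching keys only on the
# attachment extensions the advisory names (.cpio, .tar, .rpm).

MAILBOX_LOG="${MAILBOX_LOG:-/opt/zimbra/log/mailbox.log}"
WEBAPPS_DIR="${WEBAPPS_DIR:-/opt/zimbra/jetty_base/webapps}"

# Exploitability condition: the host is only at risk when pax (or spax) is
# absent, because then Zimbra falls back to the vulnerable cpio path.
pax_status() {
    if command -v pax >/dev/null 2>&1 || command -v spax >/dev/null 2>&1; then
        echo "pax-present"
    else
        echo "pax-missing"
    fi
}

# Indicator 1: count log lines that mention an attachment with a .cpio, .tar
# or .rpm extension (names such as x.tar.gz are caught too). $1 = log file.
count_suspicious_attachments() {
    grep -Eic '\.(cpio|tar|rpm)([^[:alnum:]]|$)' "${1:-$MAILBOX_LOG}" || true
}

# Indicator 2: files under the Jetty webapps tree changed in the last $2 days,
# one path per line; a web shell written by the Zimbra user would show up here.
recent_webapp_files() {
    find "${1:-$WEBAPPS_DIR}" -type f -mtime "-${2:-7}" 2>/dev/null
}

# Stand-alone run against constructed data (no real Zimbra host needed).
demo() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
2022-10-06 10:01:02 INFO  constructed: stored attachment "quarterly.pdf"
2022-10-06 10:03:15 INFO  constructed: stored attachment "update.cpio"
2022-10-06 10:04:00 INFO  constructed: stored attachment "archive.tar"
2022-10-06 10:05:30 INFO  constructed: stored attachment "notes.txt"
2022-10-06 10:06:45 INFO  constructed: stored attachment "package.rpm"
EOF
    echo "pax: $(pax_status)"
    echo "suspicious attachment lines: $(count_suspicious_attachments "$tmp")"
    rm -f "$tmp"
}

demo
```

On a real host, run the two indicator functions against the advisory's paths and review every hit by hand; a zero count is not proof of safety, since the advisory notes the attacker can alter or delete the logs.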