Unpatched Zimbra RCE bug exploited by attackers (CVE-2022-41352)

A still unpatched vulnerability (CVE-2022-41352) in Zimbra Collaboration is being exploited by attackers to achieve remote code execution on vulnerable servers.

About the vulnerability

Zimbra Collaboration (formerly Zimbra Collaboration Suite) is a cloud-hosted collaboration software suite that also includes an email server component and a web client component.

CVE-2022-41352 exists because Zimbra’s Amavis antivirus engine uses the cpio utility to scan inbound emails.

“CVE-2022-41352 is effectively identical to CVE-2022-30333 but leverages a different file format (.cpio and .tar versus .rar). It is also a byproduct of a much older (unfixed) vulnerability, CVE-2015-1197,” explained Ron Bowes, a security researcher with Rapid7.
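The root issue is that an antivirus layer extracts attacker-supplied archives with a tool that does not confine entries to the extraction directory. The following is an added example (not Rapid7’s proof of concept and not Zimbra or Amavis code) showing what a defender-side pre-filter can check before an archive is handed to an extractor: it parses the SVR4 “newc” cpio format (assumed from the public format description, magic `070701`), and flags entries whose path escapes the extraction directory or that are symbolic links, the class of archive content behind traversal bugs such as CVE-2015-1197. The sample archive is constructed inline.

```python
import stat

CPIO_MAGIC = b"070701"          # "newc" (SVR4, no CRC) header magic

def _pad4(n):
    return (4 - n % 4) % 4

def build_newc(entries):
    """Build a newc cpio archive from (name, mode, data) tuples (constructed sample input)."""
    out = bytearray()
    for ino, (name, mode, data) in enumerate(entries + [("TRAILER!!!", 0, b"")], 1):
        nameb = name.encode() + b"\0"
        # ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor, rdevmajor, rdevminor, namesize, check
        fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nameb), 0]
        hdr = CPIO_MAGIC + b"".join(b"%08x" % f for f in fields)
        out += hdr + nameb + b"\0" * _pad4(len(hdr) + len(nameb))
        out += data + b"\0" * _pad4(len(data))
    return bytes(out)

def iter_newc(blob):
    """Yield (name, mode, data) for each entry; a symlink's data is its target path."""
    off = 0
    while off + 110 <= len(blob):
        if blob[off:off + 6] != CPIO_MAGIC:
            raise ValueError("bad cpio magic at offset %d" % off)
        f = [int(blob[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name = blob[off + 110:off + 110 + namesize - 1].decode(errors="replace")
        off += 110 + namesize + _pad4(110 + namesize)   # header + name, padded to 4
        data = blob[off:off + size]
        off += size + _pad4(size)                        # file data, padded to 4
        if name == "TRAILER!!!":
            return
        yield name, mode, data

def suspicious_entries(blob):
    """Return (name, reason) for entries an extracting scanner should not follow blindly."""
    findings = []
    for name, mode, data in iter_newc(blob):
        if name.startswith("/") or ".." in name.split("/"):
            findings.append((name, "path resolves outside the extraction directory"))
        if stat.S_ISLNK(mode):
            findings.append((name, "symlink to " + data.decode(errors="replace")))
    return findings

# Constructed sample: one benign file, one symlink entry, one traversal path.
SAMPLE_ARCHIVE = build_newc([
    ("report.txt", stat.S_IFREG | 0o644, b"quarterly numbers"),
    ("tmp/link", stat.S_IFLNK | 0o777, b"../../outside"),
    ("../escape.txt", stat.S_IFREG | 0o644, b"x"),
])
```

Running `suspicious_entries(SAMPLE_ARCHIVE)` reports the symlink and the `..` entry and passes the plain file, which is the decision a mail-scanning layer needs to make before any extraction happens.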

To neutralize the danger of CVE-2022-41352 being exploited, Synacor (the company developing Zimbra) advised administrators to install an alternative package called pax on affected servers and to restart them, so that Amavis can switch to using it instead of cpio.

“This issue will also be addressed in the next Zimbra patch, where we will make pax a requirement of Zimbra,” they added, but did not say when that patch would be released.

CVE-2022-41352 exploitation

The first instances of in-the-wild exploitation were flagged in early September and, a few days later, Synacor shared the above-mentioned workaround.

If Zimbra is running on Ubuntu 20.04 or 18.04, admins don’t need to do anything, but installations on Oracle Linux 8, Red Hat Enterprise Linux 8, Rocky Linux 8 and CentOS 8 are vulnerable to attack and should implement the workaround.

Last Thursday, Rapid7 published more technical details about the flaw, and shared proof-of-concept exploit code and indicators of compromise (IoCs) that enterprise defenders can use.

Security-wise, this has been a bad year for Zimbra and its users: as documented in this CISA alert, five different vulnerabilities have been exploited by attackers since the beginning of the year, and now CVE-2022-41352.

“It’s not really [Synacor’s] fault, they use Amavis which uses cpio which is vulnerable to CVE-2015-1197, but the attack surface for incoming emails is HUGE. Not to mention, this is one of several vulnerabilities this year that was being exploited in the wild before being discovered, which suggests Zimbra is an active target for the Bad Guys,” Bowes noted.

“If you’re still using Zimbra, you might want to seriously reconsider. I betcha there are others, and they’re probably being exploited.”
