Hackers are actively exploiting an unpatched remote code execution (RCE) vulnerability in Zimbra Collaboration Suite (ZCS), a widely deployed web client and email server.
The zero-day vulnerability is tracked as CVE-2022-41352, rated critical (CVSS v3 score: 9.8), and allows an attacker to upload arbitrary files through Amavis, the suite’s email security system.
Successful exploitation of the vulnerability allows an attacker to overwrite the Zimbra webroot, implant shellcode, and access other users’ accounts.
The vulnerability was discovered as a zero-day at the start of September when admins posted details of attacks on Zimbra forums.
Caused by insecure usage of cpio
The root cause of the vulnerability is using the ‘cpio’ file archiving utility to extract archives when Amavis scans a file for viruses.
The cpio component has a flaw that allows an attacker to create archives that can be extracted anywhere on a filesystem accessible to Zimbra.
When an email is sent to a Zimbra server, the Amavis security system will extract the archive to perform a virus scan of its contents. However, if it extracts a specially crafted .cpio, .tar, or .rpm archive, the contents could be extracted to the Zimbra webroot.
Using this vulnerability, an attacker could deploy web shells to the Zimbra root, effectively giving them shell access to the server.
Zimbra released a security advisory on September 14 warning system administrators to install Pax, a portable archiving utility that replaces the vulnerable cpio component, and then restart their Zimbra servers.
“If the pax package is not installed, Amavis will fall-back to using cpio; unfortunately, the fall-back is implemented poorly (by Amavis) and will allow an unauthenticated attacker to create and overwrite files on the Zimbra server, including the Zimbra webroot,” warned the September security advisory.
“For most Ubuntu servers the pax package should already be installed as it is a dependency of Zimbra. Due to a packaging change in CentOS, there is a high chance pax is not installed.”
Installing Pax is enough to mitigate the problem, as Amavis automatically prefers it over cpio, so no further configuration is required.
Vulnerability actively exploited
While the vulnerability has been actively exploited since September, a new report by Rapid7 again sheds light on its active exploitation and includes a PoC exploit that allows attackers to create malicious archives easily.
Even worse, tests conducted by Rapid7 show that many Linux distributions officially supported by Zimbra still do not install Pax by default, making these installations vulnerable to the bug.
These distros include Oracle Linux 8, Red Hat Enterprise Linux 8, Rocky Linux 8, and CentOS 8. Ubuntu’s older LTS releases, 18.04 and 20.04, include Pax, but the package was removed in 22.04.
Since proof-of-concept (PoC) exploits have been publicly available for a while, the risk of not implementing the workaround is dire.
“In addition to this cpio 0-day vulnerability, Zimbra also suffers from a 0-day privilege escalation vulnerability, which has a Metasploit module. That means that this 0-day in cpio can lead directly to a remote root compromise of Zimbra Collaboration Suite servers,” further warn the researchers.
Zimbra plans to mitigate this issue decisively by deprecating cpio and making Pax a prerequisite for Zimbra Collaboration Suite, thus enforcing its use.
However, the risks remain for existing installations, so administrators need to take immediate action to protect their ZCS servers.