A zero-day flaw has been discovered in Zimbra Collaboration Suite, a collaboration suite that acts, among other things, as a mail server. By exploiting this vulnerability, an attacker can compromise a remote Zimbra server.
Tracked as CVE-2022-41352, the vulnerability carries a CVSSv3 score of 9.8 out of 10, making it a critical issue. It allows an unauthenticated attacker to write arbitrary files on the server through Amavis, the content-filtering component that scans incoming and outgoing emails. By exploiting it, the attacker can overwrite Zimbra’s webroot, obtain remote code execution, and gain access to other users’ accounts.
The root cause has been identified: it is the “cpio” archiving utility, which Amavis uses to unpack attachments when it scans a file for viruses. cpio writes each archive member to whatever path the archive names for it, so an attacker can craft special archives (.CPIO, .TAR or .RPM files) whose contents are extracted anywhere on the filesystem that the Zimbra user can write to.
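To make the mechanism concrete, here is an added example (not Zimbra’s or Amavis’s code, and not a working exploit for the product): a minimal writer and reader for the newc cpio format, a constructed archive whose member names point outside the extraction directory, and the path check that an unpacker has to apply before writing each member. The member names, the scan directory and the `safe_extract` helper are assumptions made for the illustration.

```python
import os
import posixpath

# Added example (not Zimbra's or Amavis's code): a minimal newc-format cpio
# writer/reader plus the path check an extractor needs before writing each
# member. Plain cpio trusts the member name as given, which is the weakness
# the text describes.

MAGIC = b"070701"          # newc ("SVR4 without CRC") magic
HEADER_LEN = 110           # 6-byte magic + 13 eight-digit hex fields
TRAILER = "TRAILER!!!"


def _pad4(n):
    """Bytes of NUL padding needed to bring n up to a multiple of 4."""
    return (-n) % 4


def cpio_newc_build(members):
    """Pack (name, data) pairs as regular files into a newc cpio archive."""
    out = bytearray()
    for ino, (name, data) in enumerate(list(members) + [(TRAILER, b"")], 1):
        nb = name.encode()
        fields = [ino, 0o100644, 0, 0, 1, 0, len(data),  # ino mode uid gid nlink mtime filesize
                  0, 0, 0, 0, len(nb) + 1, 0]            # devmaj devmin rdevmaj rdevmin namesize check
        out += MAGIC + b"".join(b"%08X" % f for f in fields)
        out += nb + b"\0" + b"\0" * _pad4(HEADER_LEN + len(nb) + 1)
        out += data + b"\0" * _pad4(len(data))
    return bytes(out)


def cpio_newc_members(blob):
    """Yield (name, data) for every member up to the trailer."""
    pos = 0
    while True:
        hdr = blob[pos:pos + HEADER_LEN]
        if hdr[:6] != MAGIC:
            raise ValueError("not a newc cpio archive at offset %d" % pos)
        fields = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name = blob[pos + HEADER_LEN:pos + HEADER_LEN + namesize - 1].decode()
        pos += HEADER_LEN + namesize
        pos += _pad4(pos)                      # headers are 4-byte aligned
        data = bytes(blob[pos:pos + filesize])
        pos += filesize + _pad4(filesize)
        if name == TRAILER:
            return
        yield name, data


def is_safe_member(name, root):
    """True only if writing `name` under `root` cannot land outside `root`.

    Rejects empty and absolute names, any `..` that climbs above root, and
    (via realpath) targets that a symlink already present inside root would
    redirect elsewhere.
    """
    if not name or name.startswith("/"):
        return False
    norm = posixpath.normpath(name)
    if norm == ".." or norm.startswith("../"):
        return False
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, norm))
    return target == root or target.startswith(root + os.sep)


def safe_extract(blob, dest):
    """Write only the safe regular-file members; return the rejected names."""
    rejected = []
    for name, data in cpio_newc_members(blob):
        if not is_safe_member(name, dest):
            rejected.append(name)
            continue
        target = os.path.join(dest, posixpath.normpath(name))
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(data)
    return rejected


# Constructed sample (hypothetical names): one harmless member and two that
# an unchecked extractor would write outside the scan directory.
EXAMPLE_MEMBERS = [
    ("scan/report.txt", b"clean"),
    ("../escape.txt", b"written one level above the scan dir"),
    ("/tmp/absolute.txt", b"written to an absolute path"),
]


def demo():
    """Round-trip the sample archive through safe_extract in a temp dir."""
    import tempfile
    blob = cpio_newc_build(EXAMPLE_MEMBERS)
    with tempfile.TemporaryDirectory() as scan_dir:
        rejected = safe_extract(blob, scan_dir)
        written = sorted(
            os.path.relpath(os.path.join(d, f), scan_dir)
            for d, _, files in os.walk(scan_dir) for f in files)
    return rejected, written


if __name__ == "__main__":
    print(demo())  # (['../escape.txt', '/tmp/absolute.txt'], ['scan/report.txt'])
```

The check refuses absolute names and any path that normalises to a parent of the extraction root; the `realpath` comparison additionally catches a member whose path runs through a symlink already sitting inside the root. An unpacker that also creates symlinks from archive members must refuse to follow them on later writes, which is exactly the kind of handling the text says the cpio fallback lacks.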
The zero-day has been discussed on the Zimbra forums since early September 2022, after some Zimbra administrators noticed attacks against their servers (see an example here).
Following this alert, Zimbra released a security advisory on September 14 asking administrators to install pax, another archiving utility, in place of the vulnerable cpio. Amavis picks pax up automatically once it is installed and Zimbra is restarted. Zimbra’s security bulletin states: “If the pax package is not installed, Amavis will fall back on using cpio; unfortunately this solution is poorly implemented (by Amavis) and will allow an unauthenticated attacker to create and overwrite files on the Zimbra server, including the Zimbra webroot.”
On CentOS, pax is most likely not installed by default, so cpio is used; on Ubuntu it is pulled in as a dependency, depending on the version. If in doubt, check your Zimbra server, because according to a report by Rapid7 many distributions, including Oracle Linux 8, Red Hat Enterprise Linux 8, Rocky Linux 8 and CentOS 8, do not ship the “pax” package. On the Ubuntu side, the older LTS releases 18.04 and 20.04 include pax, but the package was removed in 22.04. Going forward, Zimbra will make pax a mandatory dependency for new installations.
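The check an administrator wants here is simply “is an executable pax on the path Amavis will search?”. The following is an added example (not Zimbra’s or Amavis’s code) that answers it with a standard PATH lookup and shows the one edge case worth knowing: a pax file without the execute bit counts as absent. The `search_path` parameter and the `demo` helper are assumptions made for the illustration.

```python
import os
import shutil
import stat

# Added example (not Zimbra's or Amavis's code): decide which archiver
# Amavis would fall back on by looking for pax the way a shell does, i.e.
# a PATH lookup that requires the execute bit.


def amavis_archiver(search_path=None):
    """Return 'pax' if an executable pax is on search_path (default: $PATH),
    otherwise 'cpio', the fallback the advisory warns about."""
    return "pax" if shutil.which("pax", path=search_path) else "cpio"


def report(search_path=None):
    """Human-readable verdict for an administrator."""
    if amavis_archiver(search_path) == "pax":
        return "pax found: Amavis will use pax to unpack attachments"
    return ("pax NOT found: Amavis will fall back on cpio; install the "
            "distribution's pax package and restart Zimbra")


def demo():
    """Probe constructed directories: empty, a non-executable pax, an executable pax."""
    import tempfile
    results = {}
    with tempfile.TemporaryDirectory() as d:
        results["empty"] = amavis_archiver(d)
        fake = os.path.join(d, "pax")          # constructed stand-in, not real pax
        with open(fake, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        results["non_executable"] = amavis_archiver(d)   # mode bit matters
        os.chmod(fake, os.stat(fake).st_mode | stat.S_IXUSR)
        results["executable"] = amavis_archiver(d)
    return results


if __name__ == "__main__":
    print(report())   # verdict for the real $PATH of this host
    print(demo())     # {'empty': 'cpio', 'non_executable': 'cpio', 'executable': 'pax'}
```

Run it as the zimbra user on the server so that the PATH being searched is the one the Amavis process actually sees; a pax installed somewhere outside that PATH does not change the fallback.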