A severe zero-day vulnerability has been discovered in Zimbra Collaboration Suite (ZCS); it was under active exploitation before any patch was released.
Zimbra Collaboration Suite Zero-Day Vulnerability
Reportedly, an unpatched remote code execution flaw exists in the Zimbra Collaboration Suite (ZCS). Exploiting it lets an attacker write arbitrary files onto the mail server and, from there, gain access to users' accounts. ZCS is a dedicated software suite that bundles an email server with a web client.
The critical zero-day vulnerability (CVE-2022-41352, CVSS 9.8) first came to light in September 2022, when Zimbra administrators described it on the Zimbra forums.
According to the post, the administrators noticed an adversary uploading malicious files into the web client by sending specially crafted emails. Zimbra acknowledged the issue on the thread and agreed to address it in a subsequent update, but the patch was still pending at the time of writing. Comments on the post indicate the bug remained unpatched through late September, leaving affected organizations exposed.
Elaborating on the vulnerability in a post, Rapid7 researchers stated that the flaw stems from how Amavis, the content filter Zimbra uses to scan inbound email, unpacks archive attachments with cpio. Exploiting it only requires sending the target server an email carrying a .cpio, .tar, or .rpm attachment; when Amavis extracts the attachment with cpio, the flaw is triggered. Explaining the reason behind this behavior, the researchers stated,
"Since cpio has no mode where it can be securely used on untrusted files, the attacker can write to any path on the filesystem that the Zimbra user can access."
No Patch Yet, But Workaround Available
Zimbra has not yet released a patch for the vulnerability, but it has published a workaround in a separate advisory: install the pax package on Zimbra servers.
Amavis uses pax to unpack archive attachments while scanning them. When pax is absent, Amavis falls back to cpio, and that fallback is what triggers the vulnerability; systems with pax installed are therefore not affected. Note that installing pax does not fix cpio itself, it only stops Amavis from using it, and since Amavis chooses its unpackers when it starts, it should be restarted after pax is installed.
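To check whether a host still has the cpio fallback in play, here is an added POSIX shell example; it is not Zimbra's or Rapid7's code. It assumes that Amavis prefers pax and falls back to cpio when pax is missing (as the advisory describes), that the Amavis startup log reports the chosen decoder with lines like "Found decoder for .cpio at /usr/bin/pax" (assumed wording; adjust the pattern if your version differs), and that on Zimbra that log is /opt/zimbra/log/amavisd.log (assumed path). The functions take the PATH and log file as parameters so the logic can be exercised against a constructed directory and log.

```sh
#!/bin/sh
# Added example, not Zimbra's or Rapid7's code: does this host still rely on
# Amavis' cpio fallback (the condition behind CVE-2022-41352)?
# Assumptions: Amavis prefers pax and falls back to cpio when pax is missing
# (as Zimbra's workaround advisory describes); its startup log reports the
# decoder it picked with lines like "Found decoder for .cpio at /usr/bin/pax"
# (assumed wording, adjust the pattern if your version differs); on Zimbra the
# log is /opt/zimbra/log/amavisd.log (assumed path).

# have_tool NAME PATHLIST: succeed if an executable NAME exists in PATHLIST
# (colon separated). Runs in a subshell so changing IFS does not leak out.
have_tool() (
  IFS=:
  for dir in $2; do
    if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
      return 0
    fi
  done
  return 1
)

# choose_unpacker PATHLIST: the archive unpacker Amavis would settle on:
# "pax" when available, otherwise the unsafe "cpio", otherwise "none".
choose_unpacker() {
  if have_tool pax "$1"; then
    echo pax
  elif have_tool cpio "$1"; then
    echo cpio
  else
    echo none
  fi
}

# decoder_from_log LOGFILE EXT: the binary the Amavis log last reported as the
# decoder for archives with extension .EXT (e.g. "cpio"); empty if not logged.
decoder_from_log() {
  [ -r "$1" ] || return 1
  sed -n "s/.*Found decoder for \.$2 at \([^ ]*\).*/\1/p" "$1" | tail -n 1
}

# assess PATHLIST LOGFILE: print a verdict; return 0 if the cpio fallback is
# not in use, 1 if the host is still exposed.
assess() {
  picked=$(choose_unpacker "$1")
  logged=$(decoder_from_log "$2" cpio)
  case "$picked" in
    cpio)
      echo "EXPOSED: pax is missing, Amavis will fall back to cpio."
      echo "Fix: install pax (apt-get install pax / yum install pax), then restart Amavis."
      return 1 ;;
    none)
      echo "Neither pax nor cpio found; archive attachments will not be unpacked." ;;
    pax)
      echo "pax is installed; the cpio fallback will not be used once Amavis restarts." ;;
  esac
  # A running Amavis keeps the decoder it found at startup, so the binary on
  # disk is not enough: the log must also show pax, not cpio, handling .cpio.
  case "$logged" in
    *cpio*)
      echo "EXPOSED: the Amavis log still shows cpio selected ($logged); restart Amavis."
      return 1 ;;
  esac
  echo "OK: cpio fallback not in use."
  return 0
}

# Real host usage (assumed log path):
#   assess "$PATH" /opt/zimbra/log/amavisd.log
```

The second check matters because Amavis enumerates its decoders at startup: a host where pax was installed but Amavis was never restarted will still be extracting attachments with cpio, and only the log (or a restart) tells you which one is actually in use.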