Unpatched Zimbra RCE bug exploited by attackers (CVE-2022-41352)

A still unpatched vulnerability (CVE-2022-41352) in Zimbra Collaboration is being exploited by attackers to achieve remote code execution on vulnerable servers.

About the vulnerability

Zimbra Collaboration (formerly Zimbra Collaboration Suite) is cloud-hosted collaboration software suite that also includes an email server component and a web client component.

CVE-2022-41352 exists due to Zimbra’s Amavis antivirus engine using the cpio method to scan inbound emails.

“CVE-2022-41352 is effectively identical to CVE-2022-30333 but leverages a different file format (.cpio and .tar as opposed to .rar). It is also a byproduct of a much older (unfixed) vulnerability, CVE-2015-1197,” explained Ron Bowes, a security researcher with Rapid7.

To neutralize the danger of CVE-2022-41352 getting exploited, Synacor (the company developing Zimbra) advised administrators to install an alternative package called pax on affected servers and to restart them, so that Amavis can switch to using it instead of cpio.

“This issue will also be addressed in the next Zimbra patch where we will make pax a requirement of Zimbra,” they added, but did not say when that patch will be released.

CVE-2022-41352 exploitation

First instances of in-the-wild exploitation were flagged in early September and, a few days later Synacor shared the above mentioned workaround.

If Zimbra is running on Ubuntu 20.04 or 18.04, admins don’t have to do anything, but Oracle Linux 8, Red Hat Enterprise Linux 8, Rocky Linux 8 and CentOS 8 are vulnerable to attack and should implement the workaround.

Last Thursday, Rapid7 published additional technical information about the flaw, and shared proof-of-concept exploit code and indicators of compromise (IoCs) enterprise defenders can use.

Security-wise, this has been a bad year for Zimbra and its users: as documented in this CISA alert, five other vulnerabilities have been exploited by attackers since the beginning of the year, and now CVE-2022-41352.

“It’s not really [Synacor’s] fault, they use Amavis which uses cpio which is vulnerable to CVE-2015-1197, but the attack surface for incoming emails is HUGE. Not to mention, this is one of several vulnerabilities this year that was being exploited in the wild before being discovered, which means Zimbra is an active target for the Bad Guys,” Bowes noted.

“If you’re still using Zimbra, you might want to seriously reconsider. I betcha there are others, and they’re probably being exploited.”

UPDATE (October 14, 2022, 10:20 a.m. ET):

Kaspersky researchers say that they were “able to confirm that unknown APT groups have actively been exploiting this vulnerability in the wild, one of which is systematically infecting all vulnerable servers in Central Asia.”