Hackers are actively attempting to exploit an unpatched remote code execution (RCE) vulnerability in Zimbra Collaboration Suite (ZCS), a popular web client and email server.
The zero-day, tracked as CVE-2022-41352, is rated critical (CVSS v3 score: 9.8) and lets an unauthenticated attacker write arbitrary files to the server through Amavis, the content filter Zimbra uses to scan incoming mail.
An attacker who successfully exploits the vulnerability can write into the Zimbra webroot, drop a web shell there, and from that foothold read mail and reach other users' accounts.
The zero-day was first reported at the beginning of September 2022, when administrators posted details of attacks on the Zimbra forums.
Due to insecure cpio usage
The vulnerability is caused by Amavis' use of the 'cpio' archiving utility to unpack archives when scanning a message for viruses. cpio has a long-known weakness in how it handles paths during extraction (it follows symbolic links that appear in member paths, CVE-2015-1197), so a crafted archive can place files anywhere on the filesystem that the extracting user, in this case the zimbra account, is allowed to write.
When an email arrives at a Zimbra server, Amavis unpacks any attached archive and scans its contents for viruses. If the attachment is a specially crafted .cpio, .tar, or .rpm archive, its contents can be written into the Zimbra webroot instead of the scratch directory. An attacker can use this to deploy a web shell into the webroot, which amounts to shell access to the server as the zimbra user.
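The dangerous member patterns described above can be recognised before an archive is ever handed to an extractor. The following Python pre-filter for newc-format cpio archives is an added example, not Zimbra or Amavis code: it parses the archive header by header and flags absolute paths, ".." traversal, symlinks that point outside the extraction directory, and regular files whose path passes through an earlier symlink member (the symlink-then-file sequence that a symlink-following extractor turns into a write to the link target). The sample archive is constructed inline; the member names and the webroot path under /opt/zimbra are assumptions made for illustration and do not come from the article.

```python
"""Static pre-filter for newc-format cpio archives (added example, not Zimbra
or Amavis code). Flags member patterns that turn extraction into an arbitrary
file write: absolute paths, ".." components, symlinks pointing outside the
extraction directory, and files written through an earlier symlink member."""
import io
import posixpath
import stat

NEWC_MAGIC = b"070701"
HEADER_LEN = 110          # magic (6 bytes) + 13 fields x 8 hex chars
TRAILER = "TRAILER!!!"


def _pad4(n):
    """newc pads header+name and file data to 4-byte boundaries."""
    return (4 - n % 4) % 4


def build_newc(entries):
    """Write a minimal newc archive from (name, mode, data) tuples.
    Used here only to construct sample input; a symlink member's data is
    its link target, as in a real archive."""
    out = io.BytesIO()
    for ino, (name, mode, data) in enumerate(entries + [(TRAILER, 0, b"")], 1):
        namez = name.encode() + b"\0"
        # ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor,
        # rdevmajor, rdevminor, namesize, check
        fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(namez), 0]
        out.write(NEWC_MAGIC + b"".join(b"%08X" % f for f in fields))
        out.write(namez + b"\0" * _pad4(HEADER_LEN + len(namez)))
        out.write(data + b"\0" * _pad4(len(data)))
    return out.getvalue()


def iter_newc(buf):
    """Yield (name, mode, data) for each member, stopping at the trailer."""
    pos = 0
    while True:
        if buf[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError("not a newc cpio header at offset %d" % pos)
        f = [int(buf[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name_pos = pos + HEADER_LEN
        name = buf[name_pos:name_pos + namesize - 1].decode("utf-8", "replace")
        data_pos = name_pos + namesize + _pad4(HEADER_LEN + namesize)
        data = buf[data_pos:data_pos + size]
        pos = data_pos + size + _pad4(size)
        if name == TRAILER:
            return
        yield name, mode, data


def _escapes(path):
    """True if a member name or link target can leave the extraction dir."""
    norm = posixpath.normpath(path)
    return path.startswith("/") or norm == ".." or norm.startswith("../")


def audit_newc(buf):
    """Return a list of (finding, member name) for members that are unsafe
    to extract with a tool that follows symlinks in path components."""
    findings = []
    symlinks = set()
    for name, mode, data in iter_newc(buf):
        if _escapes(name):
            findings.append(("escaping_path", name))
        if stat.S_ISLNK(mode):
            symlinks.add(posixpath.normpath(name))
            if _escapes(data.decode("utf-8", "replace")):
                findings.append(("escaping_symlink", name))
        elif stat.S_ISREG(mode):
            # Any ancestor directory that is an earlier symlink member means
            # the file lands wherever that link points, not in the scratch dir.
            parts = posixpath.normpath(name).split("/")
            for i in range(1, len(parts)):
                if "/".join(parts[:i]) in symlinks:
                    findings.append(("write_through_symlink", name))
                    break
    return findings


# Constructed sample: a link named "pub" to an assumed Zimbra webroot path,
# then a JSP dropped "inside" that link, plus a plain ".." traversal member.
# Names and the target directory are assumptions for illustration only.
SAMPLE = build_newc([
    ("pub", 0o120777, b"/opt/zimbra/jetty/webapps/zimbra/public"),
    ("pub/x.jsp", 0o100644, b"<%-- placeholder --%>\n"),
    ("../../etc/cron.d/x", 0o100644, b"# placeholder\n"),
    ("report.txt", 0o100644, b"benign\n"),
])

if __name__ == "__main__":
    for kind, member in audit_newc(SAMPLE):
        print("%-22s %s" % (kind, member))
```

The symlink-then-file check is the important one: stripping absolute names and ".." components, which many extractors already do, does not catch a relative link whose target is outside the scratch directory followed by a file written through it. A gateway that rejects any archive with a non-empty `audit_newc` result refuses that whole class regardless of which extractor runs afterwards.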
On September 14, Zimbra issued a security advisory telling administrators to install pax, a portable archiving utility, and restart their Zimbra servers: Amavis prefers pax over cpio when pax is present, so installing it replaces the vulnerable component. The workaround only takes effect once pax is actually on the PATH and Amavis has been restarted, which is worth verifying, since Ubuntu ships pax by default but RHEL-family distributions (CentOS, Oracle Linux, Rocky) do not. Zimbra subsequently released patches (9.0.0 Patch 27 and 8.8.15 Patch 34) that drop the cpio dependency altogether.