Zimbra Collaboration Suite (ZCS), a widely used email server and web client, has a zero-day remote code execution (RCE) vulnerability that was unpatched at the time of disclosure (see the update below) and that attackers are known to be actively exploiting. The vulnerability is tracked as CVE-2022-41352 and is rated critical (CVSS v3 score: 9.8). It stems from the way Zimbra's mail content filter (Amavis) unpacks inbound email attachments for antivirus scanning: it uses the cpio archiver, which is not safe to run on untrusted input.
The vulnerability allows an attacker to write arbitrary files through Amavis's archive extraction, for example into the web root at /opt/zimbra/jetty/webapps/zimbra/public. Once exploited, it lets the attacker access other users' accounts, replace Zimbra's web root and plant a web shell.
To exploit the issue, an attacker emails a malicious .cpio, .tar or .rpm attachment to a vulnerable server. Amavis uses cpio (a general-purpose archive utility) to extract the attachment before scanning it for malware. Because cpio has no mode in which it can safely extract untrusted archives, a crafted archive can write to any path on the filesystem that the zimbra user can access. Other outcomes are possible, but the most likely one is the attacker dropping a web shell into the web root to obtain remote code execution.
If the pax package is not installed, Amavis falls back to cpio. Unfortunately the fallback, as implemented by Amavis, allows an unauthenticated attacker to create and overwrite files on the Zimbra server, including the Zimbra web root.
In addition to this zero-day, Zimbra is affected by a separate, publicly disclosed privilege escalation vulnerability (from the zimbra user to root). Chained with it, the cpio zero-day can lead directly to a remote root compromise of Zimbra Collaboration Suite servers.
- Affected: Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0.0.
Successful exploitation allows unauthenticated remote attackers to execute arbitrary code on the server as the zimbra user.
At the time of disclosure no fix was available; Zimbra said it would address the vulnerability in an upcoming patch release. Until then, the vendor provided a workaround to mitigate the issue; apply it as a high priority.
UPDATE: Zimbra has released the fix. Update Zimbra Collaboration Suite to version 9.0.0 Patch 27 or 8.8.15 Patch 34, or later.
Zimbra asks administrators to ensure that the pax package is installed on their Zimbra servers. Amavis needs pax to extract the contents of compressed attachments for virus scanning; with pax present it no longer falls back to cpio.
The pax package is already installed on most Ubuntu servers, as a prerequisite for Zimbra. Due to a packaging change in CentOS, there is a high chance that pax is not installed there. Verify and, where needed, install pax on all your systems as follows:
- Ubuntu and derivatives
apt install pax
- CentOS 7 and derivatives
yum install pax
- CentOS 8 and derivatives
dnf install spax
- Restart Zimbra as the zimbra user using the following:
sudo su - zimbra
zmcontrol restart
Zimbra has stated that it will make pax a prerequisite in the next Zimbra patch.
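The two checks an administrator wants after reading the steps above are whether the install is already at a patch level that contains the fix, and whether pax is present so Amavis does not fall back to cpio. The script below is an added example, not Zimbra's or SecPod's own code. It assumes that `zmcontrol -v` prints a single "Release ... Patch <release>_P<n>." line (the sample lines are constructed, not captured from a real host), and it treats the thresholds 9.0.0 Patch 27 and 8.8.15 Patch 34 from the update above as the minimum fixed levels.

```shell
#!/bin/sh
# Added example for this advisory (not Zimbra's or SecPod's code).
# Check 1: is the ZCS install at or above the patch level that fixes CVE-2022-41352?
# Check 2: is pax on PATH, so Amavis will not fall back to cpio?
# Assumption: `zmcontrol -v` prints "Release <ver>... , Patch <ver>_P<n>." (constructed samples below).

# Minimum patch level containing the fix, per Zimbra's release note
# (9.0.0 Patch 27, 8.8.15 Patch 34). Prints nothing for releases not covered here.
required_patch() {
  case "$1" in
    9.0.0)  echo 27 ;;
    8.8.15) echo 34 ;;
    *)      echo "" ;;
  esac
}

# Turn one `zmcontrol -v` line into "<release> <patchlevel>".
# A GA install with no patch applied has no "Patch" field and counts as level 0.
parse_zm_version() {
  out=$(printf '%s\n' "$1" | sed -n 's/.*Patch \([0-9.]*\)_P\([0-9]*\).*/\1 \2/p')
  if [ -z "$out" ]; then
    out=$(printf '%s\n' "$1" | sed -n 's/^Release \([0-9][0-9.]*[0-9]\).*/\1 0/p')
  fi
  printf '%s\n' "$out"
}

# zcs_status "<zmcontrol -v line>" -> patched | vulnerable | unknown
zcs_status() {
  set -- $(parse_zm_version "$1")
  rel=$1; lvl=$2
  if [ -z "$rel" ] || [ -z "$lvl" ]; then echo unknown; return 0; fi
  need=$(required_patch "$rel")
  if [ -z "$need" ]; then echo unknown; return 0; fi
  if [ "$lvl" -ge "$need" ]; then echo patched; else echo vulnerable; fi
}

# pax_status -> "present" if a pax binary is on PATH (the spax package provides it on
# CentOS 8), else "missing". Missing means Amavis falls back to cpio: workaround not in place.
pax_status() {
  if command -v pax >/dev/null 2>&1; then echo present; else echo missing; fi
}

# Constructed sample lines (not captured from a real host).
SAMPLE_OLD='Release 9.0.0.GA.3924.UBUNTU20.64 UBUNTU20_64 FOSS edition, Patch 9.0.0_P26.'
SAMPLE_FIXED='Release 8.8.15_GA_3869.RHEL7_64_20190918004220 RHEL7_64 FOSS edition, Patch 8.8.15_P34.'

# Demo on the samples. On a real host, as the zimbra user: zcs_status "$(zmcontrol -v)"
echo "sample 9.0.0 P26:  $(zcs_status "$SAMPLE_OLD")"     # vulnerable
echo "sample 8.8.15 P34: $(zcs_status "$SAMPLE_FIXED")"   # patched
echo "pax on this host:  $(pax_status)"
```

A host that reports "vulnerable" and "missing" has neither the fix nor the workaround and should be patched first; "vulnerable" with "present" is mitigated but still needs the patch release, since the fix Zimbra ships makes pax a prerequisite rather than leaving the fallback in place.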
SanerNow Network Scanner detects this vulnerability. Use SanerNow and keep your systems updated and secure.