Zimbra Collaboration Suite (ZCS), a widely used web client and email server, has an unpatched zero-day remote code execution (RCE) vulnerability that hackers are known to be actively exploiting. The vulnerability is assigned with CVE-2022-41352 and is rated critical (CVSS v3 score: 9.8). This vulnerability exists due to a method (cpio) in which Zimbra’s antivirus engine (Amavis) scans inbound emails. However, it is essential to have a vulnerability management software to detect and track such vulnerabilities.
CVE-2022-41352 vulnerability allows an attacker to upload arbitrary files through “Amavis” (extraction to /opt/Zimbra/jetty/webapps/zimbra/public). Once the vulnerability exploits successfully, it allows an attacker to access other users’ accounts, replace Zimbra’s webroot, and insert shellcodes. CVE-2022-41352 vulnerability can be patched using a patch management tool.
An attacker would email a malicious .cpio, .tar, or .rpm file to a vulnerable server to exploit this issue. Amavis utilizes cpio (general file archiver utility) to extract the file before scanning it for malware. The attacker can write to any path on the filesystem which zimbra user can access, since cpio lacks a mode that prevents it from using untrusted files. Although there are probably more options, the most likely consequence is for the attacker to insert a shell into the web root to get remote code execution.
If the pax package is not installed, Amavis will fall-back to using cpio. Unfortunately the fallback is implemented poorly (by Amavis) and will allow an unauthenticated attacker to create and overwrite files on the Zimbra server, including the Zimbra webroot.Zimbra
In addition to this zero-day vulnerability, Zimbra also suffers from a privilege escalation vulnerability, disclosng it publicly. The zero-day in cpio can lead directly to a remote root compromise of Zimbra Collaboration Suite servers!
Affected Product’s by CVE-2022-41352
- Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0.
Impact of CVE-2022-41352
Successful exploitation of the vulnerability allows remote attackers to execute arbitrary code.
Presently no solution is available; Zimbra said it would fix the vulnerability in an upcoming patch release. However, till then, the vendor has provided a workaround to mitigate this vulnerability; apply the workaround on high priority.
UPDATE: Zimbra has released the patch. Please update the Zimbra Collaboration Suite to version 9.0.0 Patch 27, 8.8.15 Patch 34, or later.
Zimbra asks the administrators to ensure by installing the pax package on their Zimbra server. Amavis need Pax to extract the contents of compressed attachments for virus scanning.
pax installs the package already for most Ubuntu servers, as a pre-requisite for Zimbra. Due to a packaging change in CentOS, there is a high chance
pax is not installed.
pax on all your systems as follows:
apt install pax
- CentOS 7 and derivatives
yum install pax
- CentOS 8 and derivatives
dnf install spax
- Restart Zimbra using the following:
sudo su zimbra -
Zimbra has assured that, it will address the issue (CVE-2022-41352) in the next Zimbra patch by making pax as a pre-requisite.