Home Security Hackers Exploiting Unpatched RCE Flaw in Zimbra Collaboration Suite

Hackers Exploiting Unpatched RCE Flaw in Zimbra Collaboration Suite

by crpt os


A severe remote code execution vulnerability in Zimbra’s enterprise collaboration software and email platform is being actively exploited, with no patch currently available to remediate the issue.

The shortcoming, assigned CVE-2022-41352, carries a critical-severity rating of CVSS 9.8, providing a pathway for attackers to upload arbitrary files and carry out malicious actions on affected installations.

“The vulnerability is due to the method (cpio) in which Zimbra’s antivirus engine (Amavis) scans inbound emails,” cybersecurity firm Rapid7 said in an analysis published this week.

CyberSecurity

The issue is said to have been abused since early September 2022, according to details shared on Zimbra forums. While a fix is yet to be released, Zimbra is urging users to install the “pax” utility and restart the Zimbra services.

“If the pax package is not installed, Amavis will fall-back to using cpio, unfortunately the fall-back is implemented poorly (by Amavis) and will allow an unauthenticated attacker to create and overwrite files on the Zimbra server, including the Zimbra webroot,” the company said last month.

The vulnerability, which is present in versions 8.8.15 and 9.0 of the software, affects several Linux distributions such as Oracle Linux 8, Red Hat Enterprise Linux 8, Rocky Linux 8, and CentOS 8, with the exception of Ubuntu due to the fact that pax is already installed by default.

A successful exploitation of the flaw requires an attacker to email an archive file (CPIO or TAR) to a susceptible server, which is then inspected by Amavis using the cpio file archiver utility to extract its contents.

“Since cpio has no mode where it can be securely used on untrusted files, the attacker can write to any path on the filesystem that the Zimbra user can access,” Rapid7 researcher Ron Bowes said. “The most likely outcome is for the attacker to plant a shell in the web root to gain remote code execution, although other avenues likely exist.”

CyberSecurity

Zimbra said it expects the vulnerability to be addressed in the next Zimbra patch, which will remove the dependency on cpio and instead make pax a requirement. However, it has not offered a specific timeframe by when the fix will be available.

Rapid7 also noted that CVE-2022-41352 is “effectively identical” to CVE-2022-30333, a path traversal flaw in the Unix version of RARlab’s unRAR utility which came to light earlier this June, the only difference being that the new flaw leverages CPIO and TAR archive formats instead of RAR.

Even more troublingly, Zimbra is said to be further vulnerable to another zero-day privilege escalation flaw, which could be chained with the cpio zero-day to achieve remote root compromise of the servers.

The fact that Zimbra has been a popular target for threat actors is by no means new. In August, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of adversaries exploiting multiple flaws in the software to breach networks.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex