A remote code execution vulnerability in Zimbra Collaboration Suite (ZCS), tracked as CVE-2022-41352 and initially exploited as a zero-day, is being actively exploited in the wild by threat actors.
The recent attacks
Kaspersky researchers said that several unknown APT groups are actively exploiting the flaw in systems worldwide. Kaspersky observed two successive attack waves targeting this bug.
The first wave, started in early September, was aimed at government entities in Asia.
The second wave began on September 30 and was far larger in scope: rather than picking targets, it went after every vulnerable server in a set of Central Asian countries.
Volexity researchers have identified approximately 1,600 ZCS servers worldwide that are likely compromised via the exploitation of the flaw.
About the vulnerability
CVE-2022-41352 carries a CVSS score of 9.8 (critical) and affects Zimbra Collaboration (ZCS) 8.8.15 and 9.0; it was first disclosed in September 2022.
On October 7, 2022, a proof of concept (PoC) for the vulnerability was added to the Metasploit framework, putting a working exploit in the hands of even low-skill attackers and setting the stage for mass, global exploitation.
How the vulnerability works
The flaw lies in how Zimbra's content filter, Amavis, unpacks inbound email attachments for antivirus scanning: on hosts where the pax utility is not installed, Amavis falls back to the cpio utility to extract archives.
The underlying cause is an older directory traversal vulnerability in cpio, CVE-2015-1197: an archive can first create a symlink and then extract a file through it, so the file is written wherever the link points rather than inside the extraction directory. A fix for that bug was proposed upstream.
Because Amavis extracts attachments as the zimbra user, an attacker only needs to send an email with a crafted archive attachment; the traversal drops a .jsp file into the web client's /public directory, where the application server serves and executes it like any other JSP page, giving remote code execution.
The maintainers shipping the cpio package apparently reverted that patch and continued to ship the vulnerable behavior. The consequence is a larger attack surface than Zimbra alone: any software that relies on cpio to unpack untrusted archives can, in principle, be leveraged the same way to take over the system.
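The traversal pattern described above can be detected before an archive ever reaches cpio. The following is an added example, not code from Zimbra, Amavis, or the researchers cited on this page: it implements a minimal reader and writer for the SVR4 "newc" cpio format, replays extraction on paper while honoring symlinks created by earlier entries (exactly what a vulnerable cpio does), and reports every entry that would land outside the extraction directory. The extraction directory (/tmp/amavis-extract) is an assumed path, the Zimbra public directory path is the assumed default install location, and the sample archive is constructed here with placeholder content rather than a real web shell.

```python
"""
Scan a cpio archive (SVR4 'newc' format, as written by `cpio -o -H newc`)
for the CVE-2015-1197 traversal pattern: a symlink entry followed by a
regular file extracted *through* that symlink, which lands wherever the
link points instead of inside the extraction directory.
Added example; the sample archive below is constructed, not captured.
"""
import posixpath
import stat

NEWC_MAGIC = b"070701"
TRAILER = "TRAILER!!!"


def _pad4(n):
    # newc aligns the end of (header + name) and the end of file data to 4 bytes
    return (-n) % 4


def newc_entry(name, mode, data=b""):
    """Encode one newc entry. For a symlink, `data` is the link target."""
    name_bytes = name.encode() + b"\0"
    # ino mode uid gid nlink mtime filesize devmaj devmin rdevmaj rdevmin namesize check
    fields = [1, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_bytes), 0]
    header = NEWC_MAGIC + b"".join(f"{f:08x}".encode() for f in fields)
    out = header + name_bytes
    out += b"\0" * _pad4(len(out))
    return out + data + b"\0" * _pad4(len(data))


def build_archive(entries):
    """entries: iterable of (name, mode, data); the trailer record is appended."""
    return b"".join(newc_entry(*e) for e in entries) + newc_entry(TRAILER, 0)


def parse_newc(blob):
    """Yield (name, mode, data) for each entry up to (not including) the trailer."""
    pos = 0
    while True:
        if blob[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError(f"bad cpio magic at offset {pos}")
        fields = [int(blob[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = fields[1], fields[6], fields[11]
        name = blob[pos + 110:pos + 110 + namesize - 1].decode()  # drop trailing NUL
        pos += 110 + namesize + _pad4(110 + namesize)
        data = bytes(blob[pos:pos + filesize])
        pos += filesize + _pad4(filesize)
        if name == TRAILER:
            return
        yield name, mode, data


def _inside(path, dest):
    return path == dest or path.startswith(dest.rstrip("/") + "/")


def find_traversal(blob, dest="/tmp/amavis-extract"):
    """
    Replay extraction into `dest` (assumed path) and return [(entry, resolved_path)]
    for every entry that would be created outside `dest`. Symlinks created by
    earlier entries are followed, mirroring a cpio without the CVE-2015-1197 fix.
    """
    symlinks = {}  # absolute path of a link created so far -> absolute target
    findings = []
    for name, mode, data in parse_newc(blob):
        cur = "/" if name.startswith("/") else dest  # absolute member names escape outright
        for comp in posixpath.normpath(name).split("/"):
            if comp in ("", "."):
                continue
            cur = posixpath.normpath(posixpath.join(cur, comp))  # '..' walks up
            cur = symlinks.get(cur, cur)  # the write goes through an earlier link
        if not _inside(cur, dest):
            findings.append((name, cur))
        if stat.S_ISLNK(mode):
            target = data.decode()
            if not target.startswith("/"):
                target = posixpath.join(posixpath.dirname(cur), target)
            symlinks[cur] = posixpath.normpath(target)
    return findings


# Constructed sample with the shape CVE-2022-41352 abuses: a link to the web
# client's public directory (assumed default install path), then a .jsp
# written through it. Placeholder content stands in for a web shell.
PUBLIC_DIR = "/opt/zimbra/jetty_base/webapps/zimbra/public"
SAMPLE_ARCHIVE = build_archive([
    ("report.txt", stat.S_IFREG | 0o644, b"benign attachment\n"),
    ("webroot", stat.S_IFLNK | 0o777, PUBLIC_DIR.encode()),
    ("webroot/x.jsp", stat.S_IFREG | 0o644, b"<%-- placeholder --%>\n"),
])

if __name__ == "__main__":
    for entry, where in find_traversal(SAMPLE_ARCHIVE):
        print(f"REJECT {entry!r}: would be written to {where}")
```

The scanner flags three escape routes in one pass: absolute member names, `..` components, and writes through a symlink created by an earlier entry, whether the link target is absolute or relative. Entries that merely create a symlink pointing outside the directory are not flagged on their own, since the damage only happens when a later entry is written through them.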
Wrapping up
The bug hands an attacker code execution on the mail server and can be abused to deliver malware, trojans, and even ransomware. Zimbra has fixed it in Zimbra Collaboration Suite 9.0.0 P27 (and 8.8.15 P34 for the 8.8.15 line), so administrators must update their installations to thwart further attacks; a server that cannot be patched immediately should at least have pax installed, since Amavis uses it in preference to cpio when it is present. In the meantime, owners of Zimbra servers should check for traces of compromise, in particular unexpected .jsp files under the web client's public directory.
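One concrete way to look for those traces is to compare the .jsp files under the web root against a known-good inventory. The following is an added example and not Zimbra's own tooling: it hashes every .jsp below a directory without following symlinks, then reports files that are new, changed, or missing relative to a baseline taken from a clean install or a trusted package. The web root path in the usage comment is the assumed default install location, and the `demo()` helper builds a small constructed tree in a temporary directory purely to exercise the check offline.

```python
"""
Baseline comparison for .jsp files under a Zimbra web root.
Added example; the tree built by demo() is constructed, not a real install.
"""
import hashlib
import os
import tempfile


def jsp_inventory(root):
    """Return {relative_path: sha256} for every .jsp file below `root`.
    Symlinks are not followed; a planted link is listed by its own name and
    target so it is never mistaken for the file it points at."""
    inv = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for fn in filenames:
            if not fn.lower().endswith(".jsp"):
                continue
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                inv[rel] = "symlink->" + os.readlink(full)
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            inv[rel] = h.hexdigest()
    return inv


def diff_against_baseline(current, baseline):
    """Split `current` into files that are new, changed, or missing relative to
    `baseline` (both {relative_path: sha256}). A new .jsp under public/ is the
    primary indicator of CVE-2022-41352 exploitation; a changed one suggests
    tampering with a shipped page."""
    new = sorted(p for p in current if p not in baseline)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    return {"new": new, "changed": changed, "missing": missing}


def demo():
    """Constructed scenario: snapshot a clean tree, then plant one .jsp and
    tamper with another, and return the resulting report."""
    root = tempfile.mkdtemp(prefix="zcs-webroot-")
    public = os.path.join(root, "public")
    os.makedirs(public)
    shipped = os.path.join(public, "shipped.jsp")  # stands in for a legitimate page
    with open(shipped, "wb") as f:
        f.write(b"<%-- shipped with the product --%>\n")
    baseline = jsp_inventory(root)  # taken before the "attack"
    with open(os.path.join(public, "x.jsp"), "wb") as f:  # planted afterwards
        f.write(b"<%-- placeholder --%>\n")
    with open(shipped, "ab") as f:  # tampered afterwards
        f.write(b"<%-- appended --%>\n")
    return diff_against_baseline(jsp_inventory(root), baseline)


if __name__ == "__main__":
    import json
    import sys
    # Usage: python3 hunt_jsp.py /opt/zimbra/jetty_base/webapps/zimbra baseline.json
    # where baseline.json is the output of jsp_inventory() on a clean install.
    if len(sys.argv) == 3:
        with open(sys.argv[2]) as f:
            baseline = json.load(f)
        print(json.dumps(diff_against_baseline(jsp_inventory(sys.argv[1]), baseline), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

Generate the baseline from a freshly patched or freshly installed system of the same patch level, not from the suspect host, and treat any entry in `new` under public/ as a finding to be examined rather than quietly deleted, since the file's content and timestamps tell you when the server was hit and what the intruder ran.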