An unpatched code execution vulnerability in Zimbra Collaboration software is being actively exploited by attackers who use it to backdoor servers.
The attacks began no later than September 7. A few days later, a Zimbra customer reported that a server running the company's Amavis spam-filtering engine had processed an email containing a malicious attachment. Within seconds, the scanner copied a malicious Java file to the server and then executed it. With that, the attackers had installed a web shell, which they could then use to log in and take control of the server.
Zimbra has not yet released a patch fixing the vulnerability. Instead, the company has published a guide advising customers to ensure that a file archiver called pax is installed. Unless pax is installed, Amavis processes incoming attachments with cpio, another archiver with a known vulnerability that has never been fixed.
“If the pax package is not installed, Amavis will revert to using cpio,” wrote Zimbra employee Barry de Graaff. “Unfortunately the fallback is poorly implemented (by Amavis) and will allow an unauthenticated attacker to create and overwrite files on the Zimbra server, including the Zimbra web root.”
The guide then explained how to install pax. The utility is installed by default on Ubuntu but must be installed manually on most other distributions. The Zimbra vulnerability is tracked as CVE-2022-41352.
The zero-day vulnerability is a byproduct of CVE-2015-1197, a known directory traversal vulnerability in cpio. Researchers from security firm Rapid7 recently said the flaw is only exploitable when Zimbra or another secondary application uses cpio to extract untrusted archives.
Rapid7 researcher Ron Bowes wrote:
"To exploit this vulnerability, an attacker would email a .cpio, .tar, or .rpm to a vulnerable server. When Amavis scans it for malware, it uses cpio to extract the file. Since cpio does not have a mode where it can be used safely on untrusted files, the attacker can write to any file system path that the Zimbra user can access. The most likely outcome is for the attacker to plant a shell in the web root to achieve remote code execution, although other avenues likely exist."
Bowes then clarified that two conditions must exist for CVE-2022-41352:
- A vulnerable version of cpio must be installed, which is the case on almost all systems (see CVE-2015-1197)
- The pax utility must not be installed, as Amavis prefers pax and pax is not vulnerable
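The mechanism Bowes describes, and the two conditions above, can be checked offline. The following Python is an added example, not code from the original article, Rapid7 or Zimbra. It builds two small newc-format cpio archives in memory (one benign, one carrying the symlink-then-file traversal that CVE-2015-1197 allows, plus a plain `..` entry) and runs a scanner over them that flags every entry a safe extractor would have to refuse: absolute paths, parent-directory components, symlinks pointing outside the extraction directory, and later files written through such a symlink. The archive contents, the webroot path `/srv/webroot` and the file name `shell.jsp` are constructed for illustration and are not taken from the reported attacks.

```python
import stat

NEWC_MAGIC = b"070701"      # SVR4 "newc" cpio header magic (the format cpio -H newc writes)
TRAILER = "TRAILER!!!"      # name of the archive-terminating pseudo-entry


def _pad4(n):
    """newc pads header+name and data blocks to 4-byte boundaries."""
    return (4 - n % 4) % 4


def build_cpio(entries):
    """Build a newc cpio archive from (name, mode, data) tuples.
    For a symlink entry, data is the link target, exactly as cpio stores it."""
    out = bytearray()
    for ino, (name, mode, data) in enumerate(entries + [(TRAILER, 0, b"")], start=1):
        name_b = name.encode() + b"\0"
        # 13 fields, each 8 uppercase hex digits:
        # ino mode uid gid nlink mtime filesize devmajor devminor rdevmajor rdevminor namesize check
        fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
        hdr = NEWC_MAGIC + b"".join(b"%08X" % f for f in fields)
        out += hdr + name_b + b"\0" * _pad4(len(hdr) + len(name_b))
        out += data + b"\0" * _pad4(len(data))
    return bytes(out)


def iter_cpio(blob):
    """Yield (name, mode, data) for each entry of a newc archive, stopping at the trailer."""
    pos = 0
    while True:
        hdr = blob[pos:pos + 110]
        if len(hdr) < 110 or hdr[:6] != NEWC_MAGIC:
            raise ValueError("not a newc cpio archive at offset %d" % pos)
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = f[1], f[6], f[11]
        name_start = pos + 110
        name = blob[name_start:name_start + namesize - 1].decode(errors="replace")
        data_start = name_start + namesize + _pad4(110 + namesize)
        data = blob[data_start:data_start + filesize]
        pos = data_start + filesize + _pad4(filesize)
        if name == TRAILER:
            return
        yield name, mode, data


def suspicious_entries(blob):
    """Return (entry name, reason) for every entry that could land outside the
    extraction directory when cpio extracts the archive without a safe mode."""
    findings = []
    symlinks = set()
    for name, mode, data in iter_cpio(blob):
        parts = name.split("/")
        if name.startswith("/"):
            findings.append((name, "absolute path"))
        elif ".." in parts:
            findings.append((name, "parent-directory traversal"))
        # A file whose directory prefix is an earlier symlink entry is written
        # wherever that link points; this is the CVE-2015-1197 pattern.
        for i in range(1, len(parts)):
            prefix = "/".join(parts[:i])
            if prefix in symlinks:
                findings.append((name, "written through symlink %r" % prefix))
                break
        if stat.S_ISLNK(mode):
            target = data.decode(errors="replace")
            if target.startswith("/") or ".." in target.split("/"):
                findings.append((name, "symlink to %s" % target))
            symlinks.add(name)
    return findings


# Constructed sample archives (not real attachments from the incident).
BENIGN_CPIO = build_cpio([
    ("docs/report.txt", 0o100644, b"quarterly numbers\n"),
])
MALICIOUS_CPIO = build_cpio([
    # 1) symlink "web" -> hypothetical webroot, 2) a file placed "inside" it,
    # 3) a plain "../" escape. Payload text is a placeholder, not a working shell.
    ("web", 0o120777, b"/srv/webroot"),
    ("web/shell.jsp", 0o100644, b"<placeholder payload>"),
    ("../escaped.txt", 0o100644, b"x"),
])

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_CPIO), ("malicious", MALICIOUS_CPIO)):
        print(label, suspicious_entries(blob))
```

The scanner is deliberately conservative: it flags the symlink entry itself and any later entry routed through it, rather than trusting the extractor to notice. Run against a quarantined attachment, a non-empty result is a reason to treat the mail as hostile regardless of whether pax or cpio would have handled it.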
Bowes said CVE-2022-41352 is "effectively identical" to CVE-2022-30333, another Zimbra vulnerability that came under active exploitation two months ago. Whereas CVE-2022-41352 exploits use files in the cpio and tar archive formats, the older attacks used rar files.
In last month’s post, Zimbra’s de Graaff said the company plans to make pax a Zimbra requirement. This will remove the cpio dependency. In the meantime, however, the only option to mitigate the vulnerability is to install pax and then restart Zimbra.
Even then, at least some risks, theoretical or otherwise, may remain, researchers at security firm Flashpoint warned.
"For Zimbra Collaboration instances, only servers that did not have the 'pax' package installed were affected," the company's researchers warned. "But other applications can also use cpio on Ubuntu. However, we are currently unaware of other attack vectors. Since the vendor has clearly marked CVE-2015-1197 in version 2.13 as fixed, Linux distributions should carefully manage these vulnerability patches – not just roll them back."