Hackers are Actively Exploiting 5 Vulnerabilities in the Zimbra Collaboration Suite

Five vulnerabilities in the Zimbra Collaboration Suite (ZCS) are being actively exploited in the wild. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), together with the Multi-State Information Sharing & Analysis Center (MS-ISAC), has issued a joint security advisory to raise awareness of the flaws and to share mitigations that reduce the risk of compromise. ZCS is used by more than 200,000 businesses worldwide, and a large share of those deployments expose the webmail interface directly to the Internet.

The first vulnerability – tracked as CVE-2022-27924 (CVSS 7.5) – was discovered by researchers at SonarSource. It is a high-severity flaw that allows an unauthenticated attacker to inject arbitrary memcache commands into a vulnerable ZCS instance and overwrite arbitrary cached entries. By exploiting the flaw, an attacker can steal ZCS email account credentials in cleartext with no user interaction. If an organization has not enforced multifactor authentication, those credentials give direct access to mailboxes: data in the accounts can be stolen, and the organization is exposed to spear phishing, social engineering, and business email compromise (BEC) attacks launched from trusted internal addresses. CISA notes that the stolen credentials could also be used to plant web shells for persistent access.

SonarSource reported the flaw to Zimbra in March 2022, Zimbra released patches in May 2022, and SonarSource published the technical details in June 2022; a proof-of-concept exploit is now in the public domain. Although the patch has been available for around three months, many organizations have been slow to update ZCS, and the vulnerability is now being actively exploited on unpatched Internet-facing systems.

The second flaw – tracked as CVE-2022-27925 (CVSS 7.2) – is a high-severity directory traversal in the mboximport functionality of ZCS releases 8.8.15 and 9.0, which receives a ZIP archive and extracts its files. Because the member paths are not confined to the destination directory, an authenticated administrator can write arbitrary files anywhere on the server. According to the Volexity Threat Research Team, attackers have been chaining it with a critical authentication bypass in the same MailboxImportServlet – CVE-2022-37042 (CVSS 9.8) – which removes the need for administrator credentials and turns the pair into unauthenticated remote code execution. The chain has been exploited since at least June 2022. Initially, it was used by a small number of nation-state threat actors, but it is now being exploited by a much wider group in mass exploitation attempts. Threat actors are writing JSP web shells into the web application directories of vulnerable servers to achieve persistent access, so patching alone is not enough: servers that were exposed before patching should be checked for unexpected files.

The third is a high-severity path traversal vulnerability – CVE-2022-30333 (CVSS 7.5) – identified by SonarSource researchers in RARLAB UnRAR on Linux and UNIX. A crafted RAR archive can contain a symbolic link that points outside the extraction directory, and a later member of the same archive is then written through that link, so files land in locations the extracting process never intended. On ZCS, the flaw can be triggered by simply sending a specially crafted email containing a malicious RAR attachment: the server automatically extracts the archive to check it for spam and malware, which triggers the vulnerability without any action by the recipient. ZCS servers with the unrar package installed are vulnerable. CISA notes that a Metasploit module is available that builds such a RAR file and emails it to a ZCS server to exploit the vulnerability.
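Both archive flaws above (CVE-2022-27925 in mboximport and CVE-2022-30333 in UnRAR) come down to the same missing control: a member's destination was never confined to the extraction directory, either because `..` segments were honoured or because a planted symlink was followed. The following is an added example, not Zimbra or UnRAR code, showing the containment check an extractor needs. It uses a constructed in-memory ZIP (Python's `zipfile`) as a stand-in for both archive types, and the scratch directories, member names and `shell.jsp` payload are constructed for the demonstration.

```python
"""Path-containment checks for archive extraction (added example, not Zimbra code).

Constructed ZIP archives stand in for the archives mboximport (CVE-2022-27925)
and unrar (CVE-2022-30333) process. Every member must resolve to a path inside
the extraction directory, and symlink members are refused outright.
"""
import io
import stat
import tempfile
import zipfile
from pathlib import Path


class UnsafeEntry(Exception):
    """An archive member would land outside the extraction directory."""


def is_symlink_member(info: zipfile.ZipInfo) -> bool:
    """Unix mode bits live in the top 16 bits of external_attr."""
    return stat.S_ISLNK(info.external_attr >> 16)


def check_member(base: Path, name: str) -> Path:
    """Return the real destination for `name`, or raise UnsafeEntry.

    resolve() collapses '..' and follows any symlink already on disk, so a
    member 'link/x' where 'link' points outside `base` is caught as well.
    """
    if name.startswith(("/", "\\")) or "\x00" in name:
        raise UnsafeEntry(f"absolute or NUL-bearing name: {name!r}")
    base_real = base.resolve()
    dest = (base_real / name).resolve()
    if dest != base_real and base_real not in dest.parents:
        raise UnsafeEntry(f"{name!r} escapes {base_real} -> {dest}")
    return dest


def safe_extract(data: bytes, base: Path) -> list:
    """Extract ZIP bytes into `base`; abort on the first unsafe member."""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_symlink_member(info):
                raise UnsafeEntry(f"symlink member refused: {info.filename!r}")
            dest = check_member(base, info.filename)
            if info.is_dir():
                dest.mkdir(parents=True, exist_ok=True)
                continue
            dest.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def build_zip(members: dict, symlink=None) -> bytes:
    """Constructed test archive; `symlink` is an optional (name, target) pair."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
        if symlink:
            info = zipfile.ZipInfo(symlink[0])
            info.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark as symlink
            zf.writestr(info, symlink[1])
    return buf.getvalue()


def outcome(fn) -> str:
    try:
        fn()
        return "extracted"
    except UnsafeEntry:
        return "refused"


def run_demo() -> dict:
    """Drive the checks against four constructed archives in a scratch dir."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base, outside = Path(tmp, "mbox"), Path(tmp, "outside")
        base.mkdir()
        outside.mkdir()
        results["benign"] = outcome(lambda: safe_extract(build_zip({"Inbox/1.eml": b"hello"}), base))
        # mboximport pattern: '..' in the member name aims at a web directory.
        results["dotdot"] = outcome(lambda: safe_extract(build_zip({"../outside/shell.jsp": b"<% %>"}), base))
        # A symlink shipped inside the archive is refused before anything is written.
        results["symlink_member"] = outcome(lambda: safe_extract(build_zip({}, symlink=("link", str(outside))), base))
        # unrar pattern: a symlink already planted in base, then a write through it.
        try:
            (base / "planted").symlink_to(outside)
            results["through_symlink"] = outcome(lambda: safe_extract(build_zip({"planted/shell.jsp": b"<% %>"}), base))
        except OSError:  # symlink creation not permitted on this platform
            results["through_symlink"] = "skipped"
        results["outside_untouched"] = "clean" if not any(outside.iterdir()) else "written"
    return results


if __name__ == "__main__":
    print(run_demo())
```

The check must run on the resolved destination, not on the raw member name: a name such as `planted/shell.jsp` looks harmless until the symlink already on disk is followed, which is exactly how the UnRAR flaw writes outside the scanner's working directory. Refusing the whole archive on the first bad member is the right behaviour for a mail scanner, since a partially extracted hostile archive has no legitimate use.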

The fifth vulnerability is a medium-severity flaw in the Calendar feature of ZCS webmail clients prior to 8.8.15 patch 30 – tracked as CVE-2022-24682 (CVSS 6.1). This is a cross-site scripting (XSS) vulnerability: a target who clicks a link in a crafted email runs attacker-supplied script in the webmail session, which can be used to steal session cookies and read mail or attachments as that user. The vulnerability was identified by researchers at Volexity, who observed it being exploited in targeted spear-phishing campaigns.

To prevent exploitation of the flaws, all Zimbra Collaboration Suite users should ensure they are running the latest ZCS patch releases, and should confirm the installed patch level rather than assume an update completed. Because web shells are already being deployed through these flaws, servers that were exposed while unpatched should also be reviewed for signs of compromise. CISA additionally recommends maintaining and testing an incident response plan, ensuring a robust vulnerability management program is in place, properly configuring and securing Internet-facing network devices, enforcing multifactor authentication, and adopting zero trust principles.
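A quick way to confirm a host's patch level is to parse the output of `zmcontrol -v`, which ZCS prints as a `Release x.y.z ... , Patch x.y.z_Pn.` line. The script below is an added example, not Zimbra tooling. It assumes the patch levels that shipped the fix for CVE-2022-37042 (8.8.15 P33 and 9.0.0 P26), the last of the five CVEs to be patched, and relies on ZCS patches being cumulative, so a host at or above that level carries all five fixes; confirm these numbers against Zimbra's own security advisories before relying on them. The sample output strings are constructed, and running against the local host assumes the standard `zimbra` service account.

```python
"""Compare a ZCS host's patch level with the fixes for the five CVEs above.

Added example, not Zimbra tooling. MIN_PATCH is the patch level that shipped
the fix for CVE-2022-37042 (8.8.15 P33 and 9.0.0 P26); ZCS patches are
cumulative, so a host at or above it has the fixes for all five CVEs.
Verify the numbers against Zimbra's security advisories before use.
"""
import re
import subprocess

MIN_PATCH = {"8.8.15": (33,), "9.0.0": (26,)}  # assumed minimum safe levels

RELEASE_RE = re.compile(r"Release\s+(\d+\.\d+\.\d+)")
PATCH_RE = re.compile(r"Patch\s+\d+\.\d+\.\d+_P(\d+(?:\.\d+)*)")

# Constructed samples of `zmcontrol -v` output; a real host prints one such line.
SAMPLE_PATCHED = "Release 9.0.0.GA.4229.UBUNTU20.64 UBUNTU20_64 NETWORK edition, Patch 9.0.0_P26."
SAMPLE_OLD = "Release 8.8.15.GA.4179.UBUNTU18.64 UBUNTU18_64 FOSS edition, Patch 8.8.15_P31.1."
SAMPLE_UNPATCHED = "Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 FOSS edition."


def parse_zmcontrol(output: str):
    """Return (release, patch), patch as an int tuple such as (31, 1); () if none."""
    rel = RELEASE_RE.search(output)
    if not rel:
        raise ValueError("no 'Release x.y.z' found in zmcontrol output")
    pm = PATCH_RE.search(output)
    patch = tuple(int(x) for x in pm.group(1).split(".")) if pm else ()
    return rel.group(1), patch


def assess(output: str) -> str:
    """Classify a zmcontrol -v line as patched, VULNERABLE, or unknown."""
    release, patch = parse_zmcontrol(output)
    needed = MIN_PATCH.get(release)
    if needed is None:
        return f"unknown: release {release} is not in MIN_PATCH; check the vendor advisory"
    shown = "P" + ".".join(map(str, patch)) if patch else "no patch"
    if patch >= needed:  # tuple comparison handles point releases like P31.1
        return f"patched: {release} {shown} >= P{needed[0]}"
    return f"VULNERABLE: {release} {shown} < P{needed[0]}"


def assess_local_host() -> str:
    """Run zmcontrol as the zimbra service user on the server itself (Linux)."""
    proc = subprocess.run(["su", "-", "zimbra", "-c", "zmcontrol -v"],
                          capture_output=True, text=True, check=True)
    return assess(proc.stdout)


if __name__ == "__main__":
    for sample in (SAMPLE_PATCHED, SAMPLE_OLD, SAMPLE_UNPATCHED):
        print(assess(sample))
```

Note that the patch level alone does not settle CVE-2022-30333: that flaw lives in the unrar package on the host, so also check whether `unrar` is still installed (for example with `dpkg -l unrar` or `rpm -q unrar`) and that the antivirus stage no longer invokes it.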

CISA and the Multi-State Information Sharing & Analysis Center (MS-ISAC) will update the security advisory to include further indicators of compromise (IOCs) and signatures as further information becomes available.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news