Zimbra Zero-Day Flaw Exploited to Infect at Least 1,600 Servers with Web Shells

Patches have been released by Zimbra to fix an actively exploited flaw affecting Zimbra Collaboration (Zimbra Collaboration Suite). The critical flaw, tracked as CVE-2022-41352, is a remote code execution vulnerability affecting the cpio utility used by the Amavis open source content filter to scan and extract files. If the flaw is successfully exploited, an attacker can abuse the cpio package to gain unauthorized access to any other user account on the server. Zimbra said it “recommends pax over cpio.”

Exploitation of the flaw is possible by sending a specially crafted email with a TAR archive attachment. When the email is received, the attachment is passed to Amavis, which scans and extracts it; if cpio is the extraction tool in use, the exploit is triggered. The vulnerability has been assigned a CVSS v3 base score of 9.8 out of 10.

Kaspersky said it has detected exploitation of the flaw on 876 servers by unknown, advanced threat actors, with the exploitation occurring before the flaw was widely publicized. After exploiting the flaw and gaining access, the attackers drop a web shell on the server, which enables various follow-on activities. Most of the servers were compromised in two waves in September, with one campaign seeing the threat actor systematically infect all vulnerable Zimbra servers in Central Asia.

According to Kaspersky, the attacks were a combination of targeted attacks on high-value targets such as government entities and companies in the IT and telecommunications sector, along with some opportunistic attacks. Most of the targets were in Asia, although the flaw has since been exploited globally. Exploitation has become more widespread since a proof-of-concept exploit for the flaw was uploaded to the Metasploit framework, which allowed less skilled hackers to start exploiting the flaw on vulnerable servers. Volexity estimates that around 1,600 vulnerable servers have been compromised and infected with web shells.

Zimbra has released Zimbra 9.0.0 Patch-27 and Zimbra 8.8.15 Patch-34 to fix CVE-2022-41352; the patches replace cpio with pax. They also include fixes for five medium-severity vulnerabilities (CVE-2022-37393, CVE-2022-41348, CVE-2022-41349, CVE-2022-41350, CVE-2022-41351).

Given how widely the flaw is being exploited, admins are advised to update their servers immediately or, if the patch cannot be applied right away, to apply the workarounds recommended by Zimbra.
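The following is an added example, not code from the article or from Zimbra, showing the two checks an administrator would want from the guidance above: whether the installed release is at or beyond the patch level that replaces cpio (9.0.0 Patch-27 or 8.8.15 Patch-34), and whether a `pax` binary is present as the interim workaround. The version-string format (`9.0.0_P26`) and the sample strings are constructed assumptions; adapt the regex to what your own `zmcontrol -v` prints. The `parse_release`, `is_patched`, `pax_on_path` and `assess` helpers are hypothetical names introduced here.

```python
import re
import shutil

# Patch levels that ship the cpio -> pax replacement for CVE-2022-41352,
# taken from the article above.
FIXED_PATCH_LEVEL = {
    "9.0.0": 27,
    "8.8.15": 34,
}

# Assumed release-string format, e.g. "9.0.0_P26" (constructed for this
# example; adjust to the real output of `zmcontrol -v` on your host).
_RELEASE_RE = re.compile(r"(?P<release>\d+\.\d+\.\d+)_P(?P<patch>\d+)")


def parse_release(text):
    """Return (release, patch_level) found in a version string, or None."""
    m = _RELEASE_RE.search(text)
    if not m:
        return None
    return m.group("release"), int(m.group("patch"))


def is_patched(release, patch_level):
    """True when the installed patch level includes the CVE-2022-41352 fix.

    Unknown release lines return False so they get flagged for manual review
    rather than silently passing.
    """
    required = FIXED_PATCH_LEVEL.get(release)
    if required is None:
        return False
    return patch_level >= required


def pax_on_path(path_env=None):
    """True if a `pax` binary is findable on the given PATH string.

    Installing pax is the interim workaround so Amavis no longer falls back
    to cpio; `path_env=None` means use the current process PATH.
    """
    return shutil.which("pax", path=path_env) is not None


def assess(version_text, path_env=None):
    """Combine both checks into a short status record for an admin report."""
    parsed = parse_release(version_text)
    patched = parsed is not None and is_patched(*parsed)
    has_pax = pax_on_path(path_env)
    if patched:
        status = "patched"
    elif has_pax:
        status = "workaround-only (pax present, patch missing)"
    else:
        status = "VULNERABLE: no patch and no pax"
    return {"release": parsed, "patched": patched, "pax": has_pax, "status": status}


if __name__ == "__main__":
    # Constructed sample strings, not real zmcontrol output.
    for sample in ("Release 9.0.0_P26", "Release 9.0.0_P27", "Release 8.8.15_P33"):
        print(sample, "->", assess(sample)["status"])
```

The release table is deliberately closed: a release line the script does not know about is reported as unpatched so that it is looked at by a human, which is the safer failure mode for a check like this.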

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news