On October 13th, security researchers announced that hackers had breached many servers using a Zimbra zero-day vulnerability.
The vulnerability, tracked as CVE-2022-41352, is a remote code execution flaw: an attacker sends an email with a malicious archive attachment that plants a web shell on the ZCS server while, at the same time, bypassing antivirus checks.
An investigation by Kaspersky Lab has revealed that an as-yet-unidentified advanced persistent threat (APT) group is actively exploiting this vulnerability and systematically infecting vulnerable servers in Central Asia.
This actively exploited vulnerability, CVE-2022-41352, is rated Critical with a CVSSv3 score of 9.8. It stems from CVE-2015-1197, a flaw in the cpio utility that the Zimbra component "Amavis" uses to extract archives.
On October 7, 2022, Rapid7 warned about the active exploitation of CVE-2022-41352 and urged admins to apply the available workarounds, since no security update was available at the time.
A proof of concept for the vulnerability was added to the Metasploit framework on the same day, laying the groundwork for mass, global exploitation even by low-sophistication attackers.
The attack follows these steps in the CVE-2022-41352 exploit scenario:
- An attacker sends an e-mail with a malicious Tar archive attached.
- On receiving the e-mail, Zimbra submits it to Amavis for spam and malware inspection.
- Amavis analyzes the e-mail attachments and inspects the contents of the attached archive. It invokes cpio, which triggers CVE-2015-1197.
- During extraction, a JSP web shell is written to one of the public directories used by the webmail component. The attacker then browses to the web shell and starts executing arbitrary commands on the victim machine.
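Because the chain above starts with the attachment itself, one defensive check is to inspect tar attachments before they reach the archive extractor. The following is an added example, not Zimbra's or Amavis's code and not from the original article: a Python pre-filter that flags the features an extraction-time traversal such as CVE-2015-1197 (cpio following symbolic links while writing files) relies on. The `WEBSHELL_EXTENSIONS` policy, the `build_sample_archive` helper and the placeholder webroot path are assumptions made for the demonstration.

```python
import io
import tarfile
from typing import List

# Extensions treated as web-shell candidates; hypothetical policy, not Amavis's.
WEBSHELL_EXTENSIONS = (".jsp", ".jspx")

def inspect_tar(data: bytes) -> List[str]:
    """Return findings for a tar archive given as bytes (empty list = clean).

    Checks cover what an extraction-time traversal like CVE-2015-1197 in cpio
    relies on: link members that redirect later writes, absolute paths, '..'
    components, and JSP members that would become a web shell in a webroot.
    """
    findings: List[str] = []
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for m in tar.getmembers():
                name = m.name
                if m.issym() or m.islnk():
                    findings.append(f"link member: {name} -> {m.linkname}")
                if name.startswith("/"):
                    findings.append(f"absolute path: {name}")
                if ".." in name.split("/"):
                    findings.append(f"traversal component: {name}")
                if name.lower().endswith(WEBSHELL_EXTENSIONS):
                    findings.append(f"jsp member: {name}")
    except tarfile.TarError as exc:
        findings.append(f"unreadable archive: {exc}")
    return findings

def build_sample_archive(malicious: bool) -> bytes:
    """Build a constructed in-memory tar: a benign report, or a symlink that
    points a directory name at a placeholder webroot followed by a .jsp file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        if malicious:
            link = tarfile.TarInfo("public")
            link.type = tarfile.SYMTYPE
            link.linkname = "/opt/PLACEHOLDER/webroot"  # placeholder, not a real path
            tar.addfile(link)
            info, payload = tarfile.TarInfo("public/shell.jsp"), b"<%-- constructed --%>"
        else:
            info, payload = tarfile.TarInfo("report.txt"), b"quarterly report"
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```

Running `inspect_tar(build_sample_archive(True))` reports the link member and the JSP member, while the benign archive yields no findings; a mail gateway could quarantine on any non-empty result.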
Zimbra released a security fix, Zimbra Collaboration Suite 9.0.0 P27, on October 10, 2022, replacing the vulnerable component (cpio) with pax and removing the weak part that made exploitation possible.
Users of Zimbra Collaboration Suite are advised to review the fix details and update to the latest version to fix the issue.
However, as soon as the vulnerability became public, the threat actors shifted gears and began mass targeting, hoping to compromise as many servers worldwide as possible before admins patched their systems and shut the door on intruders.