Last updated at Tue, 11 Oct 2022 20:16:41 GMT

Note: Zimbra release 9.0.0 P27 addressed this vulnerability on October 10, 2022.

CVE-2022-41352 is an unpatched remote code execution vulnerability in Zimbra Collaboration Suite that was discovered in the wild due to active exploitation. The vulnerability stems from the tool (cpio) that Zimbra's antivirus engine (Amavis) uses to extract inbound email attachments for scanning. Zimbra has provided a workaround, which is to install the pax utility and restart the Zimbra services. Note that pax is installed by default on Ubuntu, so Ubuntu-based Zimbra installations are not vulnerable by default.

Note: This vulnerability, CVE-2022-41352, is effectively identical to CVE-2022-30333 but leverages a different file format (.cpio and .tar as opposed to .rar). It is also a byproduct of a much older (unfixed) vulnerability, CVE-2015-1197. While the original CVE-2015-1197 affects most major Linux distros, our research team found that it is not exploitable unless a secondary application – such as Zimbra, in this case – uses cpio to extract untrusted archives; therefore, this post focuses only on Zimbra CVE-2022-41352.

Rapid7 has published technical documentation, including proof-of-concept (PoC) and indicator-of-compromise (IoC) information, regarding CVE-2022-41352 on AttackerKB.

Background

To exploit this vulnerability, an attacker would email a .cpio, .tar, or .rpm to an affected server. When Amavis inspects it for malware, it uses cpio to extract the file. Since cpio has no mode where it can be securely used on untrusted files, the attacker can write to any path on the filesystem that the Zimbra user can access. The most likely outcome is for the attacker to plant a shell in the web root to gain remote code execution, although other avenues likely exist.
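As an added illustration (not code from this post, from Zimbra or from Amavis), the following Python parses a newc-format cpio archive before anything is extracted and reports the entry kinds that let an unprivileged extractor write outside its working directory: absolute names, ".." components and symlink entries. The sample archive at the bottom is constructed inline so the scanner can run offline.

```python
NEWC_MAGIC = b"070701"
HEADER_LEN = 110                    # fixed ASCII header: magic + 13 hex fields
S_IFMT, S_IFLNK = 0o170000, 0o120000

def _pad4(n: int) -> int:
    return (n + 3) & ~3             # newc aligns names and file data to 4 bytes

def iter_newc_entries(data: bytes):
    """Yield (name, mode, payload) for each entry up to the TRAILER!!! record."""
    off = 0
    while off + HEADER_LEN <= len(data):
        hdr = data[off:off + HEADER_LEN]
        if hdr[:6] != NEWC_MAGIC:
            raise ValueError(f"not a newc cpio header at offset {off}")
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = f[1], f[6], f[11]
        name = data[off + HEADER_LEN:off + HEADER_LEN + namesize - 1].decode("latin-1")
        data_start = _pad4(off + HEADER_LEN + namesize)
        payload = data[data_start:data_start + filesize]
        off = _pad4(data_start + filesize)
        if name == "TRAILER!!!":
            return
        yield name, mode, payload

def unsafe_entries(data: bytes) -> list:
    """Return (name, reason) for entries an extractor should refuse to write."""
    findings = []
    for name, mode, payload in iter_newc_entries(data):
        if name.startswith("/"):
            findings.append((name, "absolute path"))
        elif ".." in name.split("/"):
            findings.append((name, "parent-directory traversal"))
        if (mode & S_IFMT) == S_IFLNK:          # symlink: the payload is its target
            findings.append((name, "symlink -> " + payload.decode("latin-1")))
    return findings

def _entry(name: str, mode: int, payload: bytes = b"") -> bytes:
    """Build one newc entry; used only to construct the sample archive below."""
    name_b = name.encode() + b"\0"
    fields = (0, mode, 0, 0, 1, 0, len(payload), 0, 0, 0, 0, len(name_b), 0)
    body = NEWC_MAGIC + "".join(f"{v:08x}" for v in fields).encode() + name_b
    body += b"\0" * (_pad4(len(body)) - len(body)) + payload
    return body + b"\0" * (_pad4(len(body)) - len(body))

# Constructed sample: a benign file, a symlink, a '..' name and an absolute name.
SAMPLE_ARCHIVE = (_entry("docs/readme.txt", 0o100644, b"hello\n")
                  + _entry("docs/link", 0o120777, b"/tmp/outside")   # symlink target
                  + _entry("../escape.txt", 0o100644, b"x") + _entry("/abs/file.txt", 0o100644)
                  + _entry("TRAILER!!!", 0))
```

Running unsafe_entries(SAMPLE_ARCHIVE) flags the symlink, the ".." name and the absolute name while passing the benign file; a mail gateway can apply the same gate before handing an attachment to any archive tool.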

As of October 6, 2022, CVE-2022-41352 is not patched, but Zimbra has acknowledged the risk of relying on cpio in a blog post where they recommend mitigations. CVE-2022-41352 was discovered in the wild due to active exploitation. Recently, CISA and others have warned of multiple threat actors leveraging other vulnerabilities in Zimbra, which makes it likely that threat actors will move to exploit this latest unpatched vulnerability as well. In August, Rapid7 reported on the active exploitation of multiple vulnerabilities in Zimbra Collaboration Suite.

Affected products

Please note that information on affected versions or requirements for exploitability may change as we learn more about the threat.

To be exploitable, two conditions must exist:

  1. A vulnerable version of cpio must be installed, which is the case on nearly every Linux system (see CVE-2015-1197)
  2. The pax utility must not be installed, as Amavis prefers pax and pax is not vulnerable

Unfortunately, pax is not installed by default on Red Hat-based distros, and therefore they are vulnerable by default. We tested all (current) Linux distros that Zimbra officially supports in their default configurations and determined the following:

Linux Distro                Vulnerable?
Oracle Linux 8              Vulnerable
Red Hat Enterprise Linux 8  Vulnerable
Rocky Linux 8               Vulnerable
CentOS 8                    Vulnerable
Ubuntu 20.04                Not vulnerable (pax is installed by default)
Ubuntu 18.04                Not vulnerable (pax is installed, cpio has Ubuntu's custom patch)

Zimbra says that their plan is to remove the dependency on cpio entirely by making pax a prerequisite for Zimbra Collaboration Suite. Moving to pax is the best option since cpio cannot be used securely (because most major operating systems removed a security patch).

Remediation

Zimbra released a patch for CVE-2022-41352 on October 10, 2022. The patched version is Zimbra Collaboration Suite 9.0.0 P27. Organizations that use Zimbra should update immediately, without waiting for a regular patch cycle.

If you are unable to update your Zimbra version, you can apply Zimbra's recommended workaround, which is to install the pax archive utility, then restart Zimbra or reboot. We strongly recommend patching, as 9.0.0 P27 also resolves several other vulnerabilities, including CVE-2022-37393, a root privilege escalation.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2022-41352 via an authenticated vulnerability check (supported by agent and scanner based assessments) available in the October 6 content release (ContentOnly-content-1.1.2667-202210061843). This check will identify systems with an affected version of Zimbra Collaboration Suite installed where the pax package is not available. There is no change required to the default scan templates to enable this check.

Our engineering team is working on updated vulnerability checks to account for the newly released patch.

Updates

October 6, 2022, 3:30pm ET: Updated to include information on the newly released InsightVM/Nexpose check for CVE-2022-41352.

October 11, 2022: Zimbra has released Zimbra Collaboration Suite 9.0.0 P27 to address this vulnerability, as well as other security issues. Our engineering team is working on updating our vulnerability checks to account for the patch.
