Zimbra Remote Code Execution Vulnerability Actively Exploited in the Wild

Mitigation advice provided during patch development

A zero-day remote code execution (RCE) vulnerability in Zimbra is being actively exploited in the wild.

The bug has been attributed to the tracker CVE-2022-41352 end of September. With a CVSS severity score of 9.8, the critical issue can be exploited to directly crash a shell into the root of the software, achieving RCE and allowing attackers to wreak havoc on a vulnerable system.

Zimbra, formerly known as Zimbra Collaboration Suite (ZCS), is an open source messaging suite. The software is used by millions of users and is designed to manage enterprise and SMB messaging and collaboration tools.

Learn about the latest news on web security vulnerabilities

According Rapid7’s AttackerKB projectCVE-2022-41352 is an RCE that “results from insecure use of the cpio utility, specifically Zimbra’s (Amavis) antivirus engine’s use of the vulnerable cpio utility to scan emails incoming”.

To launch a successful attack, a threat actor would need to email a file, or to a vulnerable server. Amavis would then scan the message for malware and use the cpio file utility to extract its contents.

However, there is a “loophole” where attackers could take advantage to write to a target folder, or as Rapid7 puts it, “write to any filesystem path that the Zimbra user can access”.

Once inside, for example, an attacker may be able to extract emails, tamper with user accounts, erase information, or run Business Email Compromise (BEC) scams.

Oracle Linux 8, Red Hat Enterprise Linux 8, Rocky Linux 8, and CentOS 8 builds are vulnerable.

“Effectively identical”

Rapid7 researchers noted that CVE-2022-41352 is “effectively identical” to CVE-2022-30333, a path traversal bug in RarLab’s unrar binary that also triggers an RCE in Zimbra. The only difference seems to be the file type (, instead of).

According to Rapid7 researcher Ron Bowes, the vulnerability is an exploit path for CVE-2015-1194, a bug that was patched in 2019. However, it appears that some distros are unintentionally removing the patch.

A Zimbra forum post indicates that the vulnerability is being actively exploited in the wild. The proof-of-concept (PoC) exploit code has been released.

Zimbra has acknowledged the vulnerability and says a fix is ​​in development. In the meantime, Zimbra urges users to immediately install the pax package and restart Zimbra as a workaround.

Pax is used to read or write the contents of archived files and is not vulnerable to this exploit – but, unfortunately, Pax is not included by default. If Pax has not been installed, Amavis will fall back to cpio, and Zimbra says the “poor implementation” of this process created the vulnerability in the first place.

Zimbra intends to remove the cpio dependency and make Pax a requirement.

There is better news for Ubuntu users – Pax is installed by default in Ubuntu 20.04, and in Ubuntu 18.04 a custom patch released for cpio provides protection.

The daily sip has reached out to Zimbra with additional questions and will update this story if and when we hear.

RECOMMENDED The policy-as-code approach against “cloud-native” security risks

Previous Flashback: Smartphone camera sensors have gotten not only bigger, but also smarter
Next How Precision and Accuracy Help Legal Research