Zimbra-CVE-2022-41352 is an unpatched remote code execution vulnerability in Zimbra Collaboration Suite, discovered in the wild due to active exploitation. The vulnerability lies in the method (cpio) that Zimbra’s antivirus engine (Amavis) uses to scan inbound emails.
The vulnerability is triggered when Amavis, Zimbra’s antivirus engine, uses the cpio method to scan a received malicious email. It affects Zimbra installations on Linux distributions where the vulnerable cpio method is in use.
Affected Linux distributions are listed as:
- Oracle Linux 8
- Red Hat Enterprise Linux 8
- Rocky Linux 8
- CentOS 8
To exploit this vulnerability, an attacker would email a .rpm to an affected server. When Amavis inspects it for malware, it uses cpio to extract the file. Since cpio has no mode where it can be securely used on untrusted files, the attacker can write to any path on the filesystem that the Zimbra user can access. The most likely outcome is for the attacker to plant a shell in the web root to gain remote code execution, although other avenues likely exist.
Mitigation for vulnerability in Zimbra
The pax utility is Amavis’s preferred archive extraction method, tried before cpio, and it is not vulnerable. If pax is not already installed, installing it on the hosts running the affected Zimbra services and restarting those services mitigates the issue. See Zimbra’s blog for instructions on installing pax on the affected Linux distributions.
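An added host check (example code, not from the advisory or from Zimbra) that ties the two facts above together: a host needs attention when it runs one of the listed distributions and has no pax binary, because Amavis then falls back to cpio. The check reads the standard `ID`/`VERSION_ID` fields of `/etc/os-release` (`ol`, `rhel`, `rocky`, `centos` are the real IDs for the four listed distributions); everything else is a labelled assumption in the comments.

```shell
#!/bin/sh
# Added example: report whether this Zimbra host still relies on the cpio
# extraction path (CVE-2022-41352). Amavis prefers pax when it is present,
# so "affected distro AND no pax" is the condition to flag.

# is_affected_distro ID VERSION_ID
# Returns 0 when the distro/version is one of the four listed in the advisory.
is_affected_distro() {
    _id="$1"
    _major="${2%%.*}"          # VERSION_ID may be "8.6"; only the major matters
    case "$_id" in
        ol|rhel|rocky|centos) [ "$_major" = "8" ] ;;
        *) return 1 ;;
    esac
}

# cve_2022_41352_status ID VERSION_ID PAX_PATH
# Prints "mitigated", "vulnerable" or "not-listed" (distro not in the advisory).
cve_2022_41352_status() {
    if is_affected_distro "$1" "$2"; then
        if [ -n "$3" ]; then
            echo "mitigated"      # pax present: Amavis will use it before cpio
        else
            echo "vulnerable"     # cpio fallback still reachable via inbound mail
        fi
    else
        echo "not-listed"
    fi
}

# Live check against the current host (assumes /etc/os-release exists, which
# it does on all four listed distributions). Exits non-zero while the cpio
# fallback is still in play, so it can gate a config-management run.
check_host() {
    [ -r /etc/os-release ] || { echo "unknown: no /etc/os-release" >&2; return 2; }
    . /etc/os-release
    _pax="$(command -v pax 2>/dev/null || true)"
    _status="$(cve_2022_41352_status "$ID" "$VERSION_ID" "$_pax")"
    echo "$ID $VERSION_ID pax=${_pax:-none}: $_status"
    [ "$_status" != "vulnerable" ]
}
```

Run `check_host` on the Zimbra host after installing pax and restarting the services; a "mitigated" line confirms Amavis will no longer reach the cpio path.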