Unpatched RCE Vulnerability in Zimbra Actively Exploited

CVE-2022-41352 is an unpatched remote code execution vulnerability in Zimbra Collaboration Suite that came to light because it was already being exploited in the wild. The flaw lies in how Amavis, the content filter that unpacks attachments for Zimbra's antivirus scanning, extracts archive attachments from inbound email: when the pax utility is not installed, Amavis falls back to cpio.

Because the exposure depends on that fallback, only Zimbra installations where pax is absent (and cpio is therefore used) are affected. Zimbra installations on the following Linux distributions, where pax is not installed by default, are affected:

  • Oracle Linux 8 
  • Red Hat Enterprise Linux 8 
  • Rocky Linux 8 
  • CentOS 8

To exploit this vulnerability, an attacker only has to email a crafted .cpio, .tar, or .rpm attachment to any mailbox on an affected server. No credentials are needed, because inbound mail is scanned before it is delivered.

When Amavis inspects the attachment for malware, it extracts it with cpio. cpio has no mode in which it can safely extract untrusted archives, so a malicious archive can write files to any path that is writable by the zimbra user Amavis runs as. The most likely outcome is a web shell planted in the Zimbra web root, which gives the attacker remote code execution as the zimbra user, although other avenues to code execution likely exist.

Mitigation for the vulnerability in Zimbra

Amavis prefers pax over cpio whenever pax is available, and pax is not affected by this issue. Installing the pax archive utility on the Zimbra host and then restarting the Zimbra services is therefore enough to mitigate the vulnerability until Zimbra ships a patched release. Check Zimbra's blog for the installation steps on each affected Linux distribution. After the restart, confirm that pax is actually visible to Amavis, since it is Amavis, not the administrator's shell, that has to find the binary.
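The following script is an added example, not code from the original article or from Zimbra. It mirrors the pax-first, cpio-fallback selection described above to report whether a host is exposed, and lists recently changed files under the web root as a quick hunt for a planted web shell. The web-root location and the 7-day window are assumptions, not values from the advisory.

```shell
#!/bin/sh
# Added example (not from the original article or from Zimbra): a host check
# that mirrors the behaviour the advisory describes. Amavis unpacks archive
# attachments with pax when it is available and falls back to cpio otherwise,
# so "is this host exposed to CVE-2022-41352?" reduces to "is pax on the PATH
# that Amavis searches?". The web-root path below is an assumption.

ZIMBRA_WEBROOT=${ZIMBRA_WEBROOT:-/opt/zimbra/jetty/webapps/zimbra}  # assumed path

# find_in_path NAME PATHLIST: succeed if an executable NAME exists in any
# directory of the colon-separated PATHLIST.
find_in_path() {
    _name=$1
    _saved_ifs=$IFS
    IFS=:
    for _dir in $2; do
        if [ -f "$_dir/$_name" ] && [ -x "$_dir/$_name" ]; then
            IFS=$_saved_ifs
            return 0
        fi
    done
    IFS=$_saved_ifs
    return 1
}

# amavis_archiver PATHLIST: print which extractor Amavis would end up using,
# following the pax-first, cpio-fallback order the advisory describes.
amavis_archiver() {
    if find_in_path pax "$1"; then
        echo pax
    elif find_in_path cpio "$1"; then
        echo cpio
    else
        echo none
    fi
}

# recent_files DIR MINUTES: list regular files under DIR modified within the
# last MINUTES minutes. Used to spot files dropped into the web root.
recent_files() {
    [ -d "$1" ] || return 1
    find "$1" -type f -mmin "-$2" -print
}

# check_host: report the extractor Amavis would pick for the current PATH and
# show anything recently written under the web root.
check_host() {
    case "$(amavis_archiver "$PATH")" in
        pax)  echo "OK: pax found, Amavis will prefer it over cpio" ;;
        cpio) echo "EXPOSED: pax missing, Amavis falls back to cpio (CVE-2022-41352);"
              echo "         install pax and restart Zimbra services" ;;
        none) echo "INFO: neither pax nor cpio found on PATH" ;;
    esac
    echo "Files changed under $ZIMBRA_WEBROOT in the last 7 days (review any unexpected .jsp):"
    recent_files "$ZIMBRA_WEBROOT" 10080 || echo "  (web root not found at $ZIMBRA_WEBROOT)"
}

# Only run the check on a host that actually has Zimbra installed.
if [ -d /opt/zimbra ]; then
    check_host
fi
```

Run it as the zimbra user so the PATH matches the account Amavis runs under. Amavis also has its own search path setting, `$path` in amavisd.conf; for an exact answer, pass that value to `amavis_archiver` instead of `$PATH`. A hit in the web-root listing is not proof of compromise, but any .jsp you cannot account for deserves a closer look.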


Published October 10th, 2022 | Security Advisory, Security Update, vulnerability

About the Author:

FirstHackersNews- Identifies Security