Researchers say hackers are ‘likely’ to continue exploiting critical zero day in Zimbra Collaboration Suite
Researchers have offered more information about the critical unpatched Remote Code Execution (RCE) vulnerability in Zimbra Collaboration Suite. The critical vulnerability, CVE-2022-41352, was rated 9.8 and was first publicly acknowledged by Zimbra as actively exploited in the wild in mid-September.
In a blog post yesterday, Rapid7 researchers said that because CISA and others recently reported multiple threat actors exploiting other vulnerabilities in Zimbra, it is likely that those threat actors would “logically move on to exploit” CVE-2022-41352, the latest unpatched vulnerability.
Rapid7 researchers explained that the vulnerability arises because Zimbra’s antivirus engine uses the cpio utility to scan incoming emails. cpio has a flaw that lets an attacker craft an archive that can access any file in Zimbra. Zimbra published a workaround in a blog post on September 14, recommending that administrators install the pax utility and restart the Zimbra services.
John Bambenek, principal threat hunter at Netenrich, explained that this vulnerability works by sending a malicious compressed archive file (.cpio, .tar or .rpm) which would then overwrite system files with the permissions of the Zimbra service under which it executes. He said the issue relies on cpio and an unpatched vulnerability in it, so Zimbra is preparing to use a more secure alternative.
“As mail servers inherently receive unreliable communications from the Internet, every installation, especially those on Red Hat-based operating systems, is vulnerable to attackers who simply send messages and drop files onto their files,” Bambenek said. “Users can install pax instead on vulnerable systems and restart their mail server to mitigate the threat.”
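The workaround described above (pax installed, Zimbra services restarted) is easy to verify from a shell. The following script is an added example, not code from the article, from Zimbra or from Rapid7: it reports whether a pax binary is present in a given search path, and prints the remediation steps for an operator to review rather than executing them. The `yum` package name `pax`, the `zmcontrol restart` command run as the `zimbra` user, and the `--check` flag are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the article, Zimbra or Rapid7): check whether the
# pax prerequisite for the CVE-2022-41352 workaround is present on a host.

# Print "mitigated" if an executable named pax exists in the colon-separated
# search path given as $1 (defaults to $PATH), otherwise "vulnerable".
# Taking the path as an argument lets the check be exercised against a
# constructed directory as well as the live system.
pax_status() {
    search_path="${1:-$PATH}"
    old_ifs="$IFS"
    IFS=:
    for dir in $search_path; do
        if [ -x "$dir/pax" ]; then
            IFS="$old_ifs"
            echo mitigated
            return 0
        fi
    done
    IFS="$old_ifs"
    echo vulnerable
    return 0
}

# Print, without running, the two steps the article's workaround consists of.
# Package name and restart command are assumptions for a Red Hat-style host.
remediation_hint() {
    cat <<'EOF'
# 1. install pax (assumed package name on the Red Hat family):
sudo yum install -y pax
# 2. restart Zimbra services as the zimbra user (assumed command):
su - zimbra -c 'zmcontrol restart'
EOF
}

# Usage on a live host: sh zimbra_pax_check.sh --check
if [ "${1:-}" = "--check" ]; then
    status=$(pax_status "$PATH")
    echo "pax in PATH: $status"
    if [ "$status" = vulnerable ]; then
        remediation_hint
    fi
fi
```

The check deliberately stops at reporting: installing packages and restarting a mail server are changes an operator should schedule, and the script only confirms whether the prerequisite the article names is already satisfied.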