Hackers have compromised hundreds of servers by exploiting the Zimbra CVE-2022-41352 bug

Hackers have compromised hundreds of servers by exploiting the critical flaw CVE-2022-41352 in Zimbra Collaboration Suite (ZCS).

Last week, researchers at Rapid7 warned of the active exploitation of an unpatched zero-day remote code execution vulnerability, tracked as CVE-2022-41352, in Zimbra Collaboration Suite.

Rapid7 has posted technical details, including proof-of-concept (PoC) code and indicators of compromise (IoCs) for CVE-2022-41352, on AttackerKB.

The bad news is that, at the time of Rapid7's report, the vulnerability had not yet been patched by the vendor; the issue carries a CVSS score of 9.8.

“CVE-2022-41352 is an unpatched remote code execution vulnerability in Zimbra Collaboration Suite discovered in the wild due to active exploitation.” reported Rapid7. “The vulnerability is due to the method (cpio) in which Zimbra’s antivirus engine (Amavis) scans incoming emails. Zimbra provided a workaround, which is to install the pax utility and restart the Zimbra services. Note that pax is installed by default on Ubuntu, so Ubuntu-based Zimbra installations are not vulnerable by default.”

Experts pointed out that the vulnerability is due to the method (cpio) used by Zimbra’s antivirus engine (Amavis) to scan incoming emails.

According to Zimbra users, the vulnerability has been actively exploited since early September 2022. Threat actors exploit the issue to drop JSP files into the web client's public directory simply by sending an email with a malicious attachment.

“We have an incident where the attacker managed to upload jsp files to the Client/public web directory by simply sending an email with a malicious attachment.” a user wrote on the Zimbra forum.

Kaspersky researchers investigated the attacks and confirmed that unknown APT groups were actively exploiting the CVE-2022-41352 flaw in the wild. Kaspersky also observed one actor systematically infecting every vulnerable server it could reach in Central Asia.

Volexity researchers are also investigating attacks exploiting this flaw and have already identified approximately 1,600 ZCS servers worldwide that were likely compromised through this vulnerability.

To make matters worse, PoC exploit code for this issue was added to the Metasploit framework on October 7, 2022.

Below is the infection chain as described by Kaspersky:

  1. An attacker sends an email with a malicious Tar archive as an attachment.
  2. Upon receipt of the email, Zimbra submits it to Amavis for spam and malware inspection.
  3. Amavis scans email attachments and inspects the contents of attached archives. It calls cpio and CVE-2015-1197 is triggered.
  4. During extraction, a JSP webshell is deployed to one of the public directories used by the webmail component. The attacker can access the webshell to start executing arbitrary commands on the victim machine.
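
The chain above hinges on how the archive is unpacked. The check below is an added example, not code from this page, from Zimbra or from Amavis: it walks a tar archive in member order and flags a symbolic link whose target leaves the extraction root, then any later member whose path passes through such a link. That symlink-then-file pattern is the general mechanism of CVE-2015-1197 in cpio, which the page names but does not spell out, and it is what a link-following extractor gets wrong. The extraction root is assumed to be the archive's own `.`; the sample archives, including the Zimbra public-directory path used as a link target, are constructed for the example.

```python
"""Static check for tar attachments that a link-following extractor
would write outside its extraction directory (the bug class of
CVE-2015-1197 in cpio, which Amavis used to unpack attachments).

Added illustration, not Zimbra's or Amavis's code. The extraction root
is assumed to be the archive's own '.'; member names, link targets and
the Zimbra directory below are constructed for the example.
"""
import io
import posixpath
import tarfile


def escape_reason(path, escaping):
    """Why `path` (already normalised) resolves outside '.', or None.
    `escaping` holds names of symlinks already known to leave the root,
    so a path that merely passes through one of them is caught too."""
    if path.startswith("/"):
        return "absolute path"
    if path == ".." or path.startswith("../"):
        return "path climbs above the extraction root"
    parts = path.split("/")
    for i in range(1, len(parts) + 1):
        prefix = "/".join(parts[:i])
        if prefix in escaping:
            return f"path passes through escaping symlink {prefix!r}"
    return None


def unsafe_members(data):
    """Return [(member name, reason)] for entries of the tar bytes `data`
    that would land outside the extraction root.

    Members are examined in archive order because the dangerous shape
    is a symlink followed by a member whose path goes through it; the
    second member's own name looks harmless in isolation."""
    findings = []
    escaping = set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf:
            name = posixpath.normpath(m.name)
            why = escape_reason(name, escaping)
            if why:
                findings.append((m.name, why))
                continue
            if m.issym():
                target = m.linkname
                if not target.startswith("/"):
                    # Relative link targets resolve from the link's own directory.
                    target = posixpath.join(posixpath.dirname(name), target)
                why = escape_reason(posixpath.normpath(target), escaping)
                if why:
                    escaping.add(name)
                    findings.append((m.name, f"symlink to {m.linkname!r}: {why}"))
    return findings


def build_tar(entries):
    """Build an uncompressed tar in memory from (name, kind, payload)
    tuples, kind 'file' (payload: bytes) or 'symlink' (payload: target).
    Only used to construct sample archives for the check."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tf.addfile(info)
            else:
                info.size = len(payload)
                tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a link into the (assumed) public webmail
    # directory, then a file whose path runs through that link.
    hostile = build_tar([
        ("pub", "symlink", "/opt/zimbra/jetty_base/webapps/zimbra/public"),
        ("pub/x.jsp", "file", b"<%-- placeholder content, not a webshell --%>"),
    ])
    for name, why in unsafe_members(hostile):
        print(f"REJECT {name}: {why}")
    benign = build_tar([
        ("docs/readme.txt", "file", b"hello"),
        ("docs/latest", "symlink", "readme.txt"),  # stays inside docs/
    ])
    print("benign archive findings:", unsafe_members(benign))
```

A symlink whose target stays inside the extraction root is left alone, so archives that legitimately carry relative links still pass; only links that resolve above `.` (directly, or through an earlier escaping link) and the members written through them are reported.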

Kaspersky observed two successive waves of attacks exploiting this flaw. The first wave, in early September, was targeted in nature and hit government organizations in Asia.

The second, which began on September 30, had a much broader reach and targeted all vulnerable servers located in certain Central Asian countries.

“Now that a proof of concept has been added to Metasploit, we expect a third wave to begin imminently, likely with ransomware as the end goal this time.” reads the post published by Kaspersky.

Kaspersky also shared indicators of compromise, including paths that are known locations for webshells deployed to exploit the CVE-2022-41352 flaw.

Zimbra has since released version 9.0.0 Patch 27 to address the issue and also provided a manual mitigation (installing the pax utility and restarting the Zimbra services) to prevent successful exploitation of CVE-2022-41352 on systems that have not yet been updated.
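
For an operator checking a host against the workaround and the patch level, and hunting for JSP files dropped into the public webmail directories, the helpers below are an added example, not Zimbra's tooling and not taken from this page. Assumptions: the directory paths, the shape of the `zmcontrol -v` output the version check parses (a constructed sample line is included), and that only 9.0.0 Patch 27, the fixed version named on this page, is treated as fixed, so any other release is reported as unpatched. Legitimate JSP files exist in those directories, so the scan keys on modification time rather than mere presence, and a forged timestamp would evade it.

```python
"""Host-side triage helpers for CVE-2022-41352: is pax present (the
workaround), is the patch level at or above 9.0.0 P27 (the fix named
on this page), and which JSP files appeared in the public webmail
directories after a given time.

Added example, not Zimbra's tooling. Directory paths, the assumed
format of `zmcontrol -v` output and the fixed-version table are
assumptions; legitimate JSPs live in these directories, so the scan
keys on modification time, which an attacker can also forge.
"""
import os
import re
import shutil
import time

# Assumed locations of the public webmail directories on a default install.
PUBLIC_DIRS = (
    "/opt/zimbra/jetty_base/webapps/zimbra/public",
    "/opt/zimbra/jetty_base/webapps/zimbraAdmin/public",
)

# Release -> first patch level containing the fix (only the one this page names).
FIXED_PATCH = {"9.0.0": 27}

# Assumed shape of the `zmcontrol -v` line, e.g. "... FOSS edition, Patch 9.0.0_P27."
_PATCH_RE = re.compile(r"Patch\s+(\d+\.\d+\.\d+)_P(\d+)")


def pax_available():
    """True when pax is on PATH, so Amavis unpacks archives with it instead of cpio."""
    return shutil.which("pax") is not None


def parse_patch_level(version_line):
    """Return (release, patch number) from a zmcontrol -v line, or None."""
    m = _PATCH_RE.search(version_line)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def is_patched(version_line):
    """True only when the release is known and its patch level reaches the fix;
    unknown releases or unparsable output are reported as unpatched."""
    parsed = parse_patch_level(version_line)
    if parsed is None:
        return False
    release, patch = parsed
    return release in FIXED_PATCH and patch >= FIXED_PATCH[release]


def list_files(dirs):
    """Yield (path, mtime) for every regular file under the given directories;
    directories that do not exist on this host are skipped."""
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for root, _subdirs, files in os.walk(d):
            for f in files:
                p = os.path.join(root, f)
                try:
                    yield p, os.stat(p).st_mtime
                except OSError:
                    continue


def recent_jsp(entries, since_epoch):
    """From (path, mtime) pairs keep *.jsp files modified at or after
    `since_epoch`, oldest first. Pure, so it runs over any listing."""
    hits = [(p, t) for p, t in entries
            if p.lower().endswith(".jsp") and t >= since_epoch]
    return sorted(hits, key=lambda pt: pt[1])


if __name__ == "__main__":
    print("pax on PATH:", pax_available())
    # Constructed sample line in the assumed zmcontrol -v format.
    sample = "Release 9.0.0.GA.4258.UBUNTU20.64 UBUNTU20_64 FOSS edition, Patch 9.0.0_P26."
    print("patched:", is_patched(sample))
    # Anything modified in the last 60 days; tune to your own exposure window.
    cutoff = time.time() - 60 * 86400
    for p, t in recent_jsp(list_files(PUBLIC_DIRS), cutoff):
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(t)), p)
```

Run it as the zimbra user on the mail host and compare the listed files against the vendor's published IoC paths and a known-good install; any JSP the baseline does not account for warrants a content review regardless of its timestamp.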

Pierluigi Paganini
