On September 10, 2022, a user reported on Zimbra’s official forums that their team detected a security incident originating from a fully patched instance of Zimbra. The details they provided allowed Zimbra to confirm that an unknown vulnerability allowed attackers to upload arbitrary files to up-to-date servers. At the moment, Zimbra has released a patch and shared its installation steps. In addition, manual mitigation steps can be undertaken by system administrators to prevent successful exploitation (see below).
Kaspersky investigated the threat and was able to confirm that unknown APT groups have actively been exploiting this vulnerability in the wild, one of which is systematically infecting all vulnerable servers in Central Asia.
On October 7, 2022, a proof of concept for this vulnerability was added to the Metasploit framework, laying the groundwork for massive and global exploitation from even low-sophistication attackers.
The vulnerability affects a component of the Zimbra suite called Amavis, and more specifically the cpio utility it uses to extract archives. The underlying cause is another vulnerability (CVE-2015-1197) in cpio, for which a fix is available. Inexplicably, distribution maintainers appear to have reverted the patch and use a vulnerable version instead. This creates a large attack surface where any software relying on cpio might in theory be leveraged to take over the system. CVE-2015-1197 is a directory traversal vulnerability: extracting specially crafted archives containing symbolic links can cause files to be placed at an arbitrary location in the file system.
In the context of CVE-2022-41352, the exploitation scenario unfolds as follows:
- An attacker sends an e-mail with a malicious Tar archive attached.
- On receiving the e-mail, Zimbra submits it to Amavis for spam and malware inspection.
- Amavis analyzes the e-mail attachments and inspects the contents of the attached archive. It invokes cpio and CVE-2015-1197 is triggered.
- During the extraction, a JSP webshell is deployed on one of the public directories used by the webmail component. The attacker can browse to the webshell to start executing arbitrary commands on the victim machine.
Since Zimbra released a patch for this vulnerability, the best course of action is to update your devices immediately. If this for some reason is not possible, installing pax on the machine hosting the Zimbra installation will prevent the vulnerability from being exploitable. pax is available from package managers (such as apt and yum) of all major Linux distributions. Among all Linux variants officially supported by Zimbra, only Ubuntu installs pax by default and is therefore not affected by CVE-2022-41352:
|Vulnerable to CVE-2022-41352
|Red Hat Enterprise Linux 7
|Red Hat Enterprise Linux 8
|Oracle Linux 7
|Oracle Linux 8
|Rocky Linux 8
|Ubuntu 16.04 LTS
|Ubuntu 18.04 LTS
|Ubuntu 20.04 LTS
Please note that installing pax doesn’t address the root issue with any distribution, where other program paths both within and outside of Zimbra could still cause cpio to process untrusted data.
The vulnerability covered in this post was exploited during two successive attack waves. The first, taking place in early September, appears to have been relatively targeted and affected government targets in Asia. The second, which started on September 30, was much more massive in scope and went after all vulnerable servers located in specific Central Asian countries. Now that a proof of concept has been added to Metasploit, we expect a third wave to begin imminently, likely with ransomware as an end-goal this time.
After taking the aforementioned mitigation steps, owners of Zimbra servers are encouraged to check for traces of compromise. The following paths are known locations for webshells deployed by malicious actors currently leveraging CVE-2022-41352:
In addition, it is worth noting that the Metasploit exploit drops its webshell in the following location:
/opt/zimbra/jetty_base/webapps/zimbra/[4-10 random characters].jsp
If you discover one of these files on your Zimbra installation, please contact an incident response specialist as soon as possible. Removing the file is not enough. Performing disinfection on Zimbra is extremely difficult, as the attacker will have had access to configuration files containing passwords used by various service accounts. These credentials can be used to regain access to the server if the administrative panel is accessible from the internet. In addition, considering the rudimentary nature of all webshells we have discovered so far, it is almost certain that attackers will deploy more robust and sophisticated backdoors as soon as they get the chance.
Kaspersky products offer full coverage against this threat and block any attempt at exploiting CVE-2022-41352. We detect exploits using the vulnerability as HEUR:Exploit.Multi.CVE-2022-41352.gen. More information about the two attack waves is available via our Threat Intelligence reporting service, please contact firstname.lastname@example.org for details.