
Threat actors hacked hundreds of servers by exploiting Zimbra CVE-2022-41352 bug

Threat actors have compromised hundreds of servers exploiting critical flaw CVE-2022-41352 in Zimbra Collaboration Suite (ZCS).

Last week, researchers from Rapid7 warned of the exploitation of an unpatched zero-day remote code execution vulnerability, tracked as CVE-2022-41352, in the Zimbra Collaboration Suite.

Rapid7 has published technical details, including a proof-of-concept (PoC) code and indicators of compromise (IoCs) regarding CVE-2022-41352 on AttackerKB.

The bad news is that the vulnerability has yet to be patched by the vendor; the issue has been rated CVSS 9.8.

“CVE-2022-41352 is an unpatched remote code execution vulnerability in Zimbra Collaboration Suite discovered in the wild due to active exploitation,” reported Rapid7. “The vulnerability is due to the method (cpio) in which Zimbra’s antivirus engine (Amavis) scans inbound emails. Zimbra has provided a workaround, which is to install the pax utility and restart the Zimbra services. Note that pax is installed by default on Ubuntu, so Ubuntu-based Zimbra installations are not vulnerable by default.”

The experts pointed out that the vulnerability is due to the method (cpio) used by Zimbra’s antivirus engine (Amavis) to scan the inbound emails.

According to Zimbra users, the vulnerability has been actively exploited since early September 2020. Threat actors are exploiting the issue to upload JSP files into the Web Client /public directory simply by sending an email with a malicious attachment.

“We have an incident where the attacker managed to upload jsp files into Web Client /public directory by simply sending in an email with malicious attachment,” a user wrote on the Zimbra forum.

Kaspersky researchers investigated the attacks and confirmed that unknown APT groups have actively been exploiting the CVE-2022-41352 flaw in the wild. One threat actor systematically infects all vulnerable servers in Central Asia.

Volexity researchers are also investigating the attacks exploiting this flaw and have already identified approximately 1,600 ZCS servers worldwide that are likely compromised as a result of this CVE.

To make the situation worse, a PoC exploit code for this issue was added to the Metasploit framework on October 7, 2022.

Below is the exploitation process described by Kaspersky:

  1. An attacker sends an e-mail with a malicious Tar archive attached.
  2. On receiving the e-mail, Zimbra submits it to Amavis for spam and malware inspection.
  3. Amavis analyzes the e-mail attachments and inspects the contents of the attached archive. It invokes cpio and CVE-2015-1197 is triggered.
  4. During the extraction, a JSP webshell is deployed on one of the public directories used by the webmail component. The attacker can browse to the webshell to start executing arbitrary commands on the victim machine.
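Step 3 is where a defender can intervene: the archive handed to the extractor can be inspected for entries that would land outside the extraction directory before anything is written. The scanner below is an added illustration, not code from the article, Kaspersky or Zimbra; it assumes the attachment is available as tar bytes (Python's tarfile module, which never extracts while iterating) and flags the three patterns that let an archive escape its target directory: absolute or `..` paths, link targets that leave the root, and files written through a directory an earlier symlink member redirected (the write-through-symlink behaviour behind cpio CVE-2015-1197). The sample archive is constructed in memory for the demonstration.

```python
import io
import posixpath
import tarfile


def _escapes(path: str) -> bool:
    """True if the normalized path is absolute or climbs above the root."""
    norm = posixpath.normpath(path)
    return norm.startswith("/") or norm == ".." or norm.startswith("../")


def unsafe_members(data: bytes) -> list:
    """Return (member, reason) for each entry an extractor should refuse:
    escaping paths, escaping link targets, and files written through a
    directory that an earlier symlink member redirected (CVE-2015-1197)."""
    findings, symlink_dirs = [], set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar:  # iterating the archive never extracts anything
            name = posixpath.normpath(m.name)
            if _escapes(name):
                findings.append((m.name, "path escapes extraction root"))
                continue
            if m.issym() or m.islnk():
                # hard links are archive-relative; symlinks resolve from their own directory
                target = m.linkname if m.islnk() else posixpath.join(posixpath.dirname(name), m.linkname)
                if _escapes(target):
                    findings.append((m.name, f"link target escapes: {m.linkname}"))
                if m.issym():
                    symlink_dirs.add(name)
                continue
            parts = name.split("/")
            if any("/".join(parts[:i]) in symlink_dirs for i in range(1, len(parts))):
                findings.append((m.name, "written through an earlier symlink"))
    return findings


def build_sample() -> bytes:
    """Constructed in-memory archive (not a captured sample): one benign file plus the three patterns above."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, payload=b"x"):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        add("report.txt")            # benign, must not be flagged
        add("../outside.txt")        # parent-directory traversal
        link = tarfile.TarInfo("out")
        link.type, link.linkname = tarfile.SYMTYPE, "/tmp"
        tar.addfile(link)            # symlink pointing outside the root
        add("out/file.txt")          # regular file written through that symlink
    return buf.getvalue()
```

Running `unsafe_members(build_sample())` reports the three crafted entries and leaves `report.txt` alone; a mail gateway would quarantine the message rather than pass the archive to cpio.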

Kaspersky observed two successive attack waves exploiting this issue. The first, in early September, was targeted in nature and aimed at government targets in Asia.

The second, which started on September 30, was much broader in scope and hit any vulnerable servers located in some Central Asian countries.

“Now that a proof of concept has been added to Metasploit, we expect a third wave to begin imminently, likely with ransomware as an end-goal this time,” reads the post published by Kaspersky.

Kaspersky also shared indicators of compromise, including the paths that are known locations for webshells deployed to exploit the CVE-2022-41352 flaw.

Zimbra has released version 9.0.0 P27 to address the issue and provided manual mitigation to prevent the successful exploitation of the CVE-2022-41352 flaw.


Pierluigi Paganini

(SecurityAffairs – hacking, Zimbra)

