VULNERABILITY CLUSTERF**K!

Unpatched Zimbra flaw under attack is letting hackers backdoor servers

The flaw has been under attack since at least early September.

Dan Goodin

An unpatched code-execution vulnerability in the Zimbra Collaboration software is under active exploitation by attackers, who are using it to backdoor servers.

The attacks began no later than September 7. A few days later, a Zimbra customer reported that a server running the company's Amavis spam-filtering engine had processed an email containing a malicious attachment. Within seconds, the scanner copied a malicious Java file to the server and then executed it. With that, the attackers had installed a web shell, which they could then use to log in to and take control of the server.

Zimbra has yet to release a patch fixing the vulnerability. Instead, the company published this guidance that advises customers to ensure a file archiver known as pax is installed. Unless pax is installed, Amavis processes incoming attachments with cpio, an alternate archiver that has known vulnerabilities that were never fixed.

"If the pax package is not installed, Amavis will fall-back to using cpio," Zimbra employee Barry de Graaff wrote. "Unfortunately the fall-back is implemented poorly (by Amavis) and will allow an unauthenticated attacker to create and overwrite files on the Zimbra server, including the Zimbra webroot."

The post went on to explain how to install pax. The utility comes loaded by default on Ubuntu distributions of Linux, but must be manually installed on most other distributions. The Zimbra vulnerability is tracked as CVE-2022-41352.

The zero-day vulnerability is a byproduct of CVE-2015-1197, a known directory traversal vulnerability in cpio. Researchers for security firm Rapid7 said recently that the flaw is exploitable only when Zimbra or another secondary application uses cpio to extract untrusted archives.

Rapid7 researcher Ron Bowes wrote:

To exploit this vulnerability, an attacker would email a .cpio, .tar, or .rpm to an affected server. When Amavis inspects it for malware, it uses cpio to extract the file. Since cpio has no mode where it can be securely used on untrusted files, the attacker can write to any path on the filesystem that the Zimbra user can access. The most likely outcome is for the attacker to plant a shell in the web root to gain remote code execution, although other avenues likely exist.

Bowes went on to clarify that two conditions must exist for CVE-2022-41352:

  1. A vulnerable version of cpio must be installed, which is the case on basically every system (see CVE-2015-1197)
  2. The pax utility must not be installed, as Amavis prefers pax and pax is not vulnerable
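The cpio traversal described above comes down to archive entries whose names point outside the extraction directory, or symlink entries that an extractor may later follow. As an added example (not code from Zimbra, Amavis or Rapid7), the following Python parses a newc-format cpio archive and flags such entries before anything is extracted; the sample archive is constructed inline, and which patterns a pre-extraction filter should reject is an assumption of this example.

```python
NEWC_MAGIC = b"070701"
S_IFMT, S_IFLNK = 0o170000, 0o120000   # POSIX file-type mask and symlink type bits

def _pad4(n):
    """Bytes needed to round n up to a 4-byte boundary (the newc alignment rule)."""
    return (4 - n % 4) % 4

def build_newc(entries):
    """Build a newc cpio archive from (name, mode, data) tuples; constructed test data only."""
    out = bytearray()
    for ino, (name, mode, data) in enumerate(entries + [("TRAILER!!!", 0, b"")], 1):
        fields = (ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name) + 1, 0)
        hdr = NEWC_MAGIC + "".join("%08x" % v for v in fields).encode()
        out += hdr + name.encode() + b"\0" + b"\0" * _pad4(len(hdr) + len(name) + 1)
        out += data + b"\0" * _pad4(len(data))
    return bytes(out)

def audit_cpio(blob):
    """Return [(name, reason), ...] for entries an extractor must not trust."""
    findings, symlinks, pos = [], [], 0
    while pos + 110 <= len(blob):
        hdr = blob[pos:pos + 110]
        if hdr[:6] != NEWC_MAGIC:
            raise ValueError("not a newc cpio header at offset %d" % pos)
        fields = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = fields[1], fields[6], fields[11]
        name = blob[pos + 110:pos + 110 + namesize - 1].decode("utf-8", "replace")
        pos += 110 + namesize + _pad4(110 + namesize)
        data = blob[pos:pos + filesize]            # for a symlink entry this is its target
        pos += filesize + _pad4(filesize)
        if name == "TRAILER!!!":
            break
        if name.startswith("/"):
            findings.append((name, "absolute path"))
        if ".." in name.split("/"):
            findings.append((name, "parent-directory traversal"))
        if (mode & S_IFMT) == S_IFLNK:
            findings.append((name, "symlink entry -> " + data.decode("utf-8", "replace")))
            symlinks.append(name)
        elif any(name.startswith(s + "/") for s in symlinks):
            findings.append((name, "path passes through an earlier symlink"))
    return findings

# Constructed sample: one harmless file, then the three patterns the audit flags.
SAMPLE = build_newc([
    ("docs/readme.txt", 0o100644, b"hello\n"),
    ("../escaped.txt", 0o100644, b"would land outside the extraction directory"),
    ("link", 0o120777, b"/tmp"),
    ("link/payload.txt", 0o100644, b"would land wherever the symlink points"),
])
```

Running `audit_cpio(SAMPLE)` returns the last three entries with their reasons, while a clean archive yields an empty list; a mail gateway could apply the same pre-check to .tar and .rpm payloads with the appropriate parser.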

Bowes said that CVE-2022-41352 is "effectively identical" to CVE-2022-30333, another Zimbra vulnerability that came under active exploit two months ago. Whereas CVE-2022-41352 exploits use files based on the cpio and tar archive formats, the older attacks leveraged tar files.

In last month's post, Zimbra's de Graaff said the company plans to make pax a requirement of Zimbra. That will remove the dependency on cpio. In the meantime, however, the only option to mitigate the vulnerability is to install pax and then restart Zimbra.

Even then, at least some risk, theoretical or otherwise, may remain, researchers from security firm Flashpoint warned.

"For Zimbra Collaboration instances, only servers where the 'pax' package was not installed were affected," company researchers warned. "But other applications may use cpio on Ubuntu as well. However, we are currently unaware of other attack vectors. Since the vendor has clearly marked CVE-2015-1197 in version 2.13 as fixed, Linux distributions should carefully handle those vulnerability patches—and not just revert them."

Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and Bluesky. Contact him on Signal at DanArs.82.