"Unpatched Remote Code Execution Flaw in Zimbra Collaboration Suite Actively Exploited"

Threat actors are exploiting a severe Remote Code Execution (RCE) vulnerability in the Zimbra collaboration platform that has yet to be patched. Rapid7 researchers are warning that the unpatched zero-day RCE vulnerability in the Zimbra Collaboration Suite, tracked as CVE-2022-41352, is being exploited in the wild. Rapid7 has published technical details about the flaw on AttackerKB, including proof-of-concept (PoC) code and indicators of compromise (IoCs).

According to the researchers, the vulnerability stems from the cpio utility that Zimbra's antivirus engine, Amavis, uses to unpack inbound email attachments for scanning. Zimbra users report that the vulnerability has been actively exploited since early September 2020. Attackers use it to upload JSP files into the Web Client/public directory simply by sending an email with a malicious attachment.

To prevent the Amavis component from falling back to cpio, Zimbra recommends that users install the "pax" utility and restart the Zimbra services. All Zimbra administrators must ensure that the pax package is installed on their server, since Amavis requires pax in order to extract the contents of compressed attachments for virus scanning. Because there is no secure mode for using cpio on untrusted files, the attacker can write to any path on the filesystem that the Zimbra user can access. The attacker is most likely to plant a shell in the web root to gain RCE, but other options are possible, Rapid7 concludes.

This article continues to discuss the RCE flaw found in the Zimbra Collaboration Suite.
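Since cpio itself has no safe mode for untrusted archives, the missing check can be put in front of it. The following is an added example (not Rapid7's or Zimbra's code): it walks the headers of a cpio "newc" archive without extracting anything and reports member names that would land outside the extraction directory, using a constructed archive as input.

```python
# Added example (not from Rapid7 or Zimbra): a pre-extraction check that
# refuses the member names cpio happily writes, i.e. absolute paths and
# '..' components. Only the newc ("070701") header layout is handled.
NEWC_MAGIC = b"070701"
HDR_LEN = 110          # 6-byte magic + 13 fields of 8 hex chars


def _field(hdr, idx):
    off = 6 + 8 * idx                  # field 6 = filesize, field 11 = namesize
    return int(hdr[off:off + 8], 16)


def _pad4(n):
    return (4 - n % 4) % 4             # newc aligns name and data to 4 bytes


def iter_members(data):
    """Yield (name, size) for each member up to the TRAILER!!! entry."""
    pos = 0
    while pos + HDR_LEN <= len(data):
        hdr = data[pos:pos + HDR_LEN]
        if hdr[:6] != NEWC_MAGIC:
            raise ValueError("bad newc header at offset %d" % pos)
        size, namesize = _field(hdr, 6), _field(hdr, 11)
        name = data[pos + HDR_LEN:pos + HDR_LEN + namesize - 1].decode("utf-8", "replace")
        if name == "TRAILER!!!":
            return
        yield name, size
        start = pos + HDR_LEN + namesize + _pad4(HDR_LEN + namesize)
        pos = start + size + _pad4(size)


def unsafe_name(name):
    """True if extracting `name` could land outside the target directory."""
    return name.startswith("/") or ".." in name.split("/")


def find_unsafe(data):
    """Member names an extractor should refuse before writing anything."""
    return [n for n, _ in iter_members(data) if unsafe_name(n)]


def build_newc(members):
    """Constructed test fixture: a minimal newc archive from {name: bytes}."""
    out = bytearray()
    for name, body in list(members.items()) + [("TRAILER!!!", b"")]:
        nm = name.encode() + b"\0"
        fields = [0, 0o100644, 0, 0, 1, 0, len(body), 0, 0, 0, 0, len(nm), 0]
        out += NEWC_MAGIC + b"".join(b"%08x" % f for f in fields)
        out += nm + b"\0" * _pad4(HDR_LEN + len(nm)) + body + b"\0" * _pad4(len(body))
    return bytes(out)

# Constructed sample: one benign member and two that cpio would write outside cwd.
SAMPLE = build_newc({"notes/readme.txt": b"hello", "../escape.txt": b"x", "/abs/path": b"y"})
if __name__ == "__main__":
    print("refuse:", find_unsafe(SAMPLE))   # prints ['../escape.txt', '/abs/path']
```

Running the same check over each attachment before handing it to cpio turns the "write anywhere the Zimbra user can" behaviour into a rejected message.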

Security Affairs reports "Unpatched Remote Code Execution Flaw in Zimbra Collaboration Suite Actively Exploited"