CVE-2022-41352
published 2022-09-26


Priority: P1 (100, critical)
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, Exploit, Ransomware, Initial access
CISA Known Exploited Vulnerability, due 2022-11-10
Exploited in the wild
EPSS: 95.48% (99.9th percentile)
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavis via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavis automatically prefers it over cpio.

Affected

2 ranges
Vendor  | Product                    | Version range | Fixed in
synacor | zimbra_collaboration_suite |               |
synacor | zimbra_collaboration_suite |               |

Detection & IOCs (extracted from sources)

path: /opt/zimbra/jetty/webapps/zimbra/public/.error.jsp
path: /opt/zimbra/jetty/webapps/zimbra/public/ResourcesVerificaton.jsp
path: /opt/zimbra/jetty/webapps/zimbra/public/ResourceVerificaton.jsp
path: /opt/zimbra/jetty/webapps/zimbra/public/ZimletCore.jsp
path: /opt/zimbra/jetty/webapps/zimbra/public/searchx.jsp
path: /opt/zimbra/jetty/webapps/zimbra/public/seachx.jsp
path: /opt/zimbra/jetty_base/webapps/zimbra/[4-10 random characters].jsp
path: /opt/zimbra/jetty/webapps/zimbra/public
yara: HEUR:Exploit.Multi.CVE-2022-41352.gen
  • Check for JSP webshells dropped in the Zimbra public web directory at the known attacker-used paths listed above, including typo-squatted filenames such as 'ResourcesVerificaton.jsp' (missing 'i') and 'seachx.jsp' (missing 'r').
  • Exploitation is delivered via a malicious tar archive attached to an inbound e-mail; monitor Amavis/cpio activity for path-traversal writes outside the expected temporary directories.
  • The Metasploit module creates a .tar file that is e-mailed to the Zimbra server; alert on inbound e-mails with .tar attachments that are followed by new file creation under the Zimbra webroot.
  • Red Hat-based and CentOS systems without pax installed are vulnerable; Ubuntu systems are not affected because pax is installed by default. Prioritize detection on RHEL/CentOS/Oracle/Rocky Linux Zimbra deployments.
  • A proof of concept was added to Metasploit on October 7, 2022; expect broad opportunistic exploitation from that date onward and correlate Zimbra server compromise events against this timeline.
  • pax is a prerequisite on Ubuntu Zimbra installations (not vulnerable) but is absent from default RHEL/CentOS installations after version 6, making those systems vulnerable by default.
  • Removing a discovered webshell is insufficient for remediation; the attacker will have had access to the Zimbra service-account credentials stored in configuration files, which can be used to regain access. Rotate those credentials as part of recovery.
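As an added example (not from this page, and not Zimbra's own tooling): a Python check that walks a Zimbra webroot and flags JSP files whose names match the IOC list above or the "[4-10 random characters].jsp" pattern. The sample directory tree, the benign filename and the allowlist entry are constructed for the demonstration.

```python
"""Flag JSP files matching the CVE-2022-41352 IOC names or the short-random-name
pattern. The webroot walked here is a constructed temp tree, not a live host."""
import os
import re
import tempfile

# Filenames taken from the IOC list above.
KNOWN_WEBSHELL_NAMES = {
    ".error.jsp", "ResourcesVerificaton.jsp", "ResourceVerificaton.jsp",
    "ZimletCore.jsp", "searchx.jsp", "seachx.jsp",
}
# "[4-10 random characters].jsp" as listed on the page.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{4,10}\.jsp$")

def classify_jsp(name):
    """Return a reason string if the filename looks suspicious, else None."""
    if name in KNOWN_WEBSHELL_NAMES:
        return "known IOC filename"
    if RANDOM_NAME.match(name):
        return "short random-looking name"
    return None

def scan_webroot(root, allowlist=()):
    """Walk root and return sorted (relative path, reason) pairs for .jsp files.
    allowlist holds relative paths of legitimate JSPs on this deployment
    (assumed to come from a known-good baseline; short legit names would
    otherwise trip the random-name pattern)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(".jsp"):
                continue
            rel = os.path.relpath(os.path.join(dirpath, fname), root)
            if rel in allowlist:
                continue
            reason = classify_jsp(fname)
            if reason:
                findings.append((rel, reason))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample webroot: one benign short name, one long benign
    name, a non-JSP file, two IOC names and one random-looking name."""
    root = tempfile.mkdtemp()
    layout = ["public/appload.jsp", "public/veryLongLegitName.jsp", "public/notes.txt",
              "public/seachx.jsp", "public/.error.jsp", "ab3xQ.jsp"]
    for rel in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<%-- constructed sample --%>\n")
    return root
```

Every hit should be triaged against a package manifest or a known-good baseline, since the random-name rule alone will flag legitimate short JSP names.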

CVSS provenance

nvd        v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck        9.8  CRITICAL
cisa             9.8  CRITICAL