Table of Contents
July 1, 2022
|5m
How To Fix CVE-2022-30333- A Path Traversal Vulnerability In Unrar Let Attackers To Hack Zimbra Mail Servers
Researchers uncover a new vulnerability in RARlab’s Unrar utility. The vulnerability tracked with the CVE ID CVE-2022-30333 is a high severity vulnerability that has a CVSS score of 7.5 out of 10. Since the vulnerability allows a remote attacker to carry out an arbitrary code execution attack on a vulnerable Zimbra instance without requiring any prior authentication, it is important to fix the CVE-2022-30333 vulnerability at the earliest. We have created this post to let you know how to fix CVE-2022-30333, a path traversal vulnerability in Unrar utility.
About Zimbra:
Open Source Email and Collaboration.
Zimbra is an open-source server and client technology for next-generation enterprise messaging and collaboration. Available in both on-premises and cloud deployment models, Zimbra provides users with a modern, feature-rich email experience that includes calendaring, tasks, contacts, document collaboration, social networking features, and much more.
Zimbra is used by some of the largest organizations in the world, including Comcast, T-Mobile, IBM, Yahoo!, and many others.
Zimbra is developed by a team of passionate engineers located around the globe and is available in over 25 languages.
Zimbra offers two different editions: the Network Edition and the Open Source Edition. The Network Edition provides additional features and support options not available in the Open Source Edition.
The following table outlines the key differences between the two editions:
| Feature | Network Edition | Open Source Edition |
| Paid support | Yes | No |
| Premium email and collaboration features | Yes | No |
| Zimbra Connector for Outlook | Yes | No |
| Zimbra Mobile sync | Yes | No |
| Zimbra Desktop | Yes | No |
| Migration tools and services | Yes | No |
| 24×7 phone and email support | Yes | No |
Summary Of CVE-2022-30333:
This is a Path Traversal Vulnerability discovered in Unrar utility, a 3rd party tool used in Zimbra to extract archived attachments come in the email attachment, developed by RarLab, the same company that developed WinRAR. The flaw allows a remote attacker to carry out an arbitrary code execution attack on a vulnerable Zimbra instance without requiring any prior authentication. If you ignore fixing the flaw, the attackers may abuse the flaw to access every single email sent and received on a compromised email server. With this access, attackers can gain access to even more sensitive internal services of an organization.
SonarSource researcher Simon Scannell said in its report, “An attacker is able to create files outside of the target extraction directory when an application or victim user extracts an untrusted archive. If they can write to a known location, they are likely to be able to leverage it in a way leading to the execution of arbitrary commands on the system.”
| Associated CVE ID | CVE-2022-30333 |
| Description | A Path Traversal Vulnerability in Unrar Let Attackers to Hack Zimbra Mail Servers |
| Associated ZDI ID | – |
| CVSS Score | 7.5 High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| Impact Score | – |
| Exploitability Score | – |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privilege Required (PR) | None |
| User Interaction (UI) | None |
| Scope | Unchanged |
| Confidentiality (C) | None |
| Integrity (I) | High |
| availability (a) | None |
Technical Details:
As you know, Zimbra uses Unrar utility to extract archives received from incoming emails. Zimbra extracts archives to examine virus and spam detection. The issue lice in the detection of malicious archives created using symbolic links. Attackers abuse this vulnerability and extract a symbolic link that points outside of the extraction directory and then dereference it with a second file. Please read the report for more technical details. This symbolic link vulnerability will give way for path traversal vulnerability in Unrar.
The best mechanism to defeat this symbolic link bypass vulnerability is to check both the Absolute and Relative Symbolic Paths in the extract and neutralize them before forwarding them to the next process.
Zimbra Versions Affected By CVE-2022-30333, A Path Traversal Vulnerability In Unrar
This Path Traversal Vulnerability was not related to Zimbra as long as the deployment doesn’t include the Unrar package. The flaw affects if Unrar is installed on the Zimbra server. Since. Zimbra uses Unrar to extract the archives that come in as attachments in the emails. It is important to check the version of Unrar and upgrade it to the patched version.
Unrar Versions Vulnerable to CVE-2022-30333:
Source Code versions less than or equal to 6.1.6.
Binary package versions less than or equal to 6.11.
How To Fix CVE-2022-30333- A Path Traversal Vulnerability In Unrar Let Attackers To Hack Zimbra Mail Servers?
RarLab, the creator of Unrar utility, has patched this symbolic link bypass vulnerability in the source code version 6.1.7 and binary package version 6.12. We recommend upgrading the Unrar to a version greater than or equal to v6.1.7 or v6.12, depending on the operating system.
The report also says that Zimbra has addressed this issue by replacing Unrar with 7z to extract the archived attachments. So make sure that your Zimbra is using 7z instead of Unrar.
We hope this post would help you know how to fix CVE-2022-30333, a path traversal vulnerability in Unrar utility. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.
You may also like these articles:
Arun KL
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
