Zimbra has released patches to contain an actively exploited security flaw in its enterprise collaboration suite that could be leveraged to upload arbitrary files to vulnerable instances.
Tracked as CVE-2022-41352 (CVSS score: 9.8), the issue affects a component of the Zimbra suite called Amavis, an open source content filter, and more specifically, the cpio utility it uses to scan and extract archives.
The flaw, in turn, is said to be rooted in another underlying vulnerability (CVE-2015-1197) that was first disclosed in early 2015, which according to Flashpoint was rectified, only to be subsequently reverted in later Linux distributions.
“An attacker can use cpio package to gain incorrect access to any other user accounts,” Zimbra said in an advisory published last week, adding it “recommends pax over cpio.”
Fixes are available in the following versions –
All an adversary seeking needs to do to weaponize the shortcoming is to send an email with a specially crafted TAR archive attachment that, upon being received, gets submitted to Amavis, which uses the cpio module to trigger the exploit.
Cybersecurity company Kaspersky has disclosed that unknown APT groups have actively been taking advantage of the flaw in the wild, with one of the actors “systematically infecting all vulnerable servers in Central Asia.”
The attacks, which unfolded over two attack waves in early and late September, primarily targeted government entities in the region, abusing the initial foothold to drop web shells on the compromised servers for follow-on activities.
Based on information shared by incident response firm Volexity, roughly 1,600 Zimbra servers are estimated to have been infected in what it calls a “mix of targeted and opportunistic attacks.”
“Some web shell paths […] were used in targeted (likely APT) exploitation of key organizations in government, telecommunications, and IT, predominantly in Asia; others were used in massive worldwide exploitation,” the company said in a series of tweets.