{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-069.pdf"
    },
    "title": "UPDATE: Remote Code Execution in Zimbra Collaboration Suite",
    "serial_number": "2022-069",
    "publish_date": "14-10-2022 08:30:00",
    "description": "In September 2022, a remote code execution vulnerability similar to CVE-2022-30333 (SA2022-063) was reported for Zimbra Collaboration Suite. Tracked as CVE-2022-41352 since September 25, 2022, this yet-unpatched flaw is due to an unsafe use of a vulnerable \"cpio\" utility by Zimbra's antivirus engine, Amavis. The exploitation of this vulnerability allows a remote unauthenticated attacker to execute arbitrary code on a vulnerable Zimbra instance.<br>Proofs of concept (PoC) are publicly available for this vulnerability, which is reported as actively exploited.",
    "url_title": "2022-069",
    "content_markdown": "---\ntitle: 'Remote Code Execution in\u00a0Zimbra\u00a0Collaboration Suite'\nversion: '1.1'\nnumber: '2022-069'\noriginal_date: 'September 25, 2022'\ndate: 'October 7, 2022'\n---\n\n_History:_\n\n* _07/10/2022 --- v1.0 -- Initial publication_\n* _14/10/2022 --- v1.1 -- Updated with patch_\n\n# Summary\n\nIn September 2022, a remote code execution vulnerability similar to CVE-2022-30333 (SA2022-063) was reported for Zimbra Collaboration Suite. Tracked as CVE-2022-41352 since September 25, 2022, this yet-unpatched flaw is due to an unsafe use of a vulnerable `cpio` utility by Zimbra's antivirus engine, Amavis. The exploitation of this vulnerability allows a remote unauthenticated attacker to execute arbitrary code on a vulnerable Zimbra instance.\n\n**Proofs of concept (PoC) are publicly available for this vulnerability, which is reported as actively exploited** [1].\n\n# Technical Details\n\nThis vulnerability, scored 9.8 out of 10, allows an unauthenticated attacker to upload arbitrary files by emailing a `.cpio`, `.tar` or `.rpm` archive to an affected server [2].\n\nUpon reception, the Amavis antivirus engine uses the `cpio` utility to extract the untrusted received file. Due to the use of a vulnerable version of `cpio` (CVE-2015-1197) on affected systems [3], the attacker can leverage this extraction step to write to virtually any path on the system where the `zimbra` user has write access. This allows the attacker to create and overwrite files on the Zimbra server, including the webroot, which can effectively give them remote code execution [4].\n\nThis exploit can be chained with another existing vulnerability (CVE-2022-37393) to escalate to root privileges and achieve a complete remote takeover of a Zimbra server [5].\n\n# Affected Products\n\nBy default the Amavis engine uses the `pax` utility and only calls `cpio` as a fallback if `pax` does not exist. Systems where `pax` is installed are thus not affected. The presence of a vulnerable version of `cpio` is also needed for exploitation, which might be the case on most systems [6].\n\nOn Ubuntu systems, `pax` should already be installed as a dependency of Zimbra. Red Hat-based deployments are likely to be vulnerable since the utility is not installed by default.\n\nThe following Linux distributions were tested by Rapid7 [6]:\n\n- Oracle Linux 8 \u2013 **vulnerable**\n- Red Hat Enterprise Linux 8 \u2013 **vulnerable**\n- Rocky Linux 8 \u2013 **vulnerable**\n- CentOS 8 \u2013 **vulnerable**\n- Ubuntu 20.04 \u2013 not vulnerable\n- Ubuntu 18.04 \u2013 not vulnerable\n\n# Recommendations\n\n**_Updates of 14/10/2022_**\n\nA patch to fix this vulnerability as well as `CVE-2022-37393` and `CVE-2022-41348` is now available [7]. CERT-EU strongly recommends applying it.\n\n# References\n\n[1] <https://forums.zimbra.org/viewtopic.php?t=71153&p=306532>\n\n[2] <https://nvd.nist.gov/vuln/detail/CVE-2022-41352>\n\n[3] <https://nvd.nist.gov/vuln/detail/CVE-2015-1197>\n\n[4] <https://blog.zimbra.com/2022/09/security-update-make-sure-to-install-pax-spax>\n\n[5] <https://attackerkb.com/topics/92AeLOE1M1/cve-2022-37393/rapid7-analysis>\n\n[6] <https://attackerkb.com/topics/1DDTvUNFzH/cve-2022-41352/rapid7-analysis>\n\n[7] <https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P27#Security_Fixes>",
    "content_html": "<p><em>History:</em></p><ul><li><em>07/10/2022 --- v1.0 -- Initial publication</em></li><li><em>14/10/2022 --- v1.1 -- Updated with patch</em></li></ul><h2 id=\"summary\">Summary</h2><p>In September 2022, a remote code execution vulnerability similar to CVE-2022-30333 (SA2022-063) was reported for Zimbra Collaboration Suite. Tracked as CVE-2022-41352 since September 25, 2022, this yet-unpatched flaw is due to an unsafe use of a vulnerable <code>cpio</code> utility by Zimbra's antivirus engine, Amavis. The exploitation of this vulnerability allows a remote unauthenticated attacker to execute arbitrary code on a vulnerable Zimbra instance.</p><p><strong>Proofs of concept (PoC) are publicly available for this vulnerability, which is reported as actively exploited</strong> [1].</p><h2 id=\"technical-details\">Technical Details</h2><p>This vulnerability, scored 9.8 out of 10, allows an unauthenticated attacker to upload arbitrary files by emailing a <code>.cpio</code>, <code>.tar</code> or <code>.rpm</code> archive to an affected server [2].</p><p>Upon reception, the Amavis antivirus engine uses the <code>cpio</code> utility to extract the untrusted received file. Due to the use of a vulnerable version of <code>cpio</code> (CVE-2015-1197) on affected systems [3], the attacker can leverage this extraction step to write to virtually any path on the system where the <code>zimbra</code> user has write access. This allows the attacker to create and overwrite files on the Zimbra server, including the webroot, which can effectively give them remote code execution [4].</p><p>This exploit can be chained with another existing vulnerability (CVE-2022-37393) to escalate to root privileges and achieve a complete remote takeover of a Zimbra server [5].</p><h2 id=\"affected-products\">Affected Products</h2><p>By default the Amavis engine uses the <code>pax</code> utility and only calls <code>cpio</code> as a fallback if <code>pax</code> does not exist. Systems where <code>pax</code> is installed are thus not affected. The presence of a vulnerable version of <code>cpio</code> is also needed for exploitation, which might be the case on most systems [6].</p><p>On Ubuntu systems, <code>pax</code> should already be installed as a dependency of Zimbra. Red Hat-based deployments are likely to be vulnerable since the utility is not installed by default.</p><p>The following Linux distributions were tested by Rapid7 [6]:</p><ul><li>Oracle Linux 8 \u2013 <strong>vulnerable</strong></li><li>Red Hat Enterprise Linux 8 \u2013 <strong>vulnerable</strong></li><li>Rocky Linux 8 \u2013 <strong>vulnerable</strong></li><li>CentOS 8 \u2013 <strong>vulnerable</strong></li><li>Ubuntu 20.04 \u2013 not vulnerable</li><li>Ubuntu 18.04 \u2013 not vulnerable</li></ul><h2 id=\"recommendations\">Recommendations</h2><p><strong><em>Updates of 14/10/2022</em></strong></p><p>A patch to fix this vulnerability as well as <code>CVE-2022-37393</code> and <code>CVE-2022-41348</code> is now available [7]. CERT-EU strongly recommends applying it.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://forums.zimbra.org/viewtopic.php?t=71153&p=306532\">https://forums.zimbra.org/viewtopic.php?t=71153&amp;p=306532</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://nvd.nist.gov/vuln/detail/CVE-2022-41352\">https://nvd.nist.gov/vuln/detail/CVE-2022-41352</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://nvd.nist.gov/vuln/detail/CVE-2015-1197\">https://nvd.nist.gov/vuln/detail/CVE-2015-1197</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://blog.zimbra.com/2022/09/security-update-make-sure-to-install-pax-spax\">https://blog.zimbra.com/2022/09/security-update-make-sure-to-install-pax-spax</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://attackerkb.com/topics/92AeLOE1M1/cve-2022-37393/rapid7-analysis\">https://attackerkb.com/topics/92AeLOE1M1/cve-2022-37393/rapid7-analysis</a></p><p>[6] <a rel=\"noopener\" target=\"_blank\" href=\"https://attackerkb.com/topics/1DDTvUNFzH/cve-2022-41352/rapid7-analysis\">https://attackerkb.com/topics/1DDTvUNFzH/cve-2022-41352/rapid7-analysis</a></p><p>[7] <a rel=\"noopener\" target=\"_blank\" href=\"https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P27#Security_Fixes\">https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P27#Security_Fixes</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}