Multiple APTs Exploiting Zimbra Vulnerability CVE-2022-41352

Patch or mitigate now [300 words]

What: Organizations using Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 should immediately update to Zimbra 9.0.0 P27, released on October 10. Those that cannot should implement Zimbra’s recommended workaround, which is to install the pax utility and restart Zimbra services. Ubuntu-based Zimbra installations are not impacted because pax is installed by default on Ubuntu.

Note: Zimbra has changed its upgrade process for 9.0.0 P27. Additional steps have been added to the installation process. See here.

Why: Multiple advanced persistent threat groups are actively exploiting a flaw in Zimbra (CVE-2022-41352) that gives unauthenticated persons a way to gain remote code execution on vulnerable servers. The activity is being fueled by a proof-of-concept for the vulnerability, which was added to the Metasploit framework on October 7, 2022. The flaw was a zero-day vulnerability when Zimbra first disclosed it in September.

How: The vulnerability exists in the method that Zimbra’s virus scanning engine, Amavis, uses when scanning incoming emails for malware and spam. To exploit the vulnerability, an attacker would send an email with a malicious tar archive file attachment. Amavis scans the file using cpio, triggering an older, unpatched vulnerability (CVE-2015-1197) in the utility in the process. “When Amavis inspects it for malware, it uses cpio to extract the file. Since cpio has no mode where it can be securely used on untrusted files, the attacker can write to any path on the filesystem that the Zimbra user can access,” according to Rapid7.

Patch/remediation details:

Zimbra Collaboration Kepler 9.0.0 Patch 27 GA Release

Zimbra Collaboration Kepler 9.0.0 Patch Installation details

Zimbra blog on installing pax/spax
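
A host check for the patch-or-workaround guidance above, as an added example that is not from Zimbra or the original advisory. It assumes it is run as the zimbra user, that `zmcontrol -v` prints a line in the format shown in the comment, and it judges 8.8.15 hosts on pax alone because no fixed 8.8.15 patch level is named here.

```shell
#!/bin/sh
# Added example (not Zimbra's tooling): triage one host for CVE-2022-41352.
# Assumption: `zmcontrol -v` prints a line shaped like
#   Release 9.0.0_GA_4178.RHEL8_64_20211112 RHEL8_64 FOSS edition, Patch 9.0.0_P27.

# classify VERSION_LINE PAX(yes|no): prints patched|mitigated|exposed|unknown
classify() (
    line=$1; pax=$2
    release=$(printf '%s\n' "$line" |
        sed -n 's/^Release \([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p')
    patch=$(printf '%s\n' "$line" |
        sed -n 's/.*Patch [0-9.]*_P\([0-9][0-9]*\).*/\1/p')
    case $release in
        9.0.0)
            # 9.0.0 P27 is the fixed release named in the advisory.
            if [ "${patch:-0}" -ge 27 ]; then echo patched; exit 0; fi ;;
        8.8.15)
            # No fixed 8.8.15 patch level is given above; judge on pax alone.
            ;;
        *)  echo unknown; exit 0 ;;
    esac
    # Unpatched: the workaround applies only if pax is installed.
    if [ "$pax" = yes ]; then echo mitigated; else echo exposed; fi
)

triage_host() {
    if command -v pax >/dev/null 2>&1; then pax=yes; else pax=no; fi
    status=$(classify "$(zmcontrol -v 2>/dev/null)" "$pax")
    echo "CVE-2022-41352 status: $status (pax installed: $pax)"
    case $status in
        mitigated) echo "Restart Zimbra services if pax was installed after they started." ;;
        exposed)   echo "Update to 9.0.0 P27, or install pax and restart Zimbra services." ;;
    esac
}

# Run only where Zimbra's CLI is on PATH (i.e. as the zimbra user).
if command -v zmcontrol >/dev/null 2>&1; then triage_host; fi
```

A result of `mitigated` only confirms that pax is present; the workaround also requires that Zimbra services were restarted after pax was installed.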

Further reading:

Ongoing exploitation of CVE-2022-41352 (Zimbra 0-day) (Kaspersky)

Exploitation of Unpatched Zero-Day Remote Code Execution Vulnerability in Zimbra Collaboration Suite (CVE-2022-41352) (Rapid7)