CVE-2022-41352 is an unpatched remote code execution vulnerability in Zimbra Collaboration Suite discovered in the wild due to active exploitation. The vulnerability is due to the method (cpio) in which Zimbra’s antivirus engine (Amavis) scans inbound emails. Zimbra has provided a workaround, which is to install the pax utility and restart the Zimbra services. Note that pax is installed by default on Ubuntu, so Ubuntu-based Zimbra installations are not vulnerable by default.
Note: This vulnerability, CVE-2022-41352 is effectively identical to CVE-2022-30333 but leverages a different file format (.cpio and .tar as opposed to .rar). It is also a byproduct of a much older (unfixed) vulnerability, CVE-2015-1197. While the original CVE-2015-1197 affects most major Linux distros, our research team found that it is not exploitable unless a secondary application – such as Zimbra, in this case – uses cpio to extract untrusted archives; therefore, this blog is only focusing on Zimbra CVE-2022-41352.
Rapid7 has published technical documentation, including proof-of-concept (PoC) and indicator-of-compromise (IoC) information, regarding CVE-2022-41352 on AttackerKB.
Background
To exploit this vulnerability, an attacker would email a .cpio, .tar, or .rpm to an affected server. When Amavis inspects it for malware, it uses cpio to extract the file. Since cpio has no mode where it can be securely used o ..
Support the originator by clicking the read the rest link below.
){kind=link}