Zimbra Releases Fixes for Actively Exploited Flaw

Updated on 2022-10-18: APTs went after Zimbra

Kaspersky researchers said in a blog post last week that they’ve seen multiple APT groups exploiting a recently disclosed Zimbra zero-day (CVE-2022-41352), and that one of these groups has been “systematically infecting all vulnerable servers in Central Asia.” In the meantime, after leaving the vulnerability unpatched for almost a month, Zimbra has finally delivered a patch. Read more:

• Ongoing exploitation of CVE-2022-41352 (Zimbra 0-day)
• CVE-2022-41352 Detail
• Zimbra Collaboration Kepler 9.0.0 Patch 27 GA Release

Zimbra zero-day

As mentioned in a section above, Zimbra has finally released a patch for a zero-day (CVE-2022-41352) that has been under active exploitation for more than a month.

Updated on 2022-10-17

Zimbra has released updates to address a critical code execution vulnerability that is being actively exploited. The vulnerability, CVE-2022-41352, affects the Amavis open source content filter component of Zimbra Collaboration Suite versions 8.8.15 and 9.0. Users are urged to update to Zimbra 9.0.0 Patch 27 and Zimbra 8.8.15 Patch 34. The flaw has a CVSS score of 9.8.

Note

• Note that strictly speaking, this isn’t a Zimbra flaw, but a cpio flaw. Some Linux distributions include a version of cpio that does not include an older security fix as it may interfere with other usage cases for cpio. The Zimbra patch makes sure that the alternative “pax” utility is installed, which isn’t installed by default in some Linux distributions. In addition, the update fixes a few more security vulnerabilities.
• This vulnerability is being actively exploited and builds upon a 2015 weakness (CVE-2015-1197.) After you apply the patch, go to the Zimbra support portal and review the additional hardening guidance there to ensure you have a complete fix to the vulnerability.

Read more in

• NEW! Zimbra Patches: 9.0.0 Patch 27 + 8.8.15 Patch 34
• CVE-2022-41352 Detail
• Zimbra Patches Under-Attack Code Execution Bug
• Zimbra Releases Patch for Actively Exploited Vulnerability in its Collaboration Suite

Updated on 2022-10-16

Almost 900 servers have been targeted using a critical Zimbra Collaboration Suite (ZCS) vulnerability, CVE-2022-41352. According to Kaspersky, various APT groups actively exploited the flaw soon after it was reported on the Zimbra forums. Read more: Ongoing exploitation of CVE-2022-41352 (Zimbra 0-day)

Updated on 2022-10-10: Zimbra Vulnerability Remains Unpatched

A zero-day flaw in Zimbra email servers is being actively exploited to backdoor vulnerable servers. A Zimbra customer reported the attacks in early September. Zimbra has not yet released a fix for the vulnerability and has instead urged customers to make sure that the pax file archiver is installed on their systems.

Note

• Note that this isn’t so much a Zimbra vulnerability but a vulnerability in the cpio utility included in some Linux distributions. Using the alternative (and preferred) “pax” utility will prevent exposing cpio via Zimbra.
• The exploit requires two conditions to be met. First, a vulnerable version of cpio must be present/pre-installed, second, the pax utility must not be installed. The flaw leverages behavior in the Zimbra AV engine which uses cpio to extract the files it’s scanning. Zimbra is moving to pax from cpio and will use pax if installed. Note the easiest fix it is to add pax to your Linux distribution and restart the Zimbra services.

Read more in

• Exploitation of Unpatched Zero-Day Remote Code Execution Vulnerability in Zimbra Collaboration Suite (CVE-2022-41352)
• Zimbra RCE Bug Under Active Attack
• Unpatched Zimbra flaw under attack is letting hackers backdoor servers
• Researchers say it’s ‘likely’ hackers will continue to exploit critical zero-day in Zimbra Collaboration Suite
• Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite

Updated on September 2022: Zimbra web shells

CISA published on Tuesday three malware reports on three JSP web shells found deployed on Zimbra servers.

Read more in

• Malware Analysis Report (AR22-270A) MAR-10400779-1.v1 – Zimbra 1
• Malware Analysis Report (AR22-270B) MAR-10400779-2.v1 – Zimbra 2
• Malware Analysis Report (AR22-270C) MAR-10401765-1.v1 – Zimbra 3

Updated on August 2022: Thousands of Zimbra platforms actively targeted with critical vulnerabilities

Security experts are warning that attackers are actively exploiting a vulnerability in the Zimbra digital collaboration platform, and the exploit is circulating in the wild. A range of reports indicate threat actors are using the vulnerabilities, which can provide adversaries with full remote code execution with no authentication needed. Microsoft stated that more than 30,000 instances are believed to be publicly exposed, and the U.S. Cybersecurity and Infrastructure Security Agency added CVE-2022-37042 and CVE-2022-27925 to its list of known exploited vulnerabilities. The vulnerabilities specifically affect Zimbra Collaboration Suite (ZCS) email servers and are similar to other vulnerabilities discovered in 2021 affecting Microsoft Exchange Server. CISA also warned users of another ZCS vulnerability on Aug. 4 — CVE-2022-27924, which was also being exploited in the wild. Federal agencies must patch for CVE-2022-27924 by Aug. 24.

Read more in

• CISA orders civilian agencies to patch Zimbra bug after mass exploitation
• Microsoft Exchange alternative Zimbra is getting widely exploited, 1000s hit

Updated on August 2022: Zimbra Vulnerability is Being Actively Exploited

A command injection vulnerability in Zimbra Collaboration is being actively exploited to steal email account credentials with no user interaction. Researchers from SonarSource discovered the vulnerability on March 11, 2022; Zimbra released a fix on May 10. The US Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities Catalog with a mitigation due date of August 25, 2022.

Note

• The patch for Zimbra was released May 10, 2022, with versions ZCS 9.0.0 Patch 24.1 and ZCS 8.8.15 Patch 31.1. The report from SonarSource, released a month after the patches were released, has details and pointers for attackers to successfully exploit the flaws. Yup, time to patch.

Read more in

• Hackers are actively exploiting password-stealing flaw in Zimbra
• CISA Adds Zimbra Email Vulnerability to its Exploited Vulnerabilities Catalog
• Zimbra Email – Stealing Clear-Text Credentials via Memcache injection (June 14, 2022)
• CVE-2022-27924 Detail
• CISA Adds One Known Exploited Vulnerability to Catalog

Updated on July 2022: Unrar vulnerability in Zimbra:

SonarSource researchers have discovered a vulnerability in the Unrar tool, part of the Zimbra CMS, which could be exploited to take over Zimbra instances.

Updated on June 2022: Zimbra attack

SonarSource researchers have published a report on a new vulnerability in Zimbra email systems where an unauthenticated attacker can steal cleartext credentials from Zimbra servers without any user interaction. The vulnerability (CVE-2022-27924) resides in the local Zimbra Memcache instance included in the Zimbra server’s reverse proxy component and impacts the 8.8.x and 9.x versions, both of which received patches.

Updated on April 2022: IcedID Malware and Zimbra Exploits are Being Used Against Ukrainian Government Systems

Ukraine’s Computer Emergency Response Team (CERT-UA) is warning of social engineering campaigns that aim to spread IcedID malware and use Zimbra exploits to steal data. The attacks are targeting Ukrainian government agency networks.

Note

• This attack relies on an infected MS Excel document which requests you to enable macros and then leads to the deployment of IcedID, aka BokBot. Being mindful of macros, particularly from external or unknown senders remains prudent. Disable macros unless you absolutely know that the document is not only legitimate, but also they are needed. Question macros that are there “because we always did it that way” or don’t make sense, even from trusted sources.

Read more in

• New Hacking Campaign Targeting Ukrainian Government with IcedID Malware
• Hackers target Ukrainian govt with IcedID malware, Zimbra exploits

Overview: Webmail of the Damned

European governments and media organisations have been targeted by (probably) a Chinese APT group using a 0day for the Zimbra open source email platform. The group first ran a reconnaissance phase using innocuous and relatively generic emails to test whether accounts existed and would open phishing emails. A second phase on promising target accounts involved a malicious email that would launch a cross-site scripting attack to steal the account’s email.

Volexity, the company that discovered the campaign, believes it is Chinese because of the organisations and individuals targeted and the lack of any apparent financial motivation combined with indications that the attackers worked in China’s time zone.