Zimbra Collaboration Suite Actively Exploited Via an Authentication Bypass Vulnerability CVE-2022-37042

RCE vulnerability in Zimbra Collaboration Suite (ZCS) being actively exploited in the wild.
Updated on April 19, 2023
Published on November 2, 2022
Category: Vulnerability Intelligence | Vulnerability Class: Remote Code Execution | CVE ID: CVE-2022-37042 | CVSS 3.0 Score: 9.8

Executive Summary

Threat:
  • RCE vulnerability in Zimbra Collaboration Suite (ZCS) being actively exploited in the wild.
  • The vulnerability is listed in CISA’s “Known Exploited Vulnerabilities Catalog”.
Impact:
  • The vulnerability can allow threat actors to gain initial access to an organization’s network and conduct further exploitation.
Mitigation:
  • Update ZCS to the following patches:
    • 9.0.0P26
    • 8.8.15P33

Analysis

  • On 10 May 2022, Zimbra disclosed CVE-2022-27925 as an authenticated directory traversal vulnerability.
  • This vulnerability affects the Zimbra Collaboration Suite (ZCS) releases 8.8.15 and 9.0, which use mboximport functionality to receive ZIP archives and extract files from them.
  • However, on 10 August 2022, Volexity, a cyber forensics and incident response firm, released a report stating that this vulnerability had been used to exploit the ZCS email servers of multiple organizations without authenticated access to the ZCS instances.
  • The authentication bypass, directory traversal and RCE vulnerability was assigned CVE-2022-37042 with a CVSS v3 score of 9.8.
  • CVE-2022-37042 exists because the patch for CVE-2022-27925 was incomplete.
  • Further investigation by Volexity verified that it was possible to bypass authentication when accessing the mboximport endpoint.
  • Based on internet-wide scans conducted by Volexity, more than 1,000 ZCS servers have been compromised and backdoored.

Technical Analysis

During Volexity's inspection of the source code of the MailboxImport servlet, it was revealed that:
  • The doPost function, which checks for user authentication when the URL is accessed, was flawed.
  • The flaw was a missing return statement after the authentication check: on failure, an error message was set, but execution did not stop.
  • As a result, the remaining code ran even when the user was not authenticated, allowing a malicious ZIP file to be uploaded to the server.
Figure: Flawed logic in the doPost function in MailboxImport (Source: Volexity)
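The following is an added Python model of the request flow described above; it is not Zimbra's code. It contrasts a handler that sets the error but keeps going (the missing-return flaw) with one that returns early and also refuses ZIP entries that escape the mailbox directory (the traversal side of CVE-2022-27925). The MAILBOX_DIR path and the sample ZIP are constructed for illustration, and paths are only computed, never written.

```python
import io
import posixpath
import zipfile

# Assumed destination directory for extracted mailbox data (illustrative only).
MAILBOX_DIR = "/opt/zimbra/store/mailbox"


def make_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {entry_name: content} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def resolve_entry(name: str, dest: str):
    """Absolute path an entry would land at, or None if it escapes dest via '..'."""
    target = posixpath.normpath(posixpath.join(dest, name))
    return target if target.startswith(dest + "/") else None


def do_post_vulnerable(authenticated: bool, zip_bytes: bytes) -> dict:
    """Mirrors the flaw Volexity described: the error is set, but no return follows."""
    resp = {"error": None, "written": []}
    if not authenticated:
        resp["error"] = "must be authenticated"
        # missing: return resp  -> extraction below still runs
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # entry names are trusted as-is, so '../' leaves the mailbox directory
            resp["written"].append(posixpath.normpath(posixpath.join(MAILBOX_DIR, name)))
    return resp


def do_post_fixed(authenticated: bool, zip_bytes: bytes) -> dict:
    """Early return on auth failure; traversal entries are rejected before use."""
    resp = {"error": None, "written": []}
    if not authenticated:
        resp["error"] = "must be authenticated"
        return resp
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            target = resolve_entry(name, MAILBOX_DIR)
            if target is None:
                resp["error"] = f"rejected traversal entry: {name}"
                return resp
            resp["written"].append(target)
    return resp
```

Running do_post_vulnerable(False, ...) on a ZIP containing an "../../escaped.txt" entry shows both defects at once: the error is recorded, yet a path outside MAILBOX_DIR is still produced.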

Information from OSINT

  • The Shodan query for ZCS instances shows a total of 72,404 active instances worldwide.
Figure: Shodan result for Zimbra instances

Impact & Mitigation

Impact:
  • A successful exploit gives an attacker access to every email sent and received on a compromised email server.
  • The initial access can be used for:
    • Stealing user credentials
    • Privilege escalation
    • Installing backdoors
    • Deploying ransomware
    • Uploading malicious files
Mitigation:
  • Update ZCS to the following patched versions:
    • 9.0.0P26
    • 8.8.15P33

Appendix

Figure: Geographic distribution of compromised Zimbra servers (Source: Volexity)