Remote Code Execution
- RCE vulnerability in Zimbra Collaboration Suite (ZCS) being actively exploited in the wild.
- The vulnerability is listed in CISA’s Known Exploited Vulnerabilities Catalog.
- The vulnerability can allow threat actors to gain initial access to an organization’s network and conduct further exploitation.
- Update ZCS to the following patches:
- On 10 May 2022, Zimbra disclosed CVE-2022-27925 as an authenticated directory traversal vulnerability.
- This vulnerability affects Zimbra Collaboration Suite (ZCS) releases 8.8.15 and 9.0, whose mboximport functionality receives ZIP archives and extracts files from them.
- However, on 10 August 2022, Volexity, a cyber forensics and incident response firm, released a report stating that this vulnerability was used to exploit ZCS email servers of multiple organizations without having authenticated access to the ZCS instances.
- The authentication bypass, directory traversal and RCE vulnerability was assigned CVE-2022-37042, with a CVSS v3 score of 9.8.
- CVE-2022-37042 exists because the patch for CVE-2022-27925 was incomplete.
- Further investigation by Volexity verified that it was possible to bypass authentication when accessing the mboximport endpoint.
- Based on internet-wide scans conducted by Volexity, more than 1,000 ZCS servers have been compromised and backdoored.
Volexity's inspection of the MailboxImport servlet source code revealed that:
- The doPost function, which performs the user authentication check when the URL is accessed, was flawed.
- The flaw was the absence of a return statement after the authentication check: on failure, an error message was set, but execution did not stop.
- As a result, the remaining code ran even when the user was not authenticated, allowing a malicious zip file to be uploaded to the server.
Flawed logic in the doPost function in MailboxImport (Source: Volexity)
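As an added illustration (not Zimbra's code or Volexity's), the following constructed Python model shows the fall-through described above: a handler that sets an error on authentication failure but does not return, next to a hardened version that fails closed and also rejects traversal entry names. Request, Response and the handle_import_* names are hypothetical.

```python
import posixpath
from dataclasses import dataclass, field

# Constructed, simplified model of the servlet flow Volexity described.
# Not Zimbra's code: Request, Response and the handle_* names are hypothetical.

@dataclass
class Request:
    authenticated: bool
    zip_entries: list   # entry names found in the uploaded ZIP

@dataclass
class Response:
    status: int = 200
    error: str = ""
    extracted: list = field(default_factory=list)

def is_safe_entry(name):
    """Reject absolute paths, backslashes and any '..' left after normalisation."""
    if name.startswith("/") or "\\" in name:
        return False
    norm = posixpath.normpath(name)
    return norm != ".." and not norm.startswith("../")

def extract(req, resp):
    """Stand-in for the mboximport extraction step."""
    resp.extracted.extend(req.zip_entries)

def handle_import_flawed(req):
    """Flawed doPost shape: the error is set on auth failure, but with no
    return the extraction below still runs for an unauthenticated caller."""
    resp = Response()
    if not req.authenticated:
        resp.status = 401
        resp.error = "must authenticate"
        # missing: return resp
    extract(req, resp)
    return resp

def handle_import_fixed(req):
    """Hardened handler: fail closed on auth, then reject traversal entry names."""
    resp = Response()
    if not req.authenticated:
        resp.status = 401
        resp.error = "must authenticate"
        return resp
    bad = [n for n in req.zip_entries if not is_safe_entry(n)]
    if bad:
        resp.status = 400
        resp.error = "rejected entries: " + ", ".join(bad)
        return resp
    extract(req, resp)
    return resp
```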
Information from OSINT
- The Shodan query for ZCS instances shows a total of 72,404 active instances worldwide.
Shodan result for Zimbra instances
Impact & Mitigation
- A successful exploit gives an attacker access to every email sent and received on a compromised email server.
- The initial access can be leveraged for:
  - Stealing user credentials
  - Privilege escalation
  - Installing backdoors
  - Deploying ransomware
  - Uploading malicious files
- Update the ZCS to the following patched versions:
Geographic distribution of compromised Zimbra servers (Source: Volexity)