CISAnalysis 12 August 2022

Zimbra Collaboration has made it back on CISA’s Known Exploited Vulnerabilities Catalog with CVE-2022-27925 and CVE-2022-37042 and the phrase of the day is “remote code execution without authentication.” According to CISA, “These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.”

CVE-2022-27925 – Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal. (from NIST website)

CVE-2022-37042 – Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925. (from NIST website)
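Both descriptions name the same bug class: an archive importer that trusts the entry names inside an uploaded ZIP. As an added illustration (not Zimbra's code and not from the advisories), the routine below resolves every entry under the import directory and refuses the import if any entry would land outside it, validating the whole archive before writing a single file; the archives and entry names are constructed test data.

```python
from __future__ import annotations
import io, zipfile
from pathlib import Path

def safe_member_path(dest: Path, member_name: str) -> Path:
    """Resolve a ZIP entry name under dest; reject anything that escapes it.
    Absolute names, backslash separators and '..' segments are all refused."""
    if member_name.startswith(("/", "\\")) or "\\" in member_name:
        raise ValueError(f"rejected absolute or backslash path: {member_name!r}")
    target = (dest / member_name).resolve()
    if target != dest and dest not in target.parents:
        raise ValueError(f"rejected path traversal: {member_name!r}")
    return target

def safe_extract(zip_bytes: bytes, dest: Path) -> list[str]:
    """Validate every entry first, then extract; returns the names written.
    One hostile name aborts the import before any file or directory is created."""
    dest = dest.resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        plan = [(info, safe_member_path(dest, info.filename)) for info in zf.infolist()]
        written = []
        for info, target in plan:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(info.filename)
    return written

def import_mailbox(zip_bytes: bytes, dest: Path) -> tuple[bool, str]:
    """Wrap the import and return (ok, message) for the caller's audit log."""
    try:
        return True, f"imported {len(safe_extract(zip_bytes, dest))} file(s)"
    except ValueError as exc:
        return False, str(exc)

def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build a constructed sample archive in memory (not real mailbox data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed inputs: a clean export and one carrying a traversal entry.
BENIGN_ZIP = build_zip({"Inbox/1.eml": b"Subject: hello\r\n\r\nbody\r\n"})
HOSTILE_ZIP = build_zip({"Inbox/2.eml": b"ok", "../../escaped.txt": b"x"})
```

The check belongs in front of the extraction, not after it: a partially extracted archive is exactly the state that leaves a stray file in a served directory.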

Cybersecurity organization Volexity investigated multiple breaches of ZCS in July and early August. These investigations indicated that “the likely cause of these breaches was exploitation of CVE-2022-27925,” which was initially patched back in March 2022. After further research, Volexity “determined it was possible to bypass authentication when accessing the same endpoint (mboximport) used by CVE-2022-27925.” These findings were subsequently reported to Zimbra and were patched in 9.0.0P26 and 8.8.15P33. This bypass was assigned CVE-2022-37042.

Through Internet-wide scans, Volexity has also determined that at least 1,000 instances of ZCS have been compromised. The affected instances belong to global companies and government departments as well as small businesses. The United States has the highest number of compromised servers identified so far.

Volexity also notes that simply applying the current patch will not remediate any compromise that occurred between the exploit becoming available and the patch being applied:

“It seems that patching ZCS instances to the newest version may remove webshells placed in some directories. However, if an attacker installed any second-stage or persistent malware (run via cron), then patching your ZCS instance is insufficient to remediate the compromise.”

Zimbra has steps on rebuilding your ZCS instance and importing mail from the old server here.

Sources:

CISA

NIST

Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925

#zimbra #CISAnalysis #RCE

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.
