Kaspersky experts have uncovered ongoing exploitation of the recently discovered CVE-2022-41352 vulnerability in Zimbra Collaboration software by unknown APT groups. At least one of those groups is attacking vulnerable servers in Central Asia.
What is CVE-2022-41352 and why is it so dangerous?
This vulnerability was found in the archive unpacking utility cpio, which is used by the Amavis content filter, which in turn is part of the Zimbra Collaboration suite. Attackers can craft a malicious .tar archive with a web-shell inside and send it to a server running vulnerable Zimbra Collaboration software. When the Amavis filter starts to check this archive, it calls the cpio utility, which unpacks the web-shell into one of the public directories. Then the criminals only have to run their web-shell and start executing arbitrary commands on the attacked server. In other words, this vulnerability is akin to the one in the Python tarfile module.
A more detailed technical description of the vulnerability can be found in the blog post on Securelist. Among other things, the blog post lists the directories where the attackers have placed their web-shell in the attacks investigated by our experts.
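The root cause described above is an archive whose member names point outside the extraction directory, so that the unpacker drops a file into a location the attacker chose. A defender-side check for that condition is to inspect archive member names before an extractor ever touches them. The following is an added example, not code from Zimbra, Amavis or this post; it uses Python's standard tarfile module to read member metadata only (nothing is extracted), flags absolute paths, parent-directory traversal and links that resolve outside the archive root, and builds a small constructed sample archive in memory so it runs offline. The member names and link targets in the sample are constructed for illustration.

```python
import io
import posixpath
import tarfile
from typing import List, Optional, Tuple


def member_is_unsafe(name: str) -> Optional[str]:
    """Return a reason string if a member name could escape the extraction
    directory, otherwise None. Backslashes are normalised so a name written
    for a Windows-style extractor is not missed."""
    normalised = name.replace("\\", "/")
    if normalised.startswith("/"):
        return "absolute path"
    if ".." in normalised.split("/"):
        return "parent-directory traversal"
    return None


def scan_tar(data: bytes) -> List[Tuple[str, str]]:
    """Read member headers from an in-memory tar archive and report every
    member that would write, or link, outside the extraction root.
    No member content is extracted."""
    findings: List[Tuple[str, str]] = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf:
            reason = member_is_unsafe(member.name)
            if reason is None and (member.issym() or member.islnk()):
                # Resolve the link target relative to the member's directory;
                # a result starting with "/" or ".." leaves the root.
                target = posixpath.normpath(
                    posixpath.join(posixpath.dirname(member.name), member.linkname)
                )
                if target.startswith("/") or target.startswith(".."):
                    reason = "link target outside archive root: %s" % member.linkname
            if reason is not None:
                findings.append((member.name, reason))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one benign file, one traversal entry, one absolute
    path and one symlink pointing outside the root. Not a real payload."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add_file(name: str, payload: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))

        def add_symlink(name: str, linkname: str) -> None:
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = linkname
            tf.addfile(info)

        add_file("docs/readme.txt", b"benign content\n")
        add_file("../../public/dropped.jsp", b"<!-- placeholder -->\n")
        add_file("/var/www/html/dropped.jsp", b"<!-- placeholder -->\n")
        add_symlink("docs/sibling", "readme.txt")   # stays inside the root
        add_symlink("link_out", "../../etc")        # escapes the root
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_tar(build_sample_archive()):
        print("%-32s %s" % (name, reason))
```

The check is deliberately conservative: a name such as `docs/../readme.txt` resolves safely but is still reported, because an unpacker that does not normalise paths the same way Python does may treat it differently. In a mail pipeline the natural place for such a gate is before the archive is handed to any external unpacker, and a flagged archive should be quarantined rather than unpacked with a different tool.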
What is especially dangerous about it is that the exploit for this vulnerability was added to the Metasploit Framework — a platform that in theory serves security research and pentesting, but in practice is often used by cybercriminals for real attacks. Thus, the exploit for CVE-2022-41352 can now be used even by novice cybercriminals.
How to stay safe
On October 14 Zimbra released a patch along with installation instructions, so the first logical step is to install the newest updates, which can be found here. If for some reason you cannot install this patch, there is a workaround: the attack can be prevented by installing the pax utility on a vulnerable server. In this case Amavis will use pax to unpack .tar archives instead of cpio. However, don’t forget that this is not a real solution to the problem: in theory, attackers can come up with another way to exploit cpio.
If you suspect you’re being attacked through this vulnerability, or if you find a web-shell in one of the directories listed on Securelist, our experts recommend contacting incident response specialists. It could be that the attackers have already gained access to other service accounts or even installed backdoors. This will give them the opportunity to regain access to the attacked system even if the web-shell is removed.
Kaspersky security solutions successfully detect and block attempts to exploit the CVE-2022-41352 vulnerability.