Have you patched your Zimbra server – actively exploited hacks

In a security alert updated on Monday, the US government’s Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) warned that cybercriminals are actively exploiting five vulnerabilities in the Zimbra Collaboration Suite (ZCS) to break into both government and private-sector networks. The agencies have provided fresh detection signatures to help admins identify intruders abusing these flaws.


The five CVE-listed bugs being exploited include CVE-2022-27924, which Zimbra patched in May and received a 7.5 out of 10 CVSS score. This high-severity bug can be used by an unauthenticated user to ultimately steal email account credentials in cleartext form with no user interaction.

SonarSource security researchers discovered the flaw in March, and published a detailed technical analysis that explained how an attacker could inject arbitrary memcache commands into a targeted instance, causing an overwrite of arbitrary cached entries, allowing them to steal account credentials.

In June, the security biz publicly released proof-of-concept (POC) exploits for this vulnerability. “Due to the POC and ease of exploitation, CISA and the MS-ISAC expect to see widespread exploitation of unpatched ZCS instances in government and private networks,” the Feds warned.

Another high-severity vulnerability, CVE-2022-27925, which also received a 7.4 CVSS rating, could allow an authenticated user with admin privileges to upload arbitrary files, thus leading to directory traversal. When combined with CVE-2022-37042, CVE-2022-27925 could be exploited without valid administrative credentials, according to researchers from Volexity, which reported more than 1,000 Zimbra email servers had been compromised in attacks chaining the two vulnerabilities.

Further big problems found

CVE-2022-37042 is a critical remote authentication bypass vulnerability that received a 9.8 CVSS rating. Zimbra issued fixes for both of these bugs in late July.

CVE-2022-30333 is a 7.5 rated high-severity flaw in RARLAB UnRAR, used by Zimbra, before 6.12 on Linux and Unix-flavored systems that allows miscreants to write to files during an extract operation.

“In the case of Zimbra, successful exploitation gives an attacker access to every single email sent and received on a compromised email server. They can silently backdoor login functionalities and steal the credentials of an organization’s users,” according to SonarSource, which discovered the bug. “With this access, it is likely that they can escalate their access to even more sensitive, internal services of an organization.”

To fix this issue, Zimbra made configuration changes to use the 7zip program instead of UnRAR.

We’re told that a miscreant is selling an exploit kit for CVE-2022-30333, and there’s also a Metasploit module that creates a RAR file, which then can be emailed to a Zimbra server to exploit this flaw.

The fifth known Zimbra vulnerability under active exploit, CVE-2022-24682, is a medium severity cross-site scripting bug that allows crooks to steal session cookie files. Volexity discovered this one, too, and Zimbra patched it in February.


Source: US government really hopes you’ve patched your Zimbra server • The Register

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft