A Comprehensive Analysis of the Zimbra Vulnerability CVE-2022-30333
August 12, 2022
Category: Vulnerability Intelligence
Vulnerability Class: Remote Code Execution
CVE ID: CVE-2022-30333
CVSS:3.0 Score: 7.5
Executive Summary
Threat:
An RCE vulnerability in Zimbra webmail servers is being actively exploited to target multiple organizations worldwide.
The exploit was used to launch a spear-phishing campaign against Europe.
Impact:
Successful exploitation gives access to every email sent and received on the compromised server.
Stolen credentials of an organization's users can be used to escalate access and install backdoors.
Mitigation:
Update Zimbra webmail servers to UnRAR binary version 6.12.
Conduct user-awareness training against phishing campaigns.
Analysis
CloudSEK's contextual AI digital risk platform XVigil has identified multiple threat actors exploiting CVE-2022-30333 to target vulnerable Zimbra webmail servers.
CVE-2022-30333 is a path traversal vulnerability in RarLab's UnRAR binary that can lead to remote code execution (RCE) on Zimbra webmail servers and potentially on other software that relies on UnRAR.
Because Zimbra is a well-known webmail service used by several businesses and government organizations, the vulnerability poses a high risk of exploitation.
UnRAR 6.17 and earlier, and the following versions of Zimbra, are affected by this vulnerability:
Zimbra 9.0.0 patch 24 and earlier
Zimbra 8.8.15 patch 31 and earlier
Information from Cybercrime Forums
A significant amount of chatter was observed on cybercrime forums and channels regarding CVE-2022-30333.
Threat actors were seen selling the exploits for this vulnerability at USD 4,000.
Multiple threat actors were seen posting about exploiting the Zimbra vulnerability to gain access to Government mail servers.
Figure: Sale of an exploit for the Zimbra vulnerability on a cybercrime forum
Information from OSINT
Multiple threat actors are actively exploiting this vulnerability and sharing PoCs for it.
CVE-2022-30333 has been exploited to successfully launch a spear-phishing campaign against European government bodies and agencies.
Attackers are using this vulnerability to send out email messages that lure victims into clicking specially crafted malicious links.
The sender addresses used in the spear-phishing campaign frequently followed these patterns:
<firstname>_<lastname><numbers>@outlook.com
<firstname><lastname><numbers>@outlook.com
A significant surge has been observed in the number of tweets mentioning CVE-2022-30333 over the past month.
Figure: Rise in exploits using the Zimbra vulnerability (Source: CVE STALKER)
Technical Details
An attacker uses a maliciously crafted RAR archive containing a symbolic link that points outside the extraction directory; a second file in the archive is then written through that link.
Threat actors abuse the DosSlashToUnix() function, which converts backslashes (\) to forward slashes (/) so that a RAR archive created on Windows can be extracted on a Unix system: a link target written with backslashes passes the traversal check and is only afterwards converted into a path that escapes the extraction directory.
The exploit therefore gives threat actors the freedom to write and read files anywhere on the victim's system that the extracting process can reach.
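As an added example (not code from the post, from UnRAR or from the GitHub PoC), the following Python models the check-then-convert ordering described above beside the normalize-first ordering that closes the gap; the function names and the sample link targets are constructed for illustration.

```python
import posixpath


def dos_slash_to_unix(path: str) -> str:
    """Mirror of the conversion the post describes: backslashes become slashes."""
    return path.replace("\\", "/")


def contains_traversal(path: str) -> bool:
    """True if the path is absolute or any '/'-separated component is '..'."""
    if path.startswith("/"):
        return True
    return any(part == ".." for part in path.split("/"))


def vulnerable_is_safe_target(target: str) -> bool:
    """Check first, convert afterwards: '..\\..\\x' has no '..' component yet."""
    if contains_traversal(target):
        return False
    _converted = dos_slash_to_unix(target)  # conversion happens after the check
    return True


def hardened_is_safe_target(target: str) -> bool:
    """Convert first, then check; finally confirm the normalized path stays inside."""
    converted = dos_slash_to_unix(target)
    if contains_traversal(converted):
        return False
    normalized = posixpath.normpath(converted)  # collapses '.' and 'a/../' segments
    return not normalized.startswith("/") and ".." not in normalized.split("/")


def scan_link_targets(targets):
    """Return targets the vulnerable ordering accepts but the hardened one rejects."""
    return [t for t in targets
            if vulnerable_is_safe_target(t) and not hardened_is_safe_target(t)]


# Constructed sample link targets (hypothetical, not taken from any archive).
SAMPLE_TARGETS = [
    "docs/readme.txt",          # plain relative target
    "..\\..\\outside.txt",      # backslash traversal, the CVE-2022-30333 pattern
    "../outside.txt",           # forward-slash traversal, caught by both checks
    "sub\\dir\\file.txt",       # Windows-style but harmless
]

if __name__ == "__main__":
    print("flagged:", scan_link_targets(SAMPLE_TARGETS))
```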
Proof of Concept (PoC)
The following code snippet is a publicly available PoC (on GitHub) for CVE-2022-30333.
The attacker provides a target path along with some file data as input.
The code generates a .rar that exploits the vulnerability and extracts the file to that location.
Figure: PoC for the Zimbra vulnerability
Impact & Mitigation
Impact:
A successful exploit gives an attacker access to every email sent and received on a compromised email server.
This access can be used for:
Stealing user credentials
Privilege escalation
Installing backdoors
Mitigation:
Update Zimbra webmail servers to UnRAR binary version 6.12.
Conduct user-awareness training so that individuals can distinguish an authentic domain from its phishing counterpart.
Indicators of Compromise (IoCs)
Based on the phishing campaign exploiting the Zimbra vulnerability, the IoCs are as follows.