A Comprehensive Analysis of the Zimbra Vulnerability CVE-2022-30333
| Category:
Vulnerability Intelligence |
Vulnerability Class:
Remote Code Execution |
CVE ID:
CVE-2022-30333 |
CVSS:3.0 Score:
7.5 |
|---|
Executive Summary
| THREAT | IMPACT | MITIGATION |
|---|---|---|
|
|
|
Analysis
- CloudSEK’s contextual AI digital risk platform XVigil has identified multiple threat actors exploiting CVE-2022-30333, to target vulnerable Zimbra webmail servers.
- CVE-2022-30333 is a path traversal vulnerability in RarLab’s UnRAR binary that can lead to remote code execution (RCE) on Zimbra webmail and potentially affect others.
- Zimbra is a well-known webmail service used by several businesses and government organizations, hence the vulnerability poses a high risk of exploitation.
- The UnRAR 6.17 and earlier versions of the following software are affected by this vulnerability:
- Zimbra 9.0.0 patch 24 and earlier
- Zimbra 8.8.15 patch 31 and earlier
Information from Cybercrime Forums
- A significant amount of chatter was observed on cybercrime forums and channels regarding CVE-2022-30333.
- Threat actors were seen selling the exploits for this vulnerability at USD 4,000.
- Multiple threat actors were seen posting about exploiting the Zimbra vulnerability to gain access to Government mail servers.
Information from OSINT
- Multiple threat actors are actively exploiting and sharing the PoCs of this vulnerability.
- CVE-2022-30333 has been exploited to successfully launch a spear phishing campaign against the European government and agencies.
- Attackers are using this vulnerability to send out email messages and lure victims to click on specially crafted malicious links.
- The emails sent out in the spear-phishing campaign were frequently formatted as follows:
- <firstname>_<lastname><numbers>@outlook.com
- <firstname><lastname><numbers>@outlook.com
- A significant surge has been observed in the number of tweets mentioning CVE-2022-30333 over the past month.
Technical Details
- An attacker uses maliciously crafted RAR archives, that can contain symbolic links pointing outside of the extraction directory, for de-referencing with a second file.
- Threat actors are using DosSlashToUnix() function to convert backslashes (\) to forward slashes (/) in order to ensure that a RAR archive created on Windows can be extracted on a Unix system.
- The exploit gives threat actors freedom to write and read a file anywhere on the victim’s system.
Proof of Concept (PoC)
- The following code snippet is publicly available PoC (on GitHub) for CVE-2022-30333.
- The attacker provides a target along with some file data as input.
- The code generates a .rar that will exploit the vulnerability and extract the file to that location.
Impact & Mitigation
| Impact | Mitigation |
|---|---|
|
|
Indicators of Compromise (IoCs)
Based on the phishing campaign exploiting the Zimbra Vulnerability, the following are the IOCs.
| <firstname>_<lastname><numbers>@outlook.com
<firstname><lastname><numbers>@outlook.com |
|
|---|---|
| URLs | |
| hxxp://fireclaws.spiritfield[.]ga/.jpeg?[integer]
hxxp://feralrage.spiritfield[.]ga/.jpeg?[integer] |
hxxp://oaksage.spiritfield[.]ga/.jpeg?[integer]
hxxp://claygolem.spiritfield[.]ga/.jpeg?[integer] |
| IP Address | |
| 108.160.133.32
172.86.75.158 |
206.166.251.141
206.166.251.166 |
| Infrastructure | |
| Amazon-check[.]cf
Bruising-intellect[.]ml Chargedboltsentry.spiritfield[.]tk |
Mail.bruising-intellect[.]ml
Tigerstrike.iceywindflow[.]ml |
| SubDomain | |
| hxxps://update.secretstep[.]tk/.jpeg?u=[integer]&t=[second_integer] | |
References
- #Traffic Light Protocol – Wikipedia
- Operation EmailThief: Active Exploitation of Zero-day XSS Vulnerability in Zimbra | Volexity
- CVE STALKER -The most viral CVE(vulnerability) ranking chart-
- Unrar Path Traversal Vulnerability affects Zimbra Mail (sonarsource.com)
Appendix
Tags:
No items found.