Zimbra Collaboration Suite Actively Exploited Via an Authentication Bypass Vulnerability CVE-2022-37042

Summary

RCE vulnerability in Zimbra Collaboration Suite (ZCS) being actively exploited in the wild.
Category: Vulnerability Intelligence
Vulnerability Class: Remote Code Execution
CVE ID: CVE-2022-37042
CVSS:3.0 Score: 9.8

Executive Summary

Threat:
  • RCE vulnerability in Zimbra Collaboration Suite (ZCS) being actively exploited in the wild.
  • The vulnerability is listed in CISA’s “Known Exploited Vulnerabilities Catalog”.
Impact:
  • The vulnerability can allow threat actors to gain initial access to an organization’s network and conduct further exploitation.
Mitigation:
  • Update ZCS to the following patched versions:
    • 9.0.0P26
    • 8.8.15P33

Analysis

  • On 10 May 2022, Zimbra disclosed CVE-2022-27925 as an authenticated directory traversal vulnerability.
  • This vulnerability affects the Zimbra Collaboration Suite (ZCS) releases 8.8.15 and 9.0, which use mboximport functionality to receive ZIP archives and extract files from them.
  • However, on 10 August 2022, Volexity, a cyber forensics and incident response firm, released a report stating that this vulnerability was used to exploit ZCS email servers of multiple organizations without having authenticated access to the ZCS instances.
  • The authentication bypass, directory traversal and RCE vulnerability was assigned CVE-2022-37042 with a CVSS v3 score of 9.8.
  • CVE-2022-37042 exists because the patch for CVE-2022-27925 was incomplete.
  • Further investigation by Volexity verified that it was possible to bypass authentication when accessing the mboximport endpoint.
  • Based on internet-wide scans conducted by Volexity, more than 1,000 ZCS servers have been compromised and backdoored.

Technical Analysis

During Volexity's inspection of the source code of the MailboxImport servlet, it was revealed that:
  • The doPost method, which performs the user authentication check when the endpoint is requested, was flawed.
  • The flaw was a missing return statement: when the authentication check failed, an error message was set on the response, but the method did not return.
  • Execution therefore continued into the rest of the method even for unauthenticated users, allowing a malicious ZIP file to be uploaded to the server.
Flawed logic in the doPost function in MailboxImport (Source: Volexity)
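As an added illustration (not Zimbra's code and not taken from Volexity's report), a simplified Python model of the doPost control flow described above: the flawed handler records the authentication error but falls through to the import step, while the fixed handler returns immediately. The Request and Response classes, is_authenticated and import_mailbox are constructed stand-ins for this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    auth_token: Optional[str]  # session token presented by the client
    zip_payload: bytes         # uploaded mailbox archive (ZIP)


@dataclass
class Response:
    status: int = 200
    error: Optional[str] = None
    imported: bool = False     # True only if the import stage actually ran


def is_authenticated(req: Request) -> bool:
    # Stand-in for the real session lookup: any non-empty token passes.
    return bool(req.auth_token)


def import_mailbox(req: Request, resp: Response) -> None:
    # Stand-in for the mboximport ZIP handling; what matters here is only
    # whether control ever reaches this point.
    resp.imported = True


def do_post_flawed(req: Request) -> Response:
    resp = Response()
    if not is_authenticated(req):
        resp.status = 401
        resp.error = "must be authenticated"
        # BUG: no return, so the handler keeps going for an unauthenticated
        # request and the uploaded archive is still processed.
    import_mailbox(req, resp)
    return resp


def do_post_fixed(req: Request) -> Response:
    resp = Response()
    if not is_authenticated(req):
        resp.status = 401
        resp.error = "must be authenticated"
        return resp  # FIX: stop here; nothing below runs without auth
    import_mailbox(req, resp)
    return resp
```

Note that the flawed handler still returns an error to the client while performing the import, so an error response in the logs is not evidence that an unauthenticated upload was rejected.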

Information from OSINT

  • The Shodan query for ZCS instances shows a total of 72,404 active instances worldwide.
Shodan result for Zimbra instances

Impact & Mitigation

Impact:
  • A successful exploit gives an attacker access to every email sent and received on a compromised email server.
  • The initial access can be leveraged for:
    • Stealing user credentials
    • Privilege escalation
    • Installing backdoors
    • Deploying ransomware
    • Uploading malicious files
Mitigation:
  • Update ZCS to the following patched versions:
    • 9.0.0P26
    • 8.8.15P33

Appendix

Geographic distribution of compromised Zimbra servers (Source: Volexity)
