9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1.9 Low
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:L/AC:M/Au:N/C:N/I:P/A:N
Zimbra has released patches to contain an actively exploited security flaw in its enterprise collaboration suite that could be leveraged to upload arbitrary files to vulnerable instances.
Tracked as CVE-2022-41352 (CVSS score: 9.8), the issue affects a component of the Zimbra suite called Amavis, an open source content filter, and more specifically, the cpio utility it uses to scan and extract archives.
The flaw, in turn, is said to be rooted in another underlying vulnerability (CVE-2015-1197) that was first disclosed in early 2015, which according to Flashpoint was rectified, only to be subsequently reverted in later Linux distributions.
“An attacker can use cpio package to gain incorrect access to any other user accounts,” Zimbra said in an advisory published last week, adding it “recommends pax over cpio.”
Fixes are available in the following versions -
All an adversary seeking needs to do to weaponize the shortcoming is to send an email with a specially crafted TAR archive attachment that, upon being received, gets submitted to Amavis, which uses the cpio module to trigger the exploit.
Cybersecurity company Kaspersky has disclosed that unknown APT groups have actively been taking advantage of the flaw in the wild, with one of the actors “systematically infecting all vulnerable servers in Central Asia.”
The attacks, which unfolded over two attack waves in early and late September, primarily targeted government entities in the region, abusing the initial foothold to drop web shells on the compromised servers for follow-on activities.
Based on information shared by incident response firm Volexity, roughly 1,600 Zimbra servers are estimated to have been infected in what it calls a “mix of targeted and opportunistic attacks.”
“Some web shell paths […] were used in targeted (likely APT) exploitation of key organizations in government, telecommunications, and IT, predominantly in Asia; others were used in massive worldwide exploitation,” the company said in a series of tweets.
Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1.9 Low
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:L/AC:M/Au:N/C:N/I:P/A:N