If you haven't patched Zimbra holes by now, assume you're toast

Here's how to detect an intrusion via vulnerable email systems


Organizations that didn't immediately patch their Zimbra email systems should assume miscreants have already found and exploited the bugs, and should start hunting for malicious activity across IT networks, according to Uncle Sam.

In a security alert updated on Monday, the US government's Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) warned that cybercriminals are actively exploiting five vulnerabilities in the Zimbra Collaboration Suite (ZCS) to break into both government and private-sector networks. The agencies have provided fresh detection signatures to help admins identify intruders abusing these flaws.

The software maker has issued patches for all five flaws, starting in May and with the most recent being rolled out in late July.

Zimbra is an email and collaboration platform that claims to power "hundreds of millions of mailboxes in 140 countries."

The five CVE-listed bugs being exploited include CVE-2022-27924, which Zimbra patched in May and received a 7.5 out of 10 CVSS score. This high-severity bug can be used by an unauthenticated user to ultimately steal email account credentials in cleartext form with no user interaction.

SonarSource security researchers discovered the flaw in March, and published a detailed technical analysis that explained how an attacker could inject arbitrary memcache commands into a targeted instance, causing an overwrite of arbitrary cached entries, allowing them to steal account credentials.

In June, the security biz publicly released proof-of-concept (POC) exploits for this vulnerability. "Due to the POC and ease of exploitation, CISA and the MS-ISAC expect to see widespread exploitation of unpatched ZCS instances in government and private networks," the Feds warned.

Another high-severity vulnerability, CVE-2022-27925, which also received a 7.4 CVSS rating, could allow an authenticated user with admin privileges to upload arbitrary files, thus leading to directory traversal. When combined with CVE-2022-37042, CVE-2022-27925 could be exploited without valid administrative credentials, according to researchers from Volexity, which reported more than 1,000 Zimbra email servers had been compromised in attacks chaining the two vulnerabilities.

Further big problems found

CVE-2022-37042 is a critical remote authentication bypass vulnerability that received a 9.8 CVSS rating. Zimbra issued fixes for both of these bugs in late July.

CVE-2022-30333 is a 7.5 rated high-severity flaw in RARLAB UnRAR, used by Zimbra, before 6.12 on Linux and Unix-flavored systems that allows miscreants to write to files during an extract operation. 

"In the case of Zimbra, successful exploitation gives an attacker access to every single email sent and received on a compromised email server. They can silently backdoor login functionalities and steal the credentials of an organization's users," according to SonarSource, which discovered the bug. "With this access, it is likely that they can escalate their access to even more sensitive, internal services of an organization." 

To fix this issue, Zimbra made configuration changes to use the 7zip program instead of UnRAR.

We're told that a miscreant is selling an exploit kit for CVE-2022-30333, and there's also a Metasploit module that creates a RAR file, which then can be emailed to a Zimbra server to exploit this flaw.

The fifth known Zimbra vulnerability under active exploit, CVE-2022-24682, is a medium severity cross-site scripting bug that allows crooks to steal session cookie files. Volexity discovered this one, too, and Zimbra patched it in February.

In its advisory, CISA recommends security teams "especially at organizations that did not immediately update their ZCS instances upon patch release" search for any signs of malicious activity using a handful of third-party detection signatures.

This includes the following indicator of compromise: connections to or from 207.148.76[.]235, which is a Cobalt Strike command-and-control domain.

Also on Monday, CISA updated the advisory with new snort signatures that businesses can deploy to detect signs of cybercriminals on their network.

And finally the Feds suggest deploying third-party YARA rules to detect potential webshells. ®


Other stories you might like

Biting the hand that feeds IT © 1998–2022