By linking two security bugs in the groupware, attackers have taken over thousands of Zimbra installations since the end of June.
The authors of the groupware Zimbra warn of a security hole that allows the execution of arbitrary code. Security researchers have found indications that this vulnerability – a variant of a previously patched problem – has been actively exploited by attackers for over a month.
Thousands of Zimbra instances compromised
By extending the attack to a known and patched vulnerability, attackers could execute arbitrary code without prior authentication and have already taken over thousands of instances of the groupware.
In March, the Zimbra developers fixed an issue in the mailbox import functionality (CVE-2022-27925) that allowed uploading arbitrary ZIP files in the context of the Zimbra installation. At the end of June, Zimbra had a similar problem with RAR files. Attackers could have uploaded a web shell to the Zimbra server this way and taken it over; according to the assessment at the time, however, they needed admin rights to do so.
However, security service provider Volexity found evidence in July and August that an exploit for CVE-2022-27925 was used to successfully take over Zimbra servers without the attackers first gaining admin access. In their analysis, the security researchers themselves developed a way to bypass the authentication that was in fact required and reported this problem (CVE-2022-37042) to the Zimbra developers.
Volexity has now published its findings in a detailed blog article. The combination of these two vulnerabilities makes Zimbra “trivially vulnerable,” as Volexity President Steven Adair wrote on Twitter. According to Adair, Volexity has sent the national CERTs a list of affected Zimbra instances.
However, admins should not wait for a warning from their responsible CERT, but should update their Zimbra instance immediately. Versions 8.8.15P33 and 9.0.0P26 fix both security gaps and should be installed as soon as possible. Zimbra instances with versions older than 8.8.15P31 or 9.0.0P24 must also be considered compromised and should be subjected to a close security check, Volexity advises.
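A small triage helper that applies the version thresholds above to an installed Zimbra build, as an added example that is not code from the article, Zimbra or Volexity; the `zmcontrol -v` output format in the sample input is an assumption, constructed for this demo.

```python
import re

# Patch levels the article names as fixing CVE-2022-27925 and CVE-2022-37042.
FIXED = {"8.8.15": 33, "9.0.0": 26}
# Anything older than these levels: Volexity says treat the host as compromised.
COMPROMISE_THRESHOLD = {"8.8.15": 31, "9.0.0": 24}

# Matches "8.8.15P31", "9.0.0_P26" or "8.8.15 P33"; the base-only pattern is a
# fallback for a GA build with no patch applied at all.
PATCHED_RE = re.compile(r"(\d+\.\d+\.\d+)[_ ]?P(\d+)", re.IGNORECASE)
BASE_RE = re.compile(r"(\d+\.\d+\.\d+)")


def parse_version(text):
    """Return (base, patch_level) parsed from a version string, or None."""
    m = PATCHED_RE.search(text)
    if m:
        return m.group(1), int(m.group(2))
    m = BASE_RE.search(text)
    if m:
        return m.group(1), 0  # GA release, no patch level present
    return None


def classify(text):
    """Classify a Zimbra version string against the advisory thresholds:
    'patched', 'update-required', 'assume-compromised' or 'unknown'."""
    parsed = parse_version(text)
    if parsed is None or parsed[0] not in FIXED:
        return "unknown"  # not one of the two branches the advisory covers
    base, patch = parsed
    if patch >= FIXED[base]:
        return "patched"
    if patch < COMPROMISE_THRESHOLD[base]:
        return "assume-compromised"
    return "update-required"


if __name__ == "__main__":
    # Constructed sample in the assumed shape of a `zmcontrol -v` line.
    sample = "Release 8.8.15.GA.4179.UBUNTU18.64 UBUNTU18_64 FOSS edition, Patch 8.8.15_P30."
    for probe in (sample, "9.0.0P26", "9.0.0P25", "9.0.0"):
        print(f"{probe!r}: {classify(probe)}")
```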