The US government really hopes you patched your Zimbra server • The Register


According to Uncle Sam, organizations that did not patch their Zimbra email servers promptly should assume that attackers have already found and exploited the bugs, and should start hunting for malicious activity on their networks.

In a security alert updated on Monday, the US government’s Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) warned that cybercriminals are actively exploiting five vulnerabilities in the Zimbra Collaboration Suite (ZCS) to penetrate government and private networks. The agencies have provided new detection signatures to help administrators identify intruders abusing these flaws.

Zimbra released patches for all five flaws between February and the end of July.

Zimbra is a messaging and collaboration platform that claims to power “hundreds of millions of mailboxes in 140 countries”.

The five exploited bugs include CVE-2022-27924, which Zimbra patched in May and which carries a CVSS score of 7.5 out of 10. This high-severity flaw lets an unauthenticated attacker, with no user interaction, steal email account credentials in cleartext.

SonarSource security researchers discovered the flaw in March and published a detailed technical analysis explaining how an attacker could inject arbitrary memcached commands into a targeted instance and overwrite cached entries at will. Because Zimbra’s mail proxy consults that cache to find the backend for a given mailbox, poisoning it lets the attacker redirect victims’ connections to a server they control and collect their credentials.

In June, the security firm publicly released a proof-of-concept (PoC) exploit for this vulnerability. “Because of the PoC and ease of exploitation, CISA and MS-ISAC expect to see widespread exploitation of unpatched ZCS instances in government and private networks,” the federal authorities warned.
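The injection class behind CVE-2022-27924 is easy to show in miniature. The following is an added example, not SonarSource’s proof of concept or Zimbra’s code: memcached’s text protocol is line-based, so a user-controlled value that reaches a key unfiltered can carry a carriage return and line feed followed by a second command. The `route` key prefix, the `victim` name and the `evil.host:7993` value are placeholders for illustration; the key rule the hardened version enforces (printable ASCII, no whitespace or control characters, at most 250 bytes) is memcached’s own.

```python
import re

# Memcached keys may not contain whitespace or control characters and are
# limited to 250 bytes; this regex encodes that rule.
KEY_RE = re.compile(rb"[\x21-\x7e]{1,250}")


def naive_lookup(prefix: str, user: str) -> bytes:
    """Vulnerable pattern: the user-controlled value is pasted into the request."""
    return f"get {prefix}:{user}\r\n".encode()


def safe_lookup(prefix: str, user: str) -> bytes:
    """Hardened pattern: refuse any key that memcached would not accept as a
    single token, which also rules out the CR/LF needed for injection."""
    key = f"{prefix}:{user}".encode()
    if not KEY_RE.fullmatch(key):
        raise ValueError("refusing key with whitespace/control characters or >250 bytes")
    return b"get " + key + b"\r\n"


def parse_commands(buf: bytes) -> list:
    """Simplified view of how a memcached server reads its text protocol:
    one command per CRLF-terminated line; 'set' is followed by a data block
    whose length is given in the command line."""
    cmds = []
    pos = 0
    while pos < len(buf):
        end = buf.find(b"\r\n", pos)
        if end < 0:
            break  # incomplete line, the server would wait for more data
        parts = buf[pos:end].split()
        pos = end + 2
        if not parts:
            continue
        verb = parts[0].decode()
        if verb == "set":
            # set <key> <flags> <exptime> <bytes>\r\n<data>\r\n
            n = int(parts[4])
            data = buf[pos:pos + n]
            pos += n + 2
            cmds.append(("set", parts[1].decode(), data.decode()))
        else:
            cmds.append((verb, parts[1].decode() if len(parts) > 1 else ""))
    return cmds


if __name__ == "__main__":
    # Constructed malicious username: the CRLF ends the 'get' and smuggles a
    # 'set' that overwrites another user's cached entry. "evil.host:7993" is a
    # placeholder value 14 bytes long, hence the 14 in the set line.
    injected = "x\r\nset route:victim 0 0 14\r\nevil.host:7993"
    print(parse_commands(naive_lookup("route", injected)))
    try:
        safe_lookup("route", injected)
    except ValueError as exc:
        print("rejected:", exc)
```

Running it shows the server-side view of a single “lookup” that actually carries two commands, the second of which replaces a cached entry for a different user; the same input is refused outright by `safe_lookup`. The fix is in the client: never let untrusted bytes become part of a protocol line without validating them against the protocol’s own token rules.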

Another high-severity vulnerability, CVE-2022-27925, rated CVSS 7.2, lets an authenticated user with administrator privileges upload arbitrary files through a directory traversal in the mailbox import function. Chained with CVE-2022-37042, it can be exploited without valid administrative credentials, according to Volexity researchers, who reported that more than 1,000 Zimbra mail servers had been compromised in attacks combining the two vulnerabilities.

Other major issues found

CVE-2022-37042 is a critical remote authentication bypass, rated CVSS 9.8, that exposes the same import endpoint to unauthenticated attackers. Zimbra patched CVE-2022-27925 in March and CVE-2022-37042 at the end of July.

CVE-2022-30333 is a high-severity flaw, rated 7.5, in RARLAB’s UnRAR before version 6.12 on Linux and Unix systems, which Zimbra used to unpack RAR attachments for scanning. A crafted archive containing symbolic links lets an attacker write to arbitrary files during extraction.

“In the case of Zimbra, a successful exploit gives an attacker access to every email sent and received on a compromised email server. They can covertly defeat login features and steal the credentials of users of an organization,” according to SonarSource, which discovered the bug. “With this access, it is likely that they can escalate their access to even more sensitive internal services of an organization.”

Zimbra addressed the issue by changing its configuration to extract archives with 7-Zip instead of UnRAR.

We’re told a malefactor is selling an exploit kit for CVE-2022-30333, and there’s also a Metasploit module that creates a malicious RAR file, which can then be emailed to a Zimbra server to trigger the flaw.
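Both CVE-2022-27925 (an archive whose entry names climb out of the extraction directory) and CVE-2022-30333 (an archive that writes through a symbolic link) are the same bug class: an extractor that trusts the path inside the archive. The following added example, written for this article and not taken from Zimbra, UnRAR or 7-Zip, builds a constructed zip with a benign entry and both traversal styles, then contrasts the common lexical containment check with one performed on the resolved path. The directory names and entry names are illustrative.

```python
import io
import os
import tempfile
import zipfile


def build_sample_archive() -> bytes:
    """Constructed sample archive for the demo (not a real attacker payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mail/inbox.eml", "Subject: hello\r\n\r\nbenign body\r\n")
        zf.writestr("../../outside.txt", "classic dot-dot traversal")
        zf.writestr("link/evil.txt", "traversal through a pre-existing symlink")
    return buf.getvalue()


def naive_check(dest: str, name: str) -> bool:
    """Common half-fix: lexical containment test. It blocks '../' but not a
    path that passes through a symlink already present inside dest."""
    base = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(dest, name))
    return os.path.commonpath([base, target]) == base


def robust_check(dest: str, name: str) -> bool:
    """Containment test on the resolved path, so symlinks are followed before
    the comparison is made."""
    base = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, name))
    return os.path.commonpath([base, target]) == base


def safe_extract(archive: bytes, dest: str) -> dict:
    """Extract only entries whose resolved target stays under dest."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if not robust_check(dest, info.filename):
                rejected.append(info.filename)
                continue
            target = os.path.join(dest, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(info.filename)
    return {"written": written, "rejected": rejected}


def demo() -> dict:
    """Set up a scratch tree with a symlink pointing outside the extraction
    directory, compare the two checks, and run the safe extractor."""
    tmp = tempfile.mkdtemp()
    dest = os.path.join(tmp, "work", "dest")
    outside = os.path.join(tmp, "outside")
    os.makedirs(dest)
    os.makedirs(outside)
    # A symlink planted inside dest (for example by an earlier archive) that
    # points outside it: the UnRAR-style traversal vector.
    os.symlink(outside, os.path.join(dest, "link"))
    archive = build_sample_archive()
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = zf.namelist()
    return {
        "naive_accepts": [n for n in names if naive_check(dest, n)],
        "robust_accepts": [n for n in names if robust_check(dest, n)],
        "extracted": safe_extract(archive, dest),
        "outside_after": os.listdir(outside),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The lexical check passes `link/evil.txt` because the string never leaves `dest`; only resolving the path exposes where the write would really land. Two caveats a practitioner would add: the check-then-write sequence still leaves a race window if another process can swap a directory for a symlink in between (extract as an unprivileged user into a freshly created, empty directory, or open with `O_NOFOLLOW` where available), and an extractor that itself materializes symlink entries must apply the same resolved-path test to each entry in archive order, which is precisely what the pre-6.12 UnRAR failed to do.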

Zimbra’s fifth known vulnerability under active exploitation, CVE-2022-24682, is a medium-severity cross-site scripting bug that lets crooks steal session cookies. Volexity discovered this one too, and Zimbra fixed it in February.

In its advisory, CISA recommends that security teams, “particularly in organizations that did not immediately update their ZCS instances when the patch was released,” scan for signs of malicious activity using a handful of third-party detection signatures.

Those include one indicator of compromise in particular: connections to or from 207.148.76[.]235, an IP address identified as Cobalt Strike command-and-control infrastructure.
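Indicators are published defanged, as above, and a naive grep for the published string will match nothing. As an added example (not part of CISA’s advisory or its signature set), the following refangs the indicator, parses constructed firewall-style log lines, and reports inbound and outbound contact with the address. The log format, timestamps and internal addresses are invented for the demo; the indicator is the one quoted in the article.

```python
import ipaddress
import re

# Indicator as published in the advisory text (defanged with "[.]").
IOCS = ["207.148.76[.]235"]

# Constructed firewall-style log lines for the demo; not real telemetry.
# The last line is a deliberate near-miss (207.148.76.2) to show that
# matching must be on the parsed address, not on a string prefix.
SAMPLE_LOG = """\
2022-08-15T10:01:02Z src=10.0.5.12 dst=207.148.76.235 dport=443 proto=tcp action=allow
2022-08-15T10:01:09Z src=10.0.5.12 dst=93.184.216.34 dport=443 proto=tcp action=allow
2022-08-15T10:02:40Z src=207.148.76.235 dst=10.0.5.12 dport=8443 proto=tcp action=allow
2022-08-15T10:03:11Z src=10.0.5.99 dst=207.148.76.2 dport=80 proto=tcp action=allow
""".splitlines()

KV_RE = re.compile(r"(\w+)=(\S+)")


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable value."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def load_ip_iocs(raw) -> set:
    """Refang and parse each indicator; a malformed entry fails loudly
    rather than silently matching nothing."""
    return {ipaddress.ip_address(refang(item.strip())) for item in raw}


def scan(lines, iocs) -> list:
    """Return one hit per line that talks to or from a watched address."""
    watch = load_ip_iocs(iocs)
    hits = []
    for line in lines:
        fields = dict(KV_RE.findall(line))
        if "src" not in fields or "dst" not in fields:
            continue
        ts = line.split(" ", 1)[0]
        try:
            src = ipaddress.ip_address(fields["src"])
            dst = ipaddress.ip_address(fields["dst"])
        except ValueError:
            continue  # not an IP pair; skip rather than guess
        if dst in watch:
            hits.append({"ts": ts, "direction": "outbound",
                         "internal": str(src), "ioc": str(dst)})
        if src in watch:
            hits.append({"ts": ts, "direction": "inbound",
                         "internal": str(dst), "ioc": str(src)})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, IOCS):
        print(hit)
```

On the sample data this reports two hits, one outbound beacon-like connection to the address over 443 and one inbound connection from it, and ignores the near-miss. In practice the same loop would be pointed at proxy, firewall or flow logs for the period since the relevant patch was released, and an outbound hit from a Zimbra host is the signal to treat that host as compromised rather than merely unpatched.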

Also on Monday, CISA updated the advisory with new Snort signatures that organizations can deploy to spot intruders on their networks.

And finally, the feds suggest deploying third-party YARA rules to detect potential webshells. ®