A vulnerability exists in the cpio unpacking utility, a component of Zimbra's antivirus engine Amavis, which in turn is a component of the Zimbra Collaboration Suite.
The key issue is a path-traversal bug in the cpio command-line utility: a crafted archive can make cpio write an arbitrary file to an arbitrary location on a Linux system.
The bug allows threat actors to upload malicious files to the affected server, which could lead to RCE. In the attack scenario, an attacker sends an email with an archive attachment (a .cpio, .rpm, or .tar file); if pax is not installed, Amavis uses the cpio utility to extract the archive so that it can scan the contents for malware.
This is a problem because some Linux distributions do not install pax by default.
The vulnerability is similar to CVE-2022-30333, which affects the .rar archive format rather than .tar or .cpio.
Incident Response
A patch was released by Zimbra on the 10th of October 2022.
Patched versions: Zimbra Collaboration Suite 9.0.0 P27, Zimbra 8.8.15 Patch 34
CVSS Score: 9.5
Exploitation
Attackers can exploit this easily because a Metasploit module for it has been added to recent versions of Metasploit.
Step-by-step exploitation
1. Assuming you already have Metasploit installed, open a terminal and run msfconsole
2. If you are not using the latest version of Metasploit, run msfupdate (you may need to run msfconsole again afterwards to see the changes)
3. msf6 > search zimbra
4. msf6 > use exploit/linux/http/zimbra_cpio_cve_2022_41352
5. msf6 > show options
6. Set Rhost and run
Remediation
- Update to the latest versions (9.0.0 P27 / 8.8.15 Patch 34 or later)
- Install pax so that Amavis prioritizes pax over cpio when extracting archives
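The two remediation points above can be turned into a quick host check. The script below is an added example, not part of the advisory or of Zimbra's own tooling: it reports whether pax is on the PATH (so Amavis no longer falls back to cpio) and whether the installed patch level is at or above 9.0.0 P27 / 8.8.15 P34. The `zmcontrol -v` output format it parses is an assumption, and the version line fed to `assess` is constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the advisory): assess a Zimbra host for the
# CVE-2022-41352 mitigations. Patch thresholds come from the advisory:
# 9.0.0 P27 and 8.8.15 Patch 34.

# Returns 0 when pax is installed and on PATH, 1 otherwise.
has_pax() {
    command -v pax >/dev/null 2>&1
}

# Usage: zimbra_patched <release> <patch-number>
# Returns 0 if patched, 1 if below the fixed patch level,
# 2 if the release line is not one the advisory covers.
zimbra_patched() {
    release=$1
    patch=$2
    case "$release" in
        9.0.0)  [ "$patch" -ge 27 ] && return 0 || return 1 ;;
        8.8.15) [ "$patch" -ge 34 ] && return 0 || return 1 ;;
        *)      return 2 ;;
    esac
}

# Parse a "zmcontrol -v" style line (format assumed), e.g.
#   Release 9.0.0_GA_4397.RHEL8_64_20220419103939 RHEL8_64 FOSS edition, Patch 9.0.0_P27.
# Prints "<release> <patch>"; returns 1 if the line cannot be parsed.
parse_zmcontrol() {
    line=$1
    release=$(printf '%s\n' "$line" | sed -n 's/^Release \([0-9][0-9.]*\)_.*/\1/p')
    patch=$(printf '%s\n' "$line" | sed -n 's/.*Patch [0-9.]*_P\([0-9][0-9]*\).*/\1/p')
    [ -n "$release" ] && [ -n "$patch" ] || return 1
    printf '%s %s\n' "$release" "$patch"
}

# Combine both checks for one host. Prints exactly one word:
#   PATCHED     patch level at or above the fix
#   MITIGATED   old patch level, but pax is present so cpio is not used
#   VULNERABLE  old patch level and no pax
#   UNKNOWN     version line not parsable or release not covered
assess() {
    parsed=$(parse_zmcontrol "$1") || { echo UNKNOWN; return 0; }
    set -- $parsed
    zimbra_patched "$1" "$2" && rc=0 || rc=$?
    case "$rc" in
        0) echo PATCHED ;;
        1) if has_pax; then echo MITIGATED; else echo VULNERABLE; fi ;;
        *) echo UNKNOWN ;;
    esac
}

# Example run on a constructed version line (on a real host use "$(zmcontrol -v)").
assess 'Release 8.8.15_GA_3869.RHEL7_64_20190918004220 RHEL7_64 FOSS edition, Patch 8.8.15_P33.'
```

On a real host, replace the constructed line with the output of `zmcontrol -v` (run as the zimbra user); MITIGATED hosts still need the patch, since pax only removes the cpio fallback path that Amavis uses.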
Security Advisory