Zimbra Collaboration Suite unauthenticated remote code execution (RCE) exploitation

Overview

A new advisory has been published by Cybersecurity & Infrastructure Security Agency (CISA) warning that malicious actors are chaining together five different CVEs in order to actively target the Zimbra Collaboration Suite (ZCS).

The vulnerabilities being exploited by malicious actors are being tracked with the following CVEs:

CVE-2022-27924: An unauthenticated memecache command injection vulnerability within affected ZCS instances. Successful exploitation of this vulnerability could allow for a malicious actor to exfiltrate email client credentials in cleartext with the need for user interaction.

CVE-2022-27925: A directory traversal vulnerability found within versions of ZCS which utilise the ‘mboximport’ functionality to receive and extract files from ZIP files. In order to successfully exploit this vulnerability, a malicious actor must be authenticated against the ZCS client, or supply the payload to an authenticated user. This vulnerability has been chained in active exploitation in conjunction with CVE-2022-37042.

CVE-2022-37042: An authentication bypass vulnerability found within the MailboxImportServlet function in ZCS. Successful exploitation of this vulnerability would allow for a malicious actor to access vulnerable ZCS instances without the need for valid credentials.

CVE-2022-30333: A directory traversal vulnerability found within RARLAB UnRAR on Linux and Unix. Successful exploitation of this vulnerability allows a malicious actor to write to files during the extract operation. To exploit this vulnerability a malicious actor can specifically craft a RAR file which is subsequently sent to a vulnerable ZCS client. Any RAR file which is sent to a ZCS client is automatically unpacked for malware inspection, therefore a payload would be triggered.

CVE-2022-24682: A cross-site scripting (XSS) vulnerability within the ZCS webmail client. Successful exploitation of this vulnerability would allow a malicious actor to steal valid user session cookies.

Malicious actors have then been seen dropping a Cobalt Strike beacon on target devices for further command-and-control (C2).

Impact

Chaining the aforementioned CVEs within the Zimbra product together in a successful attack would enaled a malicious actor to perform remote code execution against target systems allowing for a foothold within an affected system. In the latest large scale attack the malicious actors have been noted as installing Cobalt Strike onto victim machines.

Vulnerability Detection

Zimbra Collaboration Suite prior to 8.815 and 9.0

Affected Products

Zimbra Collaboration Suite prior to 8.815 and 9.0 for CVE-2022-24682 and CVE-2022-27924.

Zimbra remains vulnerable to CVE-2022-27925 in conjunction with CVE-2022-37042, and CVE-2022-30333 without effective multi-factor authentication (MFA) policies in effect.

Containment, Mitigations & Remediations

It is strongly advised that customers keep their devices updated with regular patching cycles. Latest ZCS patching information can be found on the official vendor security advisory page.

ZCS users are to also ensure that zero-trust principles including strong MFA and virtual private networks (VPN) use are in force to disrupt the attackers ability to implement email credential hacking techniques. Furthermore, customers are advised to configure and secure internet-facing network devices by disabling unused or unnecessary network ports and protocols to not expose management interfaces to the internet.

Indicators of Compromise

Outbound network connections to the following IP addresses: 207[.]148[.]76[.]235 66[.]115[.]189[.]144 66[.]115[.]189[.]144

Checking affected systems for the presence of a webshell in the following file directory:

/opt/zimbra/mailboxd/webapps/zimbraAdmin/

Deploy YARA rules to detect malicious activity.

Threat Landscape

Without strong cyber hygiene principles such as MFA, an attacker that exploits these vulnerabilities would have multiple options to attack the network and maintain a level of persistence. Therefore, while these vulnerabilities are concerning, they require a lack of security to be used effectively.

Unpatched ZCS systems in both private and government sectors present a desirable target for threat actors due to the CVEs ability to extract key sensitive data, such as email account credentials.

Mitre Methodologies

T1210 – Exploitation of Remote Services

T1557 – Adversary-in-the-Middle

T1554 – Compromise Client Software Binary

Further Information

CISA notification
Zimbra Security Advisory
News article release for mass exploitation
Threat intel Twitter post by user 1ZRR4H