Zimbra Collaboration RCE Vulnerability


Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  Zimbra Collaboration is a suite of collaboration tools that includes an email server, a chat server, a file sharing server, a shared calendar, and an email client. The application’s web mail client and the admin console are accessed over HTTP.

  A directory traversal vulnerability has been reported in Zimbra Collaboration. The vulnerability is due to improper validation of zip files uploaded to the mboximport endpoint.

  A remote, unauthenticated attacker could exploit this vulnerability by uploading a crafted zip file to the target server. Successful exploitation could result in the attacker writing files outside of the expected document root, in the worst case, leading to arbitrary code execution under the security context of the server process.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-27925.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.3 (E:F/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is functional.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  This vulnerability is due to improper validation of zip files uploaded to the mboximport endpoint. POST requests to the mboximport endpoint are processed by the target server via the doPost() method of MailboxImportServlet. This method looks up the provided account name and checks whether it already has a mailbox associated with it. If all checks pass, the importFrom() method is called, which creates a ZipBackupTarget object from the ZIP file provided in the POST body. The restore() method of this object is then called, which eventually calls unzipToTempFiles() to extract the ZIP file’s contents. This method iterates over the files contained in the ZIP file by calling getNextEntry() of java.util.zip.ZipInputStream. For each entry, a java.io.File object is created from a temporary directory and the file name taken from the ZIP entry. However, no validation is performed on that file name, so an entry name containing directory traversal sequences resolves to a path outside the temporary directory, and the file is created there.

  A remote, unauthenticated attacker could exploit this vulnerability by uploading a crafted zip file to the target server. Successful exploitation could result in the attacker writing files outside of the expected document root, in the worst case, leading to arbitrary code execution under the security context of the server process.
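  The following is an added example, not code from Zimbra or from this advisory, showing the class of check that the unzipToTempFiles() path described above lacks: every ZIP entry name is resolved against the extraction root and canonicalised before any file is created, and an entry whose canonical path falls outside the root is rejected. The class and method names (SafeUnzip, resolveSafely, unzipToDir, buildZip) are assumptions for the example; the archive in main() is constructed test input. InputStream.transferTo() requires Java 9 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

// Added example (hypothetical class name): ZIP extraction that refuses entries escaping the target directory.
public class SafeUnzip {

    /** Thrown when a ZIP entry would be written outside the extraction root. */
    static class ZipSlipException extends IOException {
        ZipSlipException(String msg) { super(msg); }
    }

    /**
     * Resolve an entry name against the extraction root and verify that the
     * canonical result is still inside that root. getCanonicalFile() collapses
     * ".." and "." components, duplicate separators and symlinks, so the
     * comparison is made on the path that would actually be written to.
     */
    static File resolveSafely(File root, String entryName) throws IOException {
        File rootCanon = root.getCanonicalFile();
        File target = new File(rootCanon, entryName).getCanonicalFile();
        // Compare with a trailing separator so a sibling such as "/tmp/root-evil"
        // does not pass the check for root "/tmp/root".
        String prefix = rootCanon.getPath() + File.separator;
        if (!target.getPath().startsWith(prefix)) {
            throw new ZipSlipException("entry escapes extraction root: " + entryName);
        }
        return target;
    }

    /** Extract every entry of the stream into root; returns the number of files written. */
    static int unzipToDir(InputStream in, File root) throws IOException {
        int written = 0;
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                // The check happens before any directory or file is created for this entry.
                File target = resolveSafely(root, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target.toPath());
                } else {
                    Files.createDirectories(target.getParentFile().toPath());
                    try (OutputStream out = new FileOutputStream(target)) {
                        zis.transferTo(out);
                    }
                    written++;
                }
                zis.closeEntry();
            }
        }
        return written;
    }

    /** Build a small in-memory archive with the given entry names (constructed test input). */
    static byte[] buildZip(String... names) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            for (String name : names) {
                zos.putNextEntry(new ZipEntry(name));
                zos.write("x".getBytes(StandardCharsets.US_ASCII));
                zos.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        File root = Files.createTempDirectory("safe-unzip").toFile();

        // Benign archive: nested entry names stay under the root and are written.
        int n = unzipToDir(new ByteArrayInputStream(buildZip("a/b.txt", "c.txt")), root);
        System.out.println("benign archive wrote " + n + " files under " + root);

        // Archive whose entry name contains a traversal sequence: rejected before that entry is written.
        try {
            unzipToDir(new ByteArrayInputStream(buildZip("../escaped.txt")), root);
            System.out.println("BUG: traversal entry was accepted");
        } catch (ZipSlipException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

  Because ZipInputStream is read sequentially, entries that precede a rejected one have already been written by the time the exception is thrown; a caller that needs all-or-nothing behaviour should extract into a fresh temporary directory and delete it on failure, as the restore path in the advisory already works from a temporary directory.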

Triggering the Problem:

  • The target host is running a vulnerable version of the product.
  • The attacker has network connectivity to the target host.

Triggering Conditions:

  The attacker sends a malicious request to the mboximport endpoint on the target server containing a crafted ZIP file in the POST body. The vulnerability is triggered when the affected program processes the malicious request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTPS

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 3214 Zimbra Collaboration mboximport Directory Traversal 2

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor supplied patch resolving the vulnerability.
    • Detecting and filtering malicious traffic using the signature above.
  The vendor has released the following advisories regarding this vulnerability:
  Vendor Advisory 1
  Vendor Advisory 2
