Zimbra Collaboration Suite TAR Remote Code Execution


Zimbra Collaboration Suite (ZCS) is a collection of tools which include an email server, a chat server, a file sharing server, a shared calendar, and an email client. The application’s web mail client and admin console can be accessed through HTTP. Amavisd runs as a daemon process and listens on TCP port 10024 for incoming SMTP connections. GNU cpio is a tool for creating and extracting archives, or copying files from one place to another. It handles many cpio formats and reading and writing TAR files.

Zimbra TAR Remote Code Execution | CVE-2022-41352
An issue was discovered in ZCS 8.8.15 and 9.0. An attacker can upload arbitrary files through amavisd via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. This vulnerability tracked as CVE-2022-41352 (CVSS score 9.8) is a remote code execution flaw that allows attackers to send an email with malicious archive attachment. This attachment bypasses antivirus checks and plants a web shell in the ZCS server.
The root cause of the vulnerability is using the ‘cpio’ file archiving utility to extract archives when Amavisd scans a file for viruses. The cpio component has a flaw that allows an attacker to create archives that can be extracted anywhere on a filesystem accessible to Zimbra.
When an email is sent to a Zimbra server, the Amavis security system will extract the archive to perform a virus scan of its contents. However, if it extracts a specially crafted .cpio, .tar, or .rpm archive, the contents could be extracted to the Zimbra webroot.

In the following exploit the attacker sends an email with subject line ‘News’  that contains malicious attachments news.jpg and news.jpeg

Both the attachments are specially crafted .tar files but are named  .jpg and .jpeg


These contain a javascript ResourceVerificaton.jsp file that could deploy web shells to the Zimbra root, effectively giving an attacker shell access to the server.


SonicWall Capture Labs provides protection against this threat via following signatures:

  • ASPY 374: Malformed-File tar.OT_1
  • ASPY 379: Malformed-File tar.OT_2
  • GAV CVE-2022-41352.A
  • GAV CVE-2022-41352.A_1

Zimbra has patched this vulnerability.


Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.