THREAT SEVERITY: HIGH

Critical Remote Code Execution Vulnerability Discovered in Zimbra’s Cpio Utility

Moon Treader
|
January 5, 2022

CVE-2022-41352 Zimbra Remote Code Execution – Executive Summary

A remote code execution vulnerability has been found in the way Zimbra uses cpio, a third-party archive utility that Zimbra's mail pipeline invokes to unpack archived email attachments. The flaw allows a remote attacker to execute arbitrary code on a vulnerable Zimbra instance without any prior authentication. It has been assigned the identifier CVE-2022-41352 and is rated critical, with a CVSS base score of 9.8. The vulnerability has been exploited in the wild since early September 2022.

CVE-2022-41352 Zimbra Remote Code Execution via Arbitrary Directory Traversal

Zimbra is a popular collaboration suite that ships with its own mail transfer agent. Inbound mail is handed to Amavis, the content-filter component that passes messages to Zimbra's anti-spam and anti-virus scanners; before scanning, Amavis unpacks archive attachments such as “.tar” files with the cpio utility. The cpio version used by Zimbra 8.8.15 and 9.0 does not stop an archive from placing files at arbitrary locations on the filesystem. A crafted “.tar” archive first contains a symbolic link entry whose target is a directory of the attacker's choosing, followed by a regular file entry whose path passes through that link. cpio creates the link and then writes the file through it, so the file lands in the link's target directory instead of inside the extraction directory.

An example is a “.tar” file with the following two entries, as listed by tar:

    $ tar tvf ZimbraPayload.tar
    startup -> /opt/zimbra/jetty_base/webapps/zimbra/public/jsp
    startup/WebShell.jsp

When cpio extracts this archive it first creates the symbolic link “startup”, pointing to “/opt/zimbra/jetty_base/webapps/zimbra/public/jsp”, and then writes WebShell.jsp through that link, so the JSP file ends up inside Zimbra's web application directory rather than in the temporary extraction directory. The attacker picks a link target that is served by Zimbra's webmail component, and the resulting JSP webshell gives complete control of the Zimbra server: any command sent to the webshell runs with the privileges of the Zimbra web process. This vulnerability was actively exploited in 2022*, and APT groups leveraged it to install malware on affected servers. Synacor, the developers of Zimbra, have released patches to address this vulnerability; the advised mitigation was to install the pax utility, which Amavis uses in preference to cpio for unpacking attachments when it is present.
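The archive described above can be reproduced and screened without touching a Zimbra host. The following Python script is an added example, not code from the original post or from Zimbra: it builds the two-entry archive in memory with a harmless placeholder in place of a webshell, and audits any tar archive for the pattern that makes this attack work, namely a file entry whose path passes through a symbolic link defined earlier in the same archive, or a path or link target that points outside the extraction directory. The function names, the placeholder file body and the benign comparison archive are the example's own constructions.

```python
import io
import posixpath
import tarfile

# Link target taken from the crafted ZimbraPayload.tar listing above.
LINK_TARGET = "/opt/zimbra/jetty_base/webapps/zimbra/public/jsp"


def build_payload() -> bytes:
    """Build the two-entry archive in memory (constructed example data).

    Entry 1: symlink 'startup' -> LINK_TARGET
    Entry 2: regular file 'startup/WebShell.jsp' (placeholder body, not a webshell)
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("startup")
        link.type = tarfile.SYMTYPE
        link.linkname = LINK_TARGET
        tar.addfile(link)

        body = b"<%-- placeholder content for the example --%>\n"
        member = tarfile.TarInfo("startup/WebShell.jsp")
        member.size = len(body)
        tar.addfile(member, io.BytesIO(body))
    return buf.getvalue()


def build_benign() -> bytes:
    """A normal archive with a nested file and no symlink (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        body = b"hello\n"
        member = tarfile.TarInfo("startup/readme.txt")
        member.size = len(body)
        tar.addfile(member, io.BytesIO(body))
    return buf.getvalue()


def escapes_extraction_dir(path: str) -> bool:
    """True if a POSIX path is absolute or climbs above the extraction root."""
    norm = posixpath.normpath(path)
    return posixpath.isabs(norm) or norm == ".." or norm.startswith("../")


def audit_archive(data: bytes) -> list[str]:
    """Return one finding per entry that could land outside the extraction dir.

    Entries are walked in archive order because that is the order an extractor
    processes them: a symlink only affects the entries that come after it.
    """
    findings = []
    symlinks = {}  # normalized name of a link entry -> its target
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for m in tar:
            name = posixpath.normpath(m.name)
            if escapes_extraction_dir(name):
                findings.append(f"{m.name}: path escapes the extraction directory")
            # If any parent component is an earlier symlink entry, the extractor
            # will follow that link when it creates this entry.
            parts = name.split("/")
            for i in range(1, len(parts)):
                prefix = "/".join(parts[:i])
                if prefix in symlinks:
                    findings.append(
                        f"{m.name}: written through symlink {prefix} -> {symlinks[prefix]}"
                    )
                    break
            if m.issym():
                symlinks[name] = m.linkname
                if escapes_extraction_dir(m.linkname):
                    findings.append(
                        f"{m.name}: symlink target {m.linkname} is outside the extraction directory"
                    )
    return findings


if __name__ == "__main__":
    for label, blob in (("crafted", build_payload()), ("benign", build_benign())):
        print(f"{label}: {audit_archive(blob) or 'no findings'}")
```

Running the script reports two findings for the crafted archive (the absolute link target, and the file written through the link) and none for the benign one. The same walk can be applied to attachments captured off the wire before the mail pipeline unpacks them. Note that the second check flags writes through any archive-defined symlink, even one whose target stays inside the extraction directory, because there is no legitimate reason for an attachment to do that; on Python 3.12 and later, `tarfile.extractall(..., filter="data")` likewise rejects absolute paths and links that resolve outside the destination.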

Vehere Network Detection and Response: Protection Against Threats Past and Present

Vehere’s research wing, Moon Treader, actively researches new vulnerabilities and malware outbreaks in order to improve the detection efficacy of its NDR solution. Vehere NDR’s Rule Engine is constantly updated to detect threats like the one discussed in this blog.

In addition to a comprehensive Rule Set that guides the Rule Engine in detecting attacks and behavior anomalies, the NDR’s ML engines are trained to detect behavioral anomalies in customer networks. This, combined with a comprehensive set of NDR enhancements to detect lateral movement activity in a network, enables customers to get a holistic view of any violation of their computing assets and deter the progress of the attack.

* https://securityaffairs.co/137164/apt/zimbra-cve-2022-41352-exploitation.html
