About 1000 Zimbra Servers affected by Authentication Bypass Flaw


A high-severity authentication bypass vulnerability in the Zimbra Collaboration Suite (ZCS) put email security at risk. According to researchers, over a thousand email servers were compromised through attacks on the flaw.

Many companies utilize Zimbra as an email and collaboration tool, including governmental and financial institutions. Today, 140 nations and more than 200,000 enterprises use Zimbra’s email and collaboration platform. There are more than 1,000 businesses in the public and private sectors among them.

Vulnerability Overview

Researchers reported that attackers have been actively exploiting CVE-2022-27925 in Zimbra Collaboration Suite (ZCS), a vulnerability with a CVSS base score of 7.2. It is a remote code execution vulnerability that requires authentication, a requirement that can be bypassed when CVE-2022-37042 is exploited.

The vulnerability lies in the mboximport feature of ZCS versions 8.8.15 and 9.0. It allows arbitrary files to be uploaded, which may lead to remote code execution.

CVE-2022-37042 is an authentication bypass in the ZCS MailboxImportServlet. Chained with CVE-2022-27925, it removes the need for legitimate administrator credentials when accessing mboximport, giving an attacker unauthenticated remote code execution.

Impact

After successfully exploiting this vulnerability, attackers can place web shells in certain locations on the server and so gain persistent access to the compromised Zimbra email servers.
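Because mboximport is an administrative function, a defender's first question is usually whether anyone other than a known admin host has been sending it upload requests. The script below is an added example, not code from the article or from Zimbra: it parses constructed combined-format proxy log lines and flags POST requests to the mboximport servlet from untrusted sources. The servlet URL path and the log layout are assumptions (the page names the feature and the servlet, not their path), and all addresses and log lines are constructed.

```python
import re
from collections import Counter

# URL path through which the mboximport feature is reached. The article names the
# feature and MailboxImportServlet but not the path, so this value is an assumption.
MBOXIMPORT_PATH = "/service/extension/backup/mboximport"

# Combined log format as written by a reverse proxy in front of Zimbra (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log lines (not from any real server); addresses come from
# the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Aug/2022:09:12:01 +0000] "GET /service/soap HTTP/1.1" 200 512
203.0.113.10 - - [10/Aug/2022:09:13:44 +0000] "POST /service/extension/backup/mboximport?foo=bar HTTP/1.1" 401 0
192.0.2.5 - - [10/Aug/2022:09:14:02 +0000] "POST /service/extension/backup/mboximport HTTP/1.1" 200 0
203.0.113.10 - - [10/Aug/2022:09:15:09 +0000] "POST /Service/Extension/Backup/MboxImport HTTP/1.1" 401 0
198.51.100.7 - - [10/Aug/2022:09:16:30 +0000] "GET /mail HTTP/1.1" 200 8192
garbage line that does not parse
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string and normalise case so a differently-cased path is not missed.
    rec["path"] = rec["uri"].split("?", 1)[0].lower()
    return rec


def find_mboximport_requests(lines, trusted_sources=frozenset()):
    """Return POST requests to the mboximport servlet from untrusted client addresses.

    A legitimate mailbox import is an administrative action, so requests from
    anywhere other than known admin hosts deserve review regardless of status code:
    a rejected request still shows that someone was probing the servlet.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as hits
        if rec["method"] != "POST" or MBOXIMPORT_PATH not in rec["path"]:
            continue
        if rec["ip"] in trusted_sources:
            continue
        hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Count flagged requests per client address."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    flagged = find_mboximport_requests(SAMPLE_LOG.splitlines(), trusted_sources={"192.0.2.5"})
    for ip, n in summarize_by_source(flagged).most_common():
        print(f"{ip}: {n} mboximport POST(s) from an untrusted source")
```

On a real deployment the input would be the proxy access log rather than the embedded sample, and `trusted_sources` would hold the addresses administrators actually import mailboxes from; any remaining hits are candidates for the artifact collection described under Incident Response.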

Are There Any Patches Available to Address this Security Flaw?

Zimbra has released fixes for CVE-2022-37042 and CVE-2022-27925. If you run a version older than Zimbra 8.8.15 patch 33 or Zimbra 9.0.0 patch 26, it is highly recommended to apply the most recent fixes.
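A quick way to act on the patch levels above is to compare an installed server against them. The following is an added example, not code from the article or from Zimbra: it reads the release and patch level from `zmcontrol -v` style output and reports whether the install is at or above the fixed patch level named on the page. The exact shape of the `zmcontrol -v` output is assumed, and the sample strings are constructed.

```python
import re

# Patch levels the article states as carrying the fixes for the two CVEs.
FIXED_PATCH_LEVEL = {"8.8.15": 33, "9.0.0": 26}

# Assumed shape of `zmcontrol -v` output:
#   "Release <version>_GA_<build>.<platform> ... edition, Patch <version>_P<n>."
# Only the version triplet and the trailing patch number are relied on.
RELEASE_RE = re.compile(r"Release\s+(?P<version>\d+(?:\.\d+)+)")
PATCH_RE = re.compile(r"Patch\s+\S*?_P(?P<level>\d+)")

# Constructed sample outputs (not captured from real servers).
SAMPLE_UNPATCHED = (
    "Release 8.8.15_GA_4372.RHEL8_64_20220609151227 RHEL8_64 FOSS edition, Patch 8.8.15_P32."
)
SAMPLE_PATCHED = (
    "Release 9.0.0_GA_3924.UBUNTU18.64 UBUNTU18_64 FOSS edition, Patch 9.0.0_P26."
)
SAMPLE_NO_PATCH = "Release 8.8.15_GA_3869.RHEL7_64_20190917004220 RHEL7_64 FOSS edition."


def parse_zmcontrol_version(output):
    """Return (version, patch_level); patch_level is 0 when no Patch token is present."""
    m = RELEASE_RE.search(output)
    if not m:
        raise ValueError("no Release line found in zmcontrol output")
    p = PATCH_RE.search(output)
    level = int(p.group("level")) if p else 0
    return m.group("version"), level


def assess(output):
    """Compare the installed patch level with the fixed level for that release line.

    'patched' is True/False for the release lines the article covers and None for
    any other release, which the page gives no patch level for.
    """
    version, level = parse_zmcontrol_version(output)
    required = FIXED_PATCH_LEVEL.get(version)
    patched = None if required is None else level >= required
    return {"version": version, "patch": level, "required": required, "patched": patched}


if __name__ == "__main__":
    for sample in (SAMPLE_UNPATCHED, SAMPLE_PATCHED, SAMPLE_NO_PATCH):
        r = assess(sample)
        state = {True: "at or above fixed level", False: "BELOW fixed level", None: "unknown release"}[r["patched"]]
        print(f"{r['version']} patch {r['patch']} (fixed at {r['required']}): {state}")
```

On a live server the input would be the actual output of `zmcontrol -v` run as the zimbra user; an install that reports a release line the table does not know should be checked against the Zimbra advisories by hand rather than assumed safe.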

Mitigations

Organizations are advised to upgrade to the most recent ZCS releases, as stated on Zimbra Security – News & Alerts and Zimbra Security Advisories.

To reduce the risk of compromise, CISA and the MS-ISAC also advise enterprises to implement the following best practices:

  • Maintain an incident response plan and test it.
  • Make sure your company has a vulnerability management program in place, and that it gives patch management and vulnerability scanning for known exploited vulnerabilities top priority.
  • Properly configure and secure network devices that connect to the internet.
  • Avoid making administrative interfaces accessible over the internet.
  • Disable network protocols and ports that are not in use.
  • Remove or disable unused network devices and services.
  • Adopt zero-trust architecture and principles, such as micro-segmenting networks and functions to prevent or restrict lateral movement.
  • Enforce phishing-resistant MFA for all users and VPN connections.
  • Limit network access to trusted devices and users.

Incident Response

If a system in an organization’s environment has been compromised by active or recently active threat actors, CISA and the MS-ISAC advise taking the following initial steps:

  • Gather and examine artifacts, such as running programs or services, unusual logins, and recent network connections.
  • Quarantine potentially affected hosts or take them offline.
  • Reimage the affected hosts.
  • Provision new account credentials.
  • Report the compromise to your internal IT team or SOC.