Security News > 2022 > August > If you haven't patched Zimbra holes by now, assume you're toast

If you haven't patched Zimbra holes by now, assume you're toast
2022-08-23 00:32

In a security alert updated on Monday, the US government's Cybersecurity and Infrastructure Security Agency and the Multi-State Information Sharing and Analysis Center warned that cybercriminals are actively exploiting five vulnerabilities in the Zimbra Collaboration Suite to break into both government and private-sector networks.

Zimbra is an email and collaboration platform that claims to power "Hundreds of millions of mailboxes in 140 countries."

The five CVE-listed bugs being exploited include CVE-2022-27924, which Zimbra patched in May and received a 7.5 out of 10 CVSS score.

To fix this issue, Zimbra made configuration changes to use the 7zip program instead of UnRAR. We're told that a miscreant is selling an exploit kit for CVE-2022-30333, and there's also a Metasploit module that creates a RAR file, which then can be emailed to a Zimbra server to exploit this flaw.

The fifth known Zimbra vulnerability under active exploit, CVE-2022-24682, is a medium severity cross-site scripting bug that allows crooks to steal session cookie files.

Volexity discovered this one, too, and Zimbra patched it in February.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/08/23/cisa_zimbra_signatures/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-05-09 CVE-2022-30333 Path Traversal vulnerability in multiple products
RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file.
network
low complexity
rarlab debian CWE-22
7.5
2022-04-21 CVE-2022-27924 Injection vulnerability in Zimbra Collaboration 8.8.15/9.0.0
Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance.
network
low complexity
zimbra CWE-74
7.5
2022-02-09 CVE-2022-24682 Improper Encoding or Escaping of Output vulnerability in Zimbra Collaboration
An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021.
network
low complexity
zimbra CWE-116
6.1

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Zimbra 7 0 39 16 8 63