CVE-2022-41352 Zimbra Collaboration (ZCS) Vulnerability

CVE: CVE-2022-41352

Vendor: Zimbra

Software: Collaboration (ZCS)

Date Last Updated: 10/24/2022

CVSS Score: 9.8

CVSS Severity: Critical

EPSS Probability: 0.14903

EPSS Percentile: 95.739

CISA KEV Date Added: 10/24/2022

CISA KEV Due Date: 11/10/2022

Nucleus Security Research Team Analysis

Security Researcher: Ryan Cribelar
Last Updated: October 24th, 2022

First disclosed on the Zimbra forums on September 25, CVE-2022-41352 was deemed a zero-day affecting up to 876 Zimbra servers during a wave of mass exploitation. The vulnerability exists due to the mechanism in which Amavis (Zimbra’s antivirus engine) scans inbound emails and their attachments, with the addition of an outdated cpio package. An official security advisory has been published and linked below, as well as an update from Zimbra with a warning to install the package pax as this is what Amavis uses to extract contents of compressed attachments.

Zimbra points out that this package should be installed as a dependency of Zimbra, however some CentOS installations may be missing the package. Moving forward, this package will now be a requirement for Zimbra installations to allow from Amavis to behave properly when assessing attachments. An update to 9.0.0 P27 will resolve this and several other vulnerabilities

Security Advisory: