CVE-2022-37042: Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 contain a vulnerability in the mboximport ZIP handling that, when exploited without authentication, allows uploading arbitrary files and leads to directory traversal and remote code execution.


Description Preview

Zimbra Collaboration Suite (ZCS) versions 8.8.15 and 9.0 expose an mboximport feature that processes ZIP archives. An attacker who bypasses authentication (no authtoken) can upload arbitrary files to the server, enabling directory traversal and remote code execution. This issue stems from an incomplete fix for CVE-2022-27925. The vulnerability is critical due to its network scope, lack of required privileges, and potential impact on confidentiality, integrity, and availability.

Overview

ZCS 8.8.15 and 9.0’s mboximport ZIP extraction capability can be abused by unauthenticated attackers to place files onto the system, potentially executing code remotely. The flaw is a follow-on to an incomplete fix for CVE-2022-27925, amplifying risk by permitting path traversal and arbitrary file writes via crafted ZIP uploads. The CVSS indicates high severity with attacker-controlled file placement and code execution possible over the network.

Remediation

  • Upgrade to a patched Zimbra release that includes the complete fix for CVE-2022-37042; apply all available security updates from Zimbra advisories.
  • Enforce authentication for the mboximport ZIP upload path; restrict access to trusted users and networks, or disable the mboximport ZIP import feature if it is not required.
  • If upgrading is not feasible, implement mitigations: temporarily disable, remove, or harden the mboximport ZIP functionality; place strict access controls on the import endpoint; implement a web application firewall rule to block path traversal patterns in ZIP uploads (e.g., ../ sequences and absolute paths).
  • Implement input validation and sandboxed extraction: validate ZIP contents before extraction, sanitize file paths, extract ZIPs to a non-privileged, isolated directory with strict file permissions, and avoid writing files to sensitive system paths.
  • Enhance monitoring and detection: enable detailed logging around file uploads and ZIP extraction, review for unusual file names or paths, and monitor for known exploitation indicators; consider rotating credentials and reviewing access controls.
  • Verify that the fix for CVE-2022-27925 is fully applied and tested in your environment; conduct a targeted test to ensure path traversal and RCE no longer succeed.
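A pre-extraction validator of the kind the fourth bullet describes, written here as an added example in Python (it is not Zimbra's code; Zimbra's own mboximport handler is Java): it rejects any archive containing an entry whose name resolves outside the staging directory, and only then extracts the accepted archive into that directory with no execute bit. The staging path, the sample archives and their entry names are constructed for the demo.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path

DEST = Path(tempfile.gettempdir()) / "mboximport-staging"  # constructed demo path; use an isolated, unprivileged dir in production


def entry_is_safe(name: str, dest: Path) -> bool:
    """True only if the entry name resolves to a path inside dest (the containment check)."""
    if not name or os.path.isabs(name) or name.startswith(("/", "\\")):
        return False
    root = dest.resolve()
    target = (root / os.path.normpath(name)).resolve()  # collapses "Inbox/../Sent" and "../.."
    return target == root or root in target.parents


def validate_zip(data: bytes, dest: Path) -> list[str]:
    """Names of entries that would escape dest; an empty list means the archive is acceptable."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if not entry_is_safe(i.filename, dest)]


def safe_extract(data: bytes, dest: Path) -> list[Path]:
    """Refuse the whole archive if any entry escapes; otherwise write files under dest only."""
    bad = validate_zip(data, dest)
    if bad:
        raise ValueError(f"refusing archive, traversal entries: {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = dest / os.path.normpath(info.filename)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            target.chmod(0o600)  # imported mailbox content is data, never executable
            written.append(target)
    return written


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Constructed sample archive for the demo (not a captured upload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)  # writestr keeps the entry name verbatim, ".." included
    return buf.getvalue()

CLEAN = build_zip({"Inbox/msg-1.eml": b"Subject: hello\r\n\r\nhi"})
TRAVERSAL = build_zip({"../../outside.txt": b"x", "Inbox/msg-2.eml": b"y"})
```

Python's own `ZipFile.extractall` already strips traversal components, so the explicit `entry_is_safe` check is the point here: the same containment test belongs in any extractor that uses entry names as given, which is the class of defect this CVE describes.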

Industry Exposure (most to least)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing: Low
  2. Accommodation & Food Services: Low
  3. Administrative, Support, Waste Management & Remediation Services: Low
  4. Agriculture, Forestry, Fishing & Hunting: Low
  5. Arts, Entertainment & Recreation: Low
  6. Construction: Low
  7. Educational Services: Low
  8. Finance and Insurance: Low
  9. Health Care & Social Assistance: Low
  10. Information: Low
  11. Management of Companies & Enterprises: Low
  12. Mining: Low
  13. Other Services (except Public Administration): Low
  14. Professional, Scientific, & Technical Services: Low
  15. Public Administration: Low
  16. Real Estate Rental & Leasing: Low
  17. Retail Trade: Low
  18. Transportation & Warehousing: Low
  19. Utilities: Low
  20. Wholesale Trade: Low
