Are your Customers a victim of the Zimbra Exploit?

Posted on
(Last Updated On: August 15, 2022)

We have an active Zimbra exploit, in the wild, with espionage and “others” trying to get into +22: vulnerable systems. Everyone using Zimbra Collaboration (ZCS) who has not recently patched is at risk. Volexity Threat Research responsibly disclosed this risk on August 10th, 2022. Zero-Day exploitation was active on the disclosure day. Shadowserver is tracking +22K exposed systems as of 2022-08-13. You can get a list of exposed Zimbra servers on your network with Shadowserver’s The Vulnerable HTTP Report.

Shadowserver’s 2022-08-13 report on CVE-2022-37042

The two Zimbra Exploits are critical with high CVSS scores. They were Initially “exploited by espionage-oriented threat actors, but was later picked up by other threat actors and used in mass-exploitation attempts” (from Voloxity’s report).

  • CVE-2022-27925 (CVSS score: 7.2) – Zimbra Collaboration (ZCS) Arbitrary File Upload Vulnerability: Zimbra Collaboration (ZCS) contains flaw in the mboximport functionality, allowing an authenticated attacker to upload arbitrary files to perform remote code execution. This vulnerability was chained with CVE-2022-37042, which allows for unauthenticated remote code execution.
  • CVE-2022-37042 – Zimbra Collaboration (ZCS) Authentication Bypass Vulnerability: Zimbra Collaboration (ZCS) contains an authentication bypass vulnerability in MailboxImportServlet. This vulnerability was chained with CVE-2022-27925, which allows for unauthenticated remote code execution.

US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2022-37042 and CVE-2022-27925 to its Known Exploited Vulnerabilities Catalog on Thursday and instructed government agencies to install patches by September 1.

Another Zero-Day – What do You Do?

Internet Service Providers (ISPs) and Cloud Providers are in the position to alert their customers using Zimbra Collaboration (ZCS) before they are exploited.

EXPLOITED SERVICES INSIDE YOUR NETWORK INCREASE THE RISK TO YOUR NETWORK AND OTHER CUSTOMERS!

Shadowserver’s Daily Network Reports are free to ISPs, CSPs, Cloud Providers, and any organizations with ASNs, IPs, and Domains. The Vulnerable HTTP Report explicitly details Zimbra Communication Suite. Just search for “cve-2022-37042.”

You then get a list of customers who need to upgrade their software rapidly. Zimbra has everything ready for download at their Zimbra Security Advisories page.

Shadowserver’s Daily Report pulls data from a wide range of services providing a comprehensive Attack Surface Risk Report.

The Zimbra Exploit is yet another exploit to be expected. What is helpful is to have systems in place to alert you when there is an issue and help you with your customers who might be vulnerable (i.e. ISPs and Cloud Operators). Shadowserver’s Vulnerability Notifications are one of the key features of Shadowserver’s Daily Network Reports. The industry works with Shadowserver to get the word out to the thousands of networks supported by the Daily Network Reports.

Don’t miss out and put your network at risk. Take the time to subscribe to the reports and use them to find vulnerable systems on your network, reduce the risk to your network, and invest in the Internet’s “public health.”

How Bad is it?

Volexity identified over 1,000 Zimbra Exploited instances worldwide that were already backdoored and compromised by their disclosure on August 10th. This was just the start. As shown via the Shadowserver data, 26,854 out of 33,733 (79.6%) instances exposed on the Internet on 2022-08-13 were likely vulnerable & may be compromised. ~28K is much higher than the ~1000 Volexity found. We’re in a race to get systems patched!

Geographic distribution of compromised Zimbra servers (by geolocation of IP)

Note: Volexity has done a great job with the Zimbra Exploit vulnerability disclosure. They worked with Zimbra, updated national CERT Teams, and communicating with the industry. It is not time to find the vulnerable systems, notify and help patch.

The following are key references, the CVE details, and Zimbra’s Security Advisory Page.

  • Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925, AUGUST 10, 2022 by Volexity Threat Research.
  • CVE-2022-27925 (CVSS score: 7.2) – Zimbra Collaboration (ZCS) Arbitrary File Upload Vulnerability: Zimbra Collaboration (ZCS) contains flaws in the mboximport functionality, allowing an authenticated attacker to upload arbitrary files to perform remote code execution. This vulnerability was chained with CVE-2022-37042, which allows for unauthenticated remote code execution.
  • CVE-2022-37042 – Zimbra Collaboration (ZCS) Authentication Bypass Vulnerability: Zimbra Collaboration (ZCS) contains an authentication bypass vulnerability in MailboxImportServlet. This vulnerability was chained with CVE-2022-27925, which allows for unauthenticated remote code execution.
  • Zimbra Security Advisories – Security Vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, please be sure to update your Zimbra Collaboration servers with the software available on our Download page.
  • US CISA’s KNOWN EXPLOITED VULNERABILITIES CATALOG For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild: the Known Exploited Vulnerability (KEV) catalog. CISA strongly recommends all organizations review and monitor the KEV catalog and prioritize remediation of the listed vulnerabilities to reduce the likelihood of compromise by known threat actors.
  • Recorded Future: CISA orders civilian agencies to patch Zimbra bug after mass exploitation by Jonathan Greig August 12, 2022

Are you looking for more practical, low-cost security Advice?

The materials and guides posted on www.senki.org here are designed to help organizations leverage the talent around them to get started with their security activities. Start with the Operator’s Security Toolkit and Meaningful Security Conversations with your Vendors. Each is no-nonsense security for all Operators. It provides details to help them build more security resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights.