At Sonar, we are studying real-world vulnerabilities to improve our code analyzers, and to help the open-source community to secure their projects. To uncover and understand complex vulnerabilities in high-profile applications, our researchers need to take the perspective of real-world attackers. By sharing our findings from this perspective, we also aim to provide useful insights and learnings to the community.

Zimbra is an enterprise-ready email solution used by over 200,000 businesses, government and financial institutions. Zimbra instances recently became a target of a 0-day attack campaign, likely conducted by a state actor who targeted European government and media instances. The fact that a 0-day vulnerability was used to steal emails from individual user accounts shows how valuable a compromised email account is to an attacker and how disastrous the impact of such vulnerabilities is on an organization. Classified documents could be stolen, passwords reset, and members of an organization impersonated to compromise more accounts.

In this blog post, we present how our research team approached Zimbra by taking on the perspective of an APT group. As a result, we discovered a 0-day vulnerability in the unrar utility, a third-party tool used in Zimbra. The vulnerability ultimately allows a remote attacker to execute arbitrary code on a vulnerable Zimbra instance without requiring any prior authentication or knowledge about it.

In this section we go into detail about which versions of unrar are affected. Although this blog post focuses on Zimbra to demonstrate the impact of this bug, any software relying on an unpatched version of unrar to extract untrusted archives is affected. We identified a File Write vulnerability (CVE-2022-30333) in the unrar binary developed by RarLab, the same company that develops WinRAR.

An attacker is able to create files outside of the target extraction directory when an application or victim user extracts an untrusted archive. If they can write to a known location, they are likely to be able to leverage it in a way leading to the execution of arbitrary commands on the system.

In the case of Zimbra, successful exploitation gives an attacker access to every single email sent and received on a compromised email server. They can silently backdoor login functionalities and steal the credentials of an organization's users. With this access, it is likely that they can escalate their access to even more sensitive, internal services of an organization.

The only requirement for this attack is that unrar is installed on the server, which is expected as it is required for RAR archive virus-scanning and spam-checking. The official security patch by RarLab is contained in the UnRar source code version 6.1.7 and is included with the binaries of version 6.12. Only the Unix binaries (excluding Android) are affected by this vulnerability. The vulnerable and patched version can differ depending on the Linux distribution you use and from which repository the binaries were downloaded. If you want to make sure that you use a version that includes the security patch, we recommend downloading it directly from RarLab's website.

There are multiple, popular implementations of unrar. Only the implementations relying on RarLab's code are affected. Zimbra is not at fault for this unrar vulnerability, but its exploitation is only possible due to the broad permissions associated with the impacted service. For instance, an unauthenticated attacker can write a JSP shell into the web directory, even though that directory belongs to an unrelated service.

A Zimbra instance is affected if unrar is installed, which is expected as it is required for spam checking and virus scanning of RAR archives. Due to the way unrar is invoked, it is also expected that RarLab's implementation is installed, which is the vulnerable one. In the following sections, we go into detail about the attack surface we audited prior to the discovery of the unrar bug, its root cause, and how an unauthenticated attacker could exploit it to gain code execution on the Zimbra instance.

Background - Spam checking and the file format problem

As Zimbra is an all-in-one solution, it comes with pre-configured software for sending and receiving emails. It also tries to detect spam and scan for viruses when an email is received. The following graphic shows some of the software involved when a Zimbra instance receives an email:

Incoming emails are processed by Postfix via SMTP (1). Postfix then passes the email to Amavisd (2). Amavis parses the incoming email, recursively extracts attachments such as ZIP and RAR files, and then sends all files to the spam checker SpamAssassin and the anti-virus ClamAV (3).
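The vulnerability class this post is about is a file write outside of the target extraction directory, and the pipeline above shows where it bites: Amavis extracts attachments from untrusted mail before scanning them. The following is an added example, not code from the post and not unrar's or Zimbra's own logic. It is a generic containment check that any application extracting untrusted archives can apply to each entry before writing it: the entry name is normalized, absolute names are rejected, and the resolved destination (after `..` components, backslash separators and any symlinked parent directory already present on disk) must remain inside the extraction root. The function names `is_contained` and `demo`, the symlinked subdirectory and the entry names are all constructed for this example.

```python
import os
import tempfile


def is_contained(dest_dir: str, entry_name: str) -> bool:
    """Return True only if extracting `entry_name` under `dest_dir` would
    create a file inside `dest_dir`.

    Generic containment check written for illustration (hypothetical helper,
    not unrar's code). It resolves `..`, absolute names, Windows-style
    separators and symlinked parent directories before deciding.
    """
    root = os.path.realpath(dest_dir)
    # Archives produced on Windows may carry backslash separators; treat them
    # as separators so "..\\x" cannot bypass a forward-slash-only check.
    normalized = entry_name.replace("\\", "/")
    # An absolute entry name would make os.path.join discard dest_dir entirely.
    if normalized.startswith("/"):
        return False
    candidate = os.path.join(root, normalized)
    # realpath collapses ".." and follows symlinks that already exist on disk,
    # so a subdirectory that is really a link to another location is caught.
    resolved = os.path.realpath(candidate)
    return resolved == root or resolved.startswith(root + os.sep)


def demo() -> dict:
    """Build a scratch extraction directory containing a symlinked
    subdirectory (constructed for this example) and evaluate a set of
    constructed entry names against it."""
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as dest:
        # "link" inside the extraction root points to a directory outside it.
        os.symlink(outside, os.path.join(dest, "link"))
        entries = [
            "docs/report.txt",          # ordinary relative entry: allowed
            "docs/../report.txt",       # ".." that stays inside root: allowed
            "../../../tmp/payload.jsp",  # climbs out of the root: rejected
            "..\\..\\payload.jsp",      # same trick with backslashes: rejected
            "/tmp/payload.jsp",         # absolute name: rejected
            "link/payload.jsp",         # lands outside via the symlink: rejected
        ]
        return {entry: is_contained(dest, entry) for entry in entries}


if __name__ == "__main__":
    for entry, ok in demo().items():
        print(f"{'allow' if ok else 'REJECT':7} {entry}")
```

The check must be evaluated against the directory state at the moment each entry is written, not once up front: an archive can first create a symlink and then ship an entry that passes through it, which is why `is_contained` resolves the candidate path with `os.path.realpath` on every call rather than only sanitizing the name string.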