High, medium severity vulnerabilities impacting Zimbra Collaboration Suite

Threat actors are actively exploiting multiple Common Vulnerabilities and Exposures (CVEs) against enterprise cloud-hosted collaboration software and email platform Zimbra Collaboration Suite (ZCS), according to an advisory update jointly issued by the US Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC). The latest update lists CVEs currently being exploited based on a new Malware Analysis Report, MAR-10398871.r1.v2 and warns that threat actors may be targeting unpatched ZCS instances in both government and private sector networks.

Vulnerabilities can allow credential and session cookie file theft, arbitrary file uploads

The CVEs listed in the CSA include both high- and medium-severity vulnerabilities:

• CVE-2022-27924: A high-severity vulnerability enabling an unauthenticated malicious actor to inject arbitrary memcache commands into a targeted ZCS instance and cause an overwrite of arbitrary cached entries. An actor could then steal ZCS email account credentials in cleartext form without any user interaction.
• CVE-2022-27925 (chained with CVE-2022-37042): A high-severity vulnerability in ZCS releases 8.8.15 and 9.0 that have mboximport functionality to receive a ZIP archive and extract files from it. An authenticated user has the ability to upload arbitrary files to the system thereby leading to directory traversal.
• CVE-2022-30333: A high-severity directory traversal vulnerability in RARLAB UnRAR on Linux and UNIX allowing a malicious actor to write to files during an extract (unpack) operation. A malicious actor could exploit it against a ZCS server by sending an email with a malicious RAR file.
• CVE-2022-24682: A medium-severity vulnerability that impacts ZCS webmail clients running releases before 8.8.15 patch 30 (update 1), which contain a cross-site scripting (XSS) vulnerability allowing malicious actors to steal session cookie files.

In the new malware analysis report, the CSA stated that CISA received a benign 32-bit Windows executable file, a malicious dynamic-link library (DLL), and an encrypted file for analysis from an organization where cyber actors exploited the vulnerabilities above. “The executable file is designed to side-load the malicious DLL file,” it read. “The DLL is designed to load and Exclusive OR (XOR) decrypt the encrypted file. The decrypted file contains a Cobalt Strike Beacon binary. The Cobalt Strike Beacon is a malicious implant on a compromised system that calls back to the command and control (C2) server and checks for additional commands to execute on the compromised system.”

Organizations urged to assume compromise, hunt for malicious activity

CISA and the MS-ISAC urged users and administrators to apply mitigations to help secure their organization’s systems against malicious cyber activity. It also encouraged businesses who did not immediately update their ZCS instances upon patch release, or whose ZCS instances were exposed to the internet, to assume compromise and hunt for malicious activity.

The CSA recommends organizations upgrade to the latest ZCS releases as noted on Zimbra Security – News & Alerts and Zimbra Security Advisories. It also advised the following best practices to reduce the risk of compromise:

• Maintain and test an incident response plan.
• Ensure your organization has a vulnerability management program in place and that it prioritizes patch management and vulnerability scanning of known exploited vulnerabilities.
• Properly configure and secure internet-facing network devices to avoid exposing management interfaces to the internet, disable unused or unnecessary network ports and protocols, and disable/remove unused network services and devices.
• Adopt zero-trust principles and architecture, including micro-segmenting networks and functions, phishing-resistant multi-factor authentication (MFA) for all users and virtual private network (VPN) connections, and restriction of access to trusted devices and users on the networks.

Organizations that detect compromise/potential compromise should apply the following steps, the advisory continued:

• Collect and review artifacts, such as running processes/services, unusual authentications, and recent network connections.
• Quarantine or take offline potentially affected hosts.
• Reimage compromised hosts.
• Provision new account credentials.
• Report the compromise to CISA via CISA’s 24/7 Operations Center (report@cisa.gov). SLTT government entities can also report to the MS-ISAC (SOC@cisecurity.org).

Speaking to CSO, Omdia Senior Principal Analyst Fernando Montenegro says the updated guidance will help overloaded security teams prioritize certain patches over others. “Still, patching is a Sisyphean task, and it’s never as simple as it appears, particularly when talking about applications that may interrupt the flow of day-to-day business.” Organizations looking to secure against the threats must have visibility into the actual traffic that is reaching the applications, he adds. “Intrusion detection signatures are written based on the HTTP requests, so layer 7-type visibility is key. The tools alone are not sufficient, of course: we recommend that organizations have a broader threat detection, investigation, and response (TDIR) capability in place – either in-house or using partners – that can monitor things on a continuous basis and respond as needed.”