Attackers are actively exploiting zero-day vulnerability in Zimbra Collaboration Suite


Attackers are actively exploiting a zero-day vulnerability in Zimbra Collaboration Suite to take over mail servers. A security update is not yet available, but a workaround is. Zimbra is a collaboration software suite that includes a mail server and a webmail client. The software is said to be used by more than 200,000 organizations worldwide.

Zimbra mail servers are regularly the target of attacks; in August the US government issued a warning to keep the software up to date. Zimbra uses the antivirus software Amavis to scan archive files for malware. The vulnerability now being exploited affects Zimbra mail servers that use the archiving tool cpio to extract archive files for inspection.

By sending a specially crafted archive file that is extracted with cpio, an attacker can write to any path on the filesystem that the Zimbra user has access to. In this way it is possible to install a web shell and run arbitrary code on the mail server. It has been known since 2015 that the use of cpio can be a security risk. Last month, Zimbra itself issued a warning and advised replacing cpio with the archiving tool pax.

Pax is installed by default on Ubuntu, so Ubuntu-based installations of Zimbra are not vulnerable. Zimbra installations based on Oracle Linux 8, Red Hat Enterprise Linux 8, Rocky Linux 8 and CentOS 8 are vulnerable, security company Rapid7 reports. According to the security company, switching to pax is the best option, as cpio is not safe to use because several operating systems have removed the security update for the issue with the archiving tool. Zimbra has indicated that it plans to remove the dependency on cpio and make pax the default.
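The core of the problem described above is that cpio honours whatever path an archive entry carries, absolute or with `..` components. As an added example (not code from Zimbra, Amavis or Rapid7), the following script parses the standard SVR4 "newc" cpio format and reports entries that would be written outside the extraction directory, which is the kind of pre-extraction check a defender can run on inbound archives; the sample archive is constructed inline for testing and the entry names in it are placeholders.

```python
"""Flag cpio (SVR4 "newc") archive entries whose paths escape the extraction directory."""

NEWC_MAGIC = b"070701"
HEADER_LEN = 110  # 6-byte magic + 13 fields of 8 ASCII hex digits each


def _pad4(n):
    """Round n up to a multiple of four (newc aligns names and data to 4 bytes)."""
    return (n + 3) & ~3


def newc_entries(data):
    """Yield (name, filesize) for each entry in a newc-format cpio archive."""
    off = 0
    while off + HEADER_LEN <= len(data):
        hdr = data[off:off + HEADER_LEN]
        if hdr[:6] != NEWC_MAGIC:
            raise ValueError(f"bad newc magic at offset {off}")
        # Field order: ino, mode, uid, gid, nlink, mtime, filesize,
        # devmajor, devminor, rdevmajor, rdevminor, namesize, check
        fields = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name_start = off + HEADER_LEN
        name = data[name_start:name_start + namesize - 1].decode("utf-8", "replace")
        off += _pad4(HEADER_LEN + namesize)  # skip header + NUL-terminated name + padding
        if name == "TRAILER!!!":
            return
        yield name, filesize
        off += _pad4(filesize)  # skip file data + padding
    raise ValueError("archive truncated: no TRAILER!!! entry")


def unsafe_paths(data):
    """Return entry names that are absolute or contain a '..' component."""
    return [name for name, _ in newc_entries(data)
            if name.startswith("/") or ".." in name.split("/")]


def build_newc(entries):
    """Construct a minimal newc archive from (name, bytes) pairs; test fixture only."""
    out = bytearray()
    for name, body in entries + [("TRAILER!!!", b"")]:
        n = name.encode() + b"\0"
        vals = [0, 0o100644, 0, 0, 1, 0, len(body), 0, 0, 0, 0, len(n), 0]
        out += NEWC_MAGIC + b"".join(b"%08x" % v for v in vals) + n
        out += b"\0" * (_pad4(HEADER_LEN + len(n)) - HEADER_LEN - len(n))
        out += body + b"\0" * (_pad4(len(body)) - len(body))
    return bytes(out)


# Constructed sample: one benign entry, one traversal entry, one absolute path.
SAMPLE = build_newc([("docs/readme.txt", b"hello"),
                     ("../../outside/file.txt", b"x"),
                     ("/abs/path", b"")])
```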