A remote-code-execution (RCE) vulnerability affecting Zimbra Collaboration Suite (ZCS) email servers was exploited without valid administrative credentials, contrary to what was previously believed.
The findings come from security researchers at Volexity, who detailed them in an advisory published on Wednesday.
While the RCE issue (tracked as CVE-2022-27925) was patched by Zimbra in March 2022, in July and early August 2022 Volexity investigated several instances of victim organizations experiencing serious breaches of their ZCS email servers.
“Initial research into the vulnerability did not uncover any public exploit code, but since a patch had been available for several months, it was reasonable that exploit code could have been developed based on the description of the vulnerability,” read the advisory.
However, one thing that caught the security researchers’ attention was that, in addition to being remotely executable, the vulnerability description clearly stated its exploitation required valid administrator credentials.
“This added a significant level of difficulty for an attacker to successfully compromise a ZCS instance and made mass exploitation unlikely.”
Further investigation by Volexity then showed signs of remote exploitation, but no evidence that the attackers had the administrative rights needed to exploit the vulnerability.
“Subsequent testing by Volexity determined it was possible to bypass authentication when accessing the same endpoint [...] used by CVE-2022-27925,” Volexity said. “This meant that [the flaw] could be exploited without valid administrative credentials, thus making the vulnerability significantly more critical in severity.”
After Volexity disclosed the authentication bypass vulnerability (tracked as CVE-2022-37042) to Zimbra, the company issued patches for it at the end of July.
Still, the Volexity investigation suggested the vulnerability was being mass exploited with the authentication bypass as early as the end of June 2022, with over 1000 ZCS instances around the world backdoored and compromised.
“These ZCS instances belong to a variety of global organizations, including government departments and ministries; military branches; worldwide businesses with billions of dollars of revenue, etc.”
Volexity said that affected organizations also included a considerable number of small businesses unlikely to have dedicated IT staff to manage their mail servers, and therefore less prepared to effectively detect and remediate an incident.
In order to verify the presence of web shells on a ZCS instance, Volexity suggested companies compare the list of JSP files on a Zimbra instance with those present by default in Zimbra installations.
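One way to run the comparison Volexity suggests, as an added example (not code from Volexity or Zimbra): it assumes a clean copy of the same ZCS version's web application directory is available as the baseline, and both directory paths are supplied by the operator. It goes slightly beyond a file-name comparison by also hashing contents and matching `.jspx`, so a default JSP that was altered is reported too.

```python
"""Added example: compare JSP files on a live web root with a clean baseline."""
import hashlib
import os
import sys


def jsp_inventory(root):
    """Map relative path -> SHA-256 for every .jsp/.jspx file under root."""
    inventory = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # Case-insensitive match; .jspx is included as a broadening.
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            inventory[os.path.relpath(full, root)] = digest
    return inventory


def compare_jsp(live_root, baseline_root):
    """Return (unexpected, modified) relative paths, each sorted."""
    live = jsp_inventory(live_root)
    base = jsp_inventory(baseline_root)
    # Present on the live server but not shipped by default: web shell candidates.
    unexpected = sorted(p for p in live if p not in base)
    # Shipped by default but with different contents: possible tampering.
    modified = sorted(p for p in live if p in base and live[p] != base[p])
    return unexpected, modified


if __name__ == "__main__":
    # Both paths are operator-supplied; none are hard-coded here.
    if len(sys.argv) != 3:
        sys.exit("usage: jsp_diff.py LIVE_WEBROOT BASELINE_WEBROOT")
    unexpected, modified = compare_jsp(sys.argv[1], sys.argv[2])
    for path in unexpected:
        mtime = os.path.getmtime(os.path.join(sys.argv[1], path))
        print(f"UNEXPECTED {path} mtime={mtime:.0f}")
    for path in modified:
        print(f"MODIFIED   {path}")
    sys.exit(1 if unexpected or modified else 0)
```

The script exits non-zero when anything differs from the baseline, so it can be run from a scheduled job; each reported file still needs manual review before it is treated as malicious.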
Zimbra’s mail servers were also in the spotlight at the end of June, when a flaw in RARlab’s UnRAR utility was discovered that could be exploited to steal emails from individual Zimbra mail user accounts.