Posted on June 30, 2022 at 7:15 AM

Hackers May Target Zimbra Webmail Servers Through UnRAR Zero-Days

A new vulnerability has been discovered in RARlab’s UnRAR utility. The flaw could enable a remote attacker to execute arbitrary codes on a binary-reliant system if successfully exploited.

The flaw, assigned CVE-2022-30333, is a path traversal vulnerability in the unRAR’s Unix versions. It can be launched when extracting a maliciously crafted RAR archive.

After the vulnerability was disclosed on May 4, 2022, the vendor addressed the issue. RarLab released an update as part of version 6.12 on May 6. Additionally, it released other versions of the software for Android and Windows operating systems, although these versions were not affected.

The Vulnerability Can Give Threat Actors Unauthorized Access

Researcher at SonarSource Simon Scannell stated that the threat actor can create files outside the extraction parameter when an application extracts an untrusted version. If the threat actor can write to a known location, they can take advantage in a way that can lead to the execution of arbitrary commands on the system.

It’s worth pointing out that any software that utilizes an unpatched version of UnRAR to extract untrusted archives is affected by the flaw.

The Zimbra collaboration suite is not left out, as the bug can result in the pre-authentication of remote code execution. It can give the threat actor complete control of the email, allowing it to overwrite or abuse other internal resources within the organization’s network.

The flaw is connected to a symbolic link attack where a RAR archive can be designed containing a symlink. The symlink can be a combination of both forward and backward slashes, which can be used to circumvent current checks, extracting it outside of its expected directory.

The Vulnerability Allows Conversion To forward Slashes

The security researcher stated that the bug is connected to a function that converts backlashes to forward lashes. This allows a RAR archive created on Windows to be easily extracted on a nix system, changing the symlink to “../../../tmp/shell.”

Once a threat actor takes advantage of this behavior, they can write arbitrary files remotely on the target filesystem and execute malicious commands. This also includes overwriting the JSP shell in Zimbra’s web directory, which gives the hacker complete control over the system.

Scannell added that the attacker does not have to deal with several requirements. In this case, the only requirement is for the UnRAR to be installed on the server. This will likely occur since it’s required for RAR archive spam-checking and virus-scanning.

The vulnerability has been assigned a base score of 7.5 in the Common Vulnerability Scoring System (CVSS).

The Zimbra is an enterprise solution used by more than 200,000 businesses, financial institutions, and government establishments. The vendor released a warning about the vulnerability of the device following Sonar’s discovery of the bug. “We discovered a 0-day vulnerability in the UnRAR utility, a 3rd party tool used in Zimbra,” the document reads.

Zimbra Has Been Previously Linked To A Vulnerability

The fix to the vulnerability is coming almost a year after Zinbra was linked to a report from the UK and US governments that identified the company as a possible target of Russian spies.

The report revealed that the Russian cyber-spies are exploiting 11 flaws that date back to 2018 being used for initial access.

The joint report was released by the National Security Agency (NSA), the US Cybersecurity and Infrastructure Security Agency (CISA), and the UK’s National Cyber Security Agency (NCSC).

The agencies updated readers on the activities of the Russian Foreign Intelligence Services, also regarded as The Dukes, Crazy Bear, and APT29. This group was singled out for the SolarWinds attack and other major attacks across US and UK organizations.

To evade being discovered and gain more impact, the SVR keeps changing its tactics in response to the previous reports the agencies have issued. This includes the exploit of widely reported Microsoft exchange server bugs.

The report listed 11 flaws in products from Zimbra, Oracle, Cisco, Fortnite, f5, Elasticsearch, Citrix, and Pulse Secure. These products are exploited by the SVR to gain unauthorized access to the target’s network.

In addition, the report warned that other products that are not listed could be targeted by the threat group. One of the modus operandi of the group is to exploit vulnerabilities that were recently disclosed publicly. These are more likely to enable initial access to their targets, the report noted.