Zimbra Collaboration Server 8.8.x < 8.8.15 Patch 33 / 9.0.0 < 9.0.0 Patch 26 Multiple Vulnerabilities

critical Nessus Plugin ID 164341

Synopsis

The remote web server contains a web application that is affected by multiple vulnerabilities.

Description

According to its self-reported version number, Zimbra Collaboration Server is affected by multiple vulnerabilities, including the following:

- An issue was discovered in ProxyServlet.java in the /proxy servlet in Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0. The value of the X-Forwarded-Host header overwrites the value of the Host header in proxied requests. The value of X-Forwarded-Host header is not checked against the whitelist of hosts that ZCS is allowed to proxy to (the zimbraProxyAllowedDomains setting). (CVE-2022-37041)

- Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925. (CVE-2022-37042)

- An issue was discovered in the webmail component in Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0. When using preauth, CSRF tokens are not checked on some POST endpoints. Thus, when an authenticated user views an attacker-controlled page, a request will be sent to the application that appears to be intended. The CSRF token is omitted from the request, but the request still succeeds. (CVE-2022-37043)
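The allowlist failure in CVE-2022-37041 above, as an added illustrative example (not code from Zimbra's ProxyServlet): a reverse proxy derives its upstream host from Host or X-Forwarded-Host, and whichever value ends up being used must be the one validated. The ALLOWED_DOMAINS list, the wildcard semantics, and the host-normalization rules are assumptions made for this example; zimbraProxyAllowedDomains is only the setting the check stands in for.

```python
from typing import Dict, List, Optional

# Constructed allowlist standing in for zimbraProxyAllowedDomains. The wildcard rule
# below ("*.example.com" matches hosts under example.com, not the apex itself) is an
# assumption for this example, not Zimbra's documented matching rule.
ALLOWED_DOMAINS: List[str] = ["*.example.com", "mail.example.org"]


class ProxyTargetRejected(ValueError):
    """Raised when the host a request would be proxied to is not allowlisted."""


def normalize_host(value: str) -> Optional[str]:
    """Lower-case a Host-style value and drop the port; None if it is malformed."""
    host = value.strip().lower()
    # X-Forwarded-Host may carry a comma-separated chain; only the first hop is used here.
    host = host.split(",", 1)[0].strip()
    if host.startswith("["):                   # bracketed IPv6 literal, optional port
        end = host.find("]")
        if end == -1:
            return None
        host = host[: end + 1]
    elif host.count(":") == 1:                 # hostname:port
        host = host.split(":", 1)[0]
    elif ":" in host:                          # unbracketed IPv6 or garbage: refuse
        return None
    if not host or any(c.isspace() or c in "/\\@?#" for c in host):
        return None
    return host


def host_allowed(host: str, allowed: List[str]) -> bool:
    """Exact match, or suffix match for '*.' patterns (subdomains only)."""
    for pattern in allowed:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]):
                return True
        elif host == pattern:
            return True
    return False


def proxy_target_vulnerable(headers: Dict[str, str]) -> str:
    """Model of the bug as the advisory describes it: only Host is checked, then
    X-Forwarded-Host silently replaces it without ever being checked."""
    host = normalize_host(headers.get("Host", ""))
    if host is None or not host_allowed(host, ALLOWED_DOMAINS):
        raise ProxyTargetRejected(f"Host not allowed: {headers.get('Host')!r}")
    forwarded = headers.get("X-Forwarded-Host")
    if forwarded:
        return normalize_host(forwarded) or host   # unchecked override
    return host


def proxy_target_fixed(headers: Dict[str, str]) -> str:
    """Same precedence, but the value that actually wins is the one validated."""
    candidate = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    host = normalize_host(candidate)
    if host is None or not host_allowed(host, ALLOWED_DOMAINS):
        raise ProxyTargetRejected(f"proxy target not allowed: {candidate!r}")
    return host


if __name__ == "__main__":
    spoofed = {"Host": "mail.example.com", "X-Forwarded-Host": "attacker.invalid:8080"}
    print("vulnerable path proxies to:", proxy_target_vulnerable(spoofed))
    try:
        proxy_target_fixed(spoofed)
    except ProxyTargetRejected as exc:
        print("fixed path rejects:", exc)
```

The point of the fixed variant is ordering: validate after every source of the upstream host has been consulted, not before. A check that runs on Host alone is bypassed by any header that is merged in later, which is exactly the shape of the flaw described above.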
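The mboximport issue (CVE-2022-37042) is a zip path traversal: archive member names containing ".." components or absolute paths are joined onto the extraction directory and written wherever they point. Below is an added example, not Zimbra's code, of the check an extractor needs before writing any member. The archive contents, scratch directory, and function names are constructed for this demonstration; nothing is written outside the scratch directory, and the "naive" path is only computed for comparison.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path, PurePosixPath
from typing import Dict, List


class UnsafeEntry(ValueError):
    """An archive member whose name would place it outside the extraction root."""


def build_sample_zip(hostile: bool = True) -> bytes:
    """Constructed sample archive: one benign mailbox file plus, optionally,
    two members shaped like the traversal described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Inbox/", "")
        zf.writestr("Inbox/message-1.eml", "Subject: hello\r\n\r\nbody\r\n")
        if hostile:
            zf.writestr("../../../../tmp/escaped.txt", "escaped the import directory\n")
            zf.writestr("/tmp/absolute.txt", "absolute member name\n")
    return buf.getvalue()


def make_scratch_dir() -> Path:
    """A fresh temporary extraction root for the demonstration."""
    return Path(tempfile.mkdtemp(prefix="mboximport-"))


def naive_target(dest: Path, name: str) -> Path:
    """Where an unchecked os.path.join would write the member (computed only, never written)."""
    return Path(os.path.normpath(os.path.join(str(dest), name)))


def resolve_entry(dest: Path, name: str) -> Path:
    """Return the on-disk path for a member, or raise UnsafeEntry if it escapes dest."""
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        raise UnsafeEntry(f"absolute member name: {name!r}")
    if "\\" in name:
        raise UnsafeEntry(f"backslash in member name: {name!r}")
    if ".." in PurePosixPath(name).parts:
        raise UnsafeEntry(f"traversal in member name: {name!r}")
    root = dest.resolve()
    target = (root / name).resolve()
    # resolve() follows symlinks already present under dest, so a planted link
    # cannot redirect the write outside the root either.
    if target != root and root not in target.parents:
        raise UnsafeEntry(f"member resolves outside destination: {name!r}")
    return target


def audit_archive(zip_bytes: bytes, dest: Path) -> Dict[str, str]:
    """Dry run: map each member name to "ok" or the reason it was rejected."""
    report: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                resolve_entry(dest, info.filename)
                report[info.filename] = "ok"
            except UnsafeEntry as exc:
                report[info.filename] = str(exc)
    return report


def safe_extract(zip_bytes: bytes, dest: Path) -> List[Path]:
    """Extract into dest, failing closed before any write if any member is unsafe."""
    dest.mkdir(parents=True, exist_ok=True)
    written: List[Path] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Validate every name first so a hostile archive leaves no partial state behind.
        members = [(info, resolve_entry(dest, info.filename)) for info in zf.infolist()]
        for info, target in members:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


if __name__ == "__main__":
    scratch = make_scratch_dir()
    for name, verdict in audit_archive(build_sample_zip(), scratch).items():
        print(f"{verdict:45} {name}")
    print("naive join would write to:", naive_target(scratch, "../../../../tmp/escaped.txt"))
    print("safe extraction wrote:", safe_extract(build_sample_zip(hostile=False), scratch))
```

Members are written by hand here rather than with ZipFile.extractall because Python's zipfile module already strips leading slashes and ".." components from member names, which would hide the failure mode being shown. The practitioner's check is the same in any language: normalize the joined path and confirm the extraction root is still a prefix of it before opening the file for writing.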

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to version 8.8.15 Patch 33, 9.0.0 Patch 26, or later.

See Also

https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P33

https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P26

https://wiki.zimbra.com/wiki/Security_Center

https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

https://www.cisa.gov/uscert/ncas/alerts/aa22-228a

Plugin Details

Severity: Critical

ID: 164341

File Name: zimbra_9_0_0_p26.nasl

Version: 1.4

Type: combined

Agent: unix

Family: CGI abuses

Published: 8/23/2022

Updated: 2/17/2023

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-2068

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

CVSS Score Source: CVE-2022-37042

Vulnerability Information

CPE: cpe:/a:zimbra:collaboration_suite

Required KB Items: installed_sw/zimbra_zcs

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/12/2022

Vulnerability Publication Date: 8/12/2022

CISA Known Exploited Vulnerability Due Dates: 9/1/2022

Exploitable With

Metasploit (Zip Path Traversal in Zimbra (mboximport) (CVE-2022-27925))

Reference Information

CVE: CVE-2022-2068, CVE-2022-24407, CVE-2022-37041, CVE-2022-37042, CVE-2022-37043