A severe remote code execution vulnerability affected the Zimbra email client. The bug typically existed in the UnRAR library that could trigger RCE on the Zimbra platform. Thankfully, the bug received a fix before malicious exploitation.
Zimbra UnRAR Library Vulnerability
Researchers from Sonar recently shared insights about a severe security flaw affecting the Zimbra email platform.
Specifically, the researchers found a zero-day vulnerability in a third-party UnRAR utility used in Zimbra that could trigger RCE. Exploiting the bug didn’t even require authentication. Describing the bug, CVE-2022-30333, the file write vulnerability in the RarLab’s
unrar binary, the researchers stated,
An attacker is able to create files outside of the target extraction directory when an application or victim user extracts an untrusted archive. If they can write to a known location, they are likely to be able to leverage it in a way leading to the execution of arbitrary commands on the system.
Although, the bug didn’t directly affect Zimbra. Nonetheless, exploiting it could let an attacker access the sent and received emails on the compromised email server. An adversary could also deploy backdoors on compromised servers, steal credentials and other data, and gain access to other unauthorized areas on the network. Such explicit access became possible due to the unhindered permissions to UnRar utility for Zimbra.
The researchers have shared the technical details of the vulnerability in their post.
Following this discovery, Sonar researchers reported the matter to RarLab, and “gave a heads-up” to Zimbra for an upcoming fix.
Eventually, RarLab patched the vulnerability with UnRar binary version 6.12. Hence, all UnRar utility users should get this patched version or later to receive the fix.
Besides, Zimbra also addressed the glitch by configuring 7z as default for extracting RAR archives by Amavis instead of UnRar.
Let us know your thoughts in the comments.