Zimbra Collaboration Server 8.8.x < 8.8.15 Patch 31 / 9.0.0 < 9.0.0 Patch 24 Multiple Vulnerabilities

critical Nessus Plugin ID 163072

Synopsis

The remote web server contains a web application that is affected by a vulnerability.

Description

According to its self-reported version number, Zimbra Collaboration Server is affected by a multiple vulnerabilities, including the following:

- A vulnerability that allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance. These memcache commands becomes unescaped, causing an overwrite of arbitrary cached entries. (CVE-2022-27924)

- Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal. (CVE-2022-27925)

- A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-40438)

- ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-39275)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to version 8.8.15 Patch 31, 9.0.0 Patch 24, or later.

See Also

https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P31

https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24

https://wiki.zimbra.com/wiki/Security_Center

https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

Plugin Details

Severity: Critical

ID: 163072

File Name: zimbra_9_0_0_p24.nasl

Version: 1.7

Type: combined

Agent: unix

Family: CGI abuses

Published: 7/13/2022

Updated: 8/24/2022

Supported Sensors: Nessus Agent

Risk Information

VPR

Risk Factor: Critical

Score: 9.5

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:H/RL:OF/RC:C

CVSS Score Source: CVE-2021-39275

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:zimbra:collaboration_suite

Required KB Items: installed_sw/zimbra_zcs

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/20/2022

Vulnerability Publication Date: 4/20/2022

CISA Known Exploited Dates: 12/15/2021, 8/25/2022, 9/1/2022

Exploitable With

Metasploit (Zip Path Traversal in Zimbra (mboximport) (CVE-2022-27925))

Reference Information

CVE: CVE-2021-21702, CVE-2021-39275, CVE-2021-40438, CVE-2022-27924, CVE-2022-27925, CVE-2022-27926

IAVA: 2022-A-0268