SB2022100803 - Arbitrary file overwrite in Amavis when used with cpio

Description

This security bulletin contains information about 1 security vulnerability.

1) Security features bypass (CVE-ID: CVE-2022-41352)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insecure fall-back by amavis to using cpio to extract files if the pax package is not installed on the system. The amavisd extracts the contents of compressed attachments for virus scanning and uses cpio in an insecure manner. A remote attacker can send a specially crafted archive to the email system that once extracted can overwrite arbitrary files on the system.

Note, the vulnerability was used in the wild against misconfigured Zimbra Collaboration (ZCS) installations.

Remediation

Install update from vendor's website.

References

• https://forums.zimbra.org/viewtopic.php?t=71153&p=306532
• https://blog.zimbra.com/2022/09/security-update-make-sure-to-install-pax-spax/