Security features bypass in AMaViS - CVE-2022-41352
Published: October 8, 2022 / Updated: November 13, 2022
Vulnerability identifier: #VU68041
CSH Severity: Critical
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red
CVE-ID: CVE-2022-41352
CWE-ID: CWE-254
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vendor: Amavis.org
Affected software:
AMaViS
AMaViS
Detailed vulnerability description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insecure fall-back by amavis to using cpio to extract files if the pax package is not installed on the system. The amavisd extracts the contents of compressed attachments for virus scanning and uses cpio in an insecure manner. A remote attacker can send a specially crafted archive to the email system that once extracted can overwrite arbitrary files on the system.
Note, the vulnerability was used in the wild against misconfigured Zimbra Collaboration (ZCS) installations.
How to mitigate CVE-2022-41352
It is recommended to replace cpio with pax on the system.