CVE-2022-37393: The zimbra user can run zmslapd as root with arbitrary parameters.

When Zimbra installs zmslapd, the installation process copies the zmslapd binary to /usr/bin, where it is owned by the zimbra user and group. The binary can be moved to a different location, or replaced with a different version. Sudo configuration allows the installation of arbitrary software. By default, sudo only permits the installation of software that is signed with a digital key. In most cases, a digital key is a single file that can be manually verified. However, some applications, like zmslapd, require more flexibility. Some applications may require root privileges in order to function. Sudo allows the specification of arbitrary user or group IDs and supplementary groups. When a user or group is specified, the installation process is run with that user's or group's permissions. Sudo does not verify the identity of the installation process or the integrity of the software being installed.

CVE-2022-37394

The mitigations described in CVE-2022-37394 are insufficient because no audit of the installation process is performed.
Mitigations that require the execution of installation scripts, or the verification of a digital signature or hash, would be sufficient to address this vulnerability.

Example sudo configuration file

# File: sudoers
root ALL=(ALL) ALL
%sudo ALL=(ALL) NOPASSWD: /usr/bin/zmslapd
%sudo ALL=(ALL) NOPASSWD: /usr/bin/zmslipd
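
The page's point is that a sudo rule is only as trustworthy as the binary it names: if an unprivileged account owns the file and the rule places no limit on arguments, that account decides what runs as root. The audit below is an added example, not code from Zimbra or from this page; it parses the sample sudoers entries above and reports those two conditions. The function name `audit_sudoers` and the injectable `stat_fn` parameter are assumptions made for illustration.

```python
import os
import re
import stat

# Constructed sample: the example sudoers file shown on this page.
SAMPLE_SUDOERS = """\
# File: sudoers
root ALL=(ALL) ALL
%sudo ALL=(ALL) NOPASSWD: /usr/bin/zmslapd
%sudo ALL=(ALL) NOPASSWD: /usr/bin/zmslipd
"""

# who  host = (runas) TAG: TAG: command[, command...]
RULE = re.compile(r"^(?P<who>\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?"
                  r"(?:[A-Z_]+:\s*)*(?P<cmds>.+)$")

def audit_sudoers(text, stat_fn=os.stat):
    """Return (principal, path, problems) for every rule naming an absolute path.

    stat_fn is injectable (hypothetical parameter) so the check runs without disk access.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplistic comment stripping
        m = RULE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            parts = cmd.split()
            if not parts or not parts[0].startswith("/"):
                continue  # ALL and aliases are out of scope here
            path, args, problems = parts[0], parts[1:], []
            if not args:
                # A sudoers command with no argument list accepts any arguments.
                problems.append("any arguments allowed")
            try:
                st = stat_fn(path)
                if st.st_uid != 0:
                    problems.append(f"owned by uid {st.st_uid}, not root")
                if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                    problems.append("group- or world-writable")
            except FileNotFoundError:
                problems.append("target missing")
            if problems:
                findings.append((m.group("who"), path, problems))
    return findings

if __name__ == "__main__":
    for who, path, problems in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who} -> {path}: {'; '.join(problems)}")
```

Run against a live host, pass the real sudoers text and leave `stat_fn` at its default so ownership and mode are read from disk.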

Zimbra: an email platform

Zimbra is an open-source email platform based on Mozilla Thunderbird. It includes a collection of features to help speed up your email workflow.

Zimbra: an email, calendar, and web app platform

Zimbra is a complete email, calendar, and web app platform for small and medium businesses. It comes with pre-installed plugins that allow you to integrate your business's existing software with Zimbra.
Zimbra can be installed through the package management system yum or the RPM repository.

Timeline

Published on: 08/16/2022 20:15:00 UTC
Last modified on: 08/18/2022 17:12:00 UTC
