Enlarge (credit: Jeremy Brooks / Flickr)
An unpatched code-execution vulnerability in the Zimbra Collaboration software is under active exploitation by attackers using the attacks to backdoor servers.
The attacks began no later than September 7, when a Zimbra customer reported a few days later that a server running the company’s Amavis spam-filtering engine processed an email containing a malicious attachment. Within seconds, the scanner copied a malicious Java file to the server and then executed it. With that, the attackers had installed a web shell, which they could then use to log into and take control of the server.
Zimbra has yet to release a patch fixing the vulnerability. Instead, the company published this guidance that advises customers to ensure a file archiver known as pax is installed. Unless pax is installed, Amavis processes incoming attachments with cpio, an alternate archiver that has known vulnerabilities that were never fixed.