CVE-2022-41347 - OpenCVE

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.x and 9.x (e.g., 8.8.15). The Sudo configuration permits the zimbra user to execute the NGINX binary as root with arbitrary parameters. As part of its intended functionality, NGINX can load a user-defined configuration file, which includes plugins in the form of .so files, which also execute as root.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Zimbra	Collaboration

Configuration 1 [-]

OR	cpe:2.3:a:zimbra:collaboration:8.8.15:-::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:-::::::

References

Link	Resource
https://darrenmartyn.ie/2021/10/25/zimbra-nginx-local-root-exploit/	Exploit Third Party Advisory
https://github.com/darrenmartyn/zimbra-hinginx	Third Party Advisory
https://wiki.zimbra.com/wiki/Security_Center	Patch Vendor Advisory
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-09-26T01:29:48

Updated: 2022-09-26T01:29:48

Reserved: 2022-09-26T00:00:00

Link: CVE-2022-41347

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-09-26T02:15:10.620

Modified: 2022-09-28T17:04:56.527

Link: CVE-2022-41347

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Zimbra Collaboration (ZCS) 8.8.x and 9.x (e.g., 8.8.15). The Sudo configuration permits the zimbra user to execute the NGINX binary as root with arbitrary parameters. As part of its intended functionality, NGINX can load a user-defined configuration file, which includes plugins in the form of .so files, which also execute as root."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-09-26T01:29:48", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"}, {"tags": ["x_refsource_MISC"], "url": "https://wiki.zimbra.com/wiki/Security_Center"}, {"tags": ["x_refsource_MISC"], "url": "https://darrenmartyn.ie/2021/10/25/zimbra-nginx-local-root-exploit/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/darrenmartyn/zimbra-hinginx"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-41347", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Zimbra Collaboration (ZCS) 8.8.x and 9.x (e.g., 8.8.15). The Sudo configuration permits the zimbra user to execute the NGINX binary as root with arbitrary parameters. As part of its intended functionality, NGINX can load a user-defined configuration file, which includes plugins in the form of .so files, which also execute as root."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories", "refsource": "MISC", "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"}, {"name": "https://wiki.zimbra.com/wiki/Security_Center", "refsource": "MISC", "url": "https://wiki.zimbra.com/wiki/Security_Center"}, {"name": "https://darrenmartyn.ie/2021/10/25/zimbra-nginx-local-root-exploit/", "refsource": "MISC", "url": "https://darrenmartyn.ie/2021/10/25/zimbra-nginx-local-root-exploit/"}, {"name": "https://github.com/darrenmartyn/zimbra-hinginx", "refsource": "MISC", "url": "https://github.com/darrenmartyn/zimbra-hinginx"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-41347", "datePublished": "2022-09-26T01:29:48", "dateReserved": "2022-09-26T00:00:00", "dateUpdated": "2022-09-26T01:29:48", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:-:*:*:*:*:*:*", "matchCriteriaId": "1B17C1A7-0F0A-4E7C-8C0C-0BBB0BF66C82", "vulnerable": true}, {"criteria": "cpe:2.3:a:zimbra:collaboration:9.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "685D9652-2934-4C13-8B36-40582C79BFC1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Zimbra Collaboration (ZCS) 8.8.x and 9.x (e.g., 8.8.15). The Sudo configuration permits the zimbra user to execute the NGINX binary as root with arbitrary parameters. As part of its intended functionality, NGINX can load a user-defined configuration file, which includes plugins in the form of .so files, which also execute as root."}, {"lang": "es", "value": "Se ha detectado un problema en Zimbra Collaboration (ZCS) versiones 8.8.x y 9.x (por ejemplo, 8.8.15). La configuraci\u00f3n Sudo permite al usuario zimbra ejecutar el binario NGINX como root con par\u00e1metros arbitrarios. Como parte de su funcionalidad prevista, NGINX puede cargar un archivo de configuraci\u00f3n definido por el usuario, que incluye plugins en forma de archivos .so, que tambi\u00e9n son ejecutados como root."}], "id": "CVE-2022-41347", "lastModified": "2022-09-28T17:04:56.527", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-26T02:15:10.620", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://darrenmartyn.ie/2021/10/25/zimbra-nginx-local-root-exploit/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/darrenmartyn/zimbra-hinginx"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://wiki.zimbra.com/wiki/Security_Center"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}