Security Update – make sure to install pax/spax

All Zimbra administrators should make sure the pax package is installed on their Zimbra server. Pax is needed by Amavis to extract the contents of compressed attachments for virus scanning.

If the pax package is not installed, Amavis will fall back to using cpio. Unfortunately, that fall-back is implemented poorly (by Amavis) and allows an unauthenticated attacker to create and overwrite files on the Zimbra server, including the Zimbra webroot.

For most Ubuntu servers the pax package should already be installed, as it is a dependency of Zimbra. Due to a packaging change in CentOS, there is a high chance pax is not installed there.

You should validate and install pax on all your systems as follows:

Ubuntu
apt install pax

CentOS 7 and derivatives
yum install pax

CentOS 8 and derivatives
dnf install spax

Restart Zimbra using:
sudo su - zimbra
zmcontrol restart

This issue will also be addressed in the next Zimbra patch where we will make pax a requirement of Zimbra.
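As an added example (not part of the Zimbra post), the following bash script ties the steps above together: it maps the OS in /etc/os-release to the package name and install command given in the post, checks whether a pax binary is actually on the PATH, and prints the restart step if it is missing. The distribution IDs for CentOS derivatives and the assumption that the spax package installs /usr/bin/pax are mine, not the post's.

```bash
#!/bin/bash
# Added example, not from the Zimbra post: check whether the pax binary that
# Amavis needs is present and, if not, print the install command from the post.
# Assumes /etc/os-release provides ID and VERSION_ID (true on Ubuntu and on
# CentOS and its derivatives); the derivative IDs listed below are assumed.
# Numeric major version from a VERSION_ID such as "8.4" or "20.04"; 0 if unknown.
major_of() {
    local major="${1%%.*}"
    case "$major" in ''|*[!0-9]*) major=0 ;; esac
    echo "$major"
}

# Package that provides pax on this OS: "pax" on Ubuntu and CentOS 7,
# "spax" on CentOS 8 and derivatives. Returns 1 for an unrecognised OS.
pax_package_for() {
    case "$1" in
        ubuntu|debian) echo "pax" ;;
        centos|rhel|rocky|almalinux)
            if [ "$(major_of "$2")" -ge 8 ]; then echo "spax"; else echo "pax"; fi ;;
        *) return 1 ;;
    esac
}
# Install command line matching the post's instructions for this OS.
install_cmd_for() {
    local pkg
    pkg=$(pax_package_for "$1" "$2") || return 1
    case "$1" in
        ubuntu|debian) echo "apt install $pkg" ;;
        *) if [ "$(major_of "$2")" -ge 8 ]; then echo "dnf install $pkg"; else echo "yum install $pkg"; fi ;;
    esac
}

# True when a pax binary is on PATH (assumption: the spax package installs /usr/bin/pax).
pax_present() { command -v pax >/dev/null 2>&1; }
# Report for the local host; exit status 1 means pax is missing (usable from cron/monitoring).
check_host() {
    local ID="" VERSION_ID="" cmd
    [ -r /etc/os-release ] && . /etc/os-release
    if pax_present; then
        echo "OK: pax found at $(command -v pax); Amavis will not fall back to cpio"
        return 0
    fi
    cmd=$(install_cmd_for "$ID" "$VERSION_ID") || cmd="<install pax/spax manually for ${ID:-unknown OS}>"
    echo "MISSING: pax not found. Install it with: $cmd"
    echo "Then restart Zimbra: sudo su - zimbra -c 'zmcontrol restart'"
    return 1
}

check_host
```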


9 Responses to Security Update – make sure to install pax/spax

  1. Ari October 7, 2022 at 9:43 PM #

    hi Barry,

    what if the zimbra multiserver package is installed on all servers?

    • Barry de Graaff October 9, 2022 at 9:55 PM #

      yes do install it on all servers.

  2. Franz October 10, 2022 at 12:42 AM #

    Thank you for the information. Just about all of our instances (mainly CentOS) did not have pax installed. I have read that there have already been documented attacks to the CVE-2022-41352. Are there already ways to detect an infection?

  3. Franz October 12, 2022 at 3:13 AM #

    Thanks for the link to https://wiki.zimbra.com/wiki/Integrity_check. Comparing checksums of Zimbra files to make sure that no files have been tampered with by Zimbra is a good method. However, the check only makes sense if you have “previously” done dumps of the files’ checksums. If no dumps or filesystem backups of all Zimbra files were made, this checkup is useless, because no comparison can be made. Also with updates the checksums should change and thus lead to errors. It would be better if Zimbra maintained checksums, per version and distribution.
    For my use case, the provided check for compression of the system is not a practical solution to be sure that our system has not been changed, since I have no comparison values/comparison checksums.

    • Barry de Graaff October 12, 2022 at 4:12 AM #

      If you have no backup or snapshot of your system from an earlier date, then indeed the script cannot help you. We do intend to make changes to our repositories and packaging so that the checksum can be validated that way. Unfortunately that takes time and till then the script is best we can do.

    • Franz October 17, 2022 at 1:35 AM #

      Thank you for the answer. We only backup the user data and configuration but not the binaries of Zimbra. I like the approach of the script very much and it will help to verify the integrity of our Zimbra instances. I will put it in a routine check with a small monitoring alert. I am looking forward to further developments.

  4. Valeria October 14, 2022 at 12:48 AM #

    Barry,

    Many customers ask me if it is useful to disable amavis and use an external service, but I am not sure if this will protect them when processing internal (local) mails.

    • Barry de Graaff October 16, 2022 at 9:37 PM #

      It is a good strategy to consider, normally internal email will not be scanned by an external service, but likely internal threats can be mitigated better with end-point protection. Amavis probably will not catch all the newest threats.

Copyright © 2022 Zimbra, Inc. All rights reserved.
