What is it?

Zimbra Collaboration Suite (ZCS) has the ability to import messages that contain ZIP archives and will automatically unarchive the contents.

An error in the software allows senders to bypass all authentication, install programs and run them.

The Packet Storm link below contains a more detailed description of how this vulnerability is exploited.

Why is it a risk?

An attacker can insert any program into a ZIP archive, send it to your ZCS server, install it anywhere on your server and then run it.
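As an added illustration (not Zimbra's code and not taken from the Packet Storm write-up), the check below scans a ZIP archive's member names for entries that would land outside the extraction directory when unpacked naively, the archive path-traversal pattern behind a bug of this kind; the destination path and the sample archive are constructed for the example.

```python
import io
import posixpath
import zipfile
from typing import List


def unsafe_entries(zip_bytes: bytes, dest: str) -> List[str]:
    """Return member names that would escape `dest` if extracted as-is.

    `dest` is a hypothetical extraction root used only to resolve names;
    nothing is written to disk. Both absolute names and names whose
    normalised form climbs above `dest` are reported.
    """
    root = posixpath.normpath(dest)
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Treat backslashes as separators so Windows-style "..\\" is caught too.
            name = info.filename.replace("\\", "/")
            if name.startswith("/"):
                flagged.append(info.filename)  # absolute path: escapes any root
                continue
            target = posixpath.normpath(posixpath.join(root, name))
            if target != root and not target.startswith(root + "/"):
                flagged.append(info.filename)  # resolved outside the root
    return flagged


def build_sample_zip() -> bytes:
    """Constructed sample archive: two benign members, three traversal members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("attachment.txt", "harmless")
        zf.writestr("docs/readme.txt", "harmless")
        zf.writestr("../../escaped.txt", "would be written above the root")
        zf.writestr("/absolute.txt", "absolute path")
        zf.writestr("sub/../../sibling.txt", "escapes after normalisation")
    return buf.getvalue()


if __name__ == "__main__":
    # "/srv/import" is a placeholder extraction root for the demonstration.
    for entry in unsafe_entries(build_sample_zip(), "/srv/import"):
        print("reject:", entry)
```

An import routine that refuses any archive for which this list is non-empty never writes outside its destination, whatever the sender controls in the member names.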

This is considered a CRITICAL vulnerability.

How can you mitigate the risk?

Upgrade your Zimbra installation to (at least) version ZCS 9.0.0 Patch 26.

There is a link below to the Zimbra Security Center which, in turn, links to the latest patches.

Resources:

Detailed Description: Packet Storm – Zimbra Zip Path Traversal
https://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html

Zimbra Security Center
https://wiki.zimbra.com/wiki/Security_Center
