Cybersecurity researchers have raised alarms about active exploitation of a recently disclosed Remote Code Execution (RCE) vulnerability in Zimbra, a popular open-source email and collaboration platform. The vulnerability, tracked as CVE-2024-45519, is dangerous because it is easy to exploit: an unauthenticated attacker only needs to deliver a specially crafted email to the target's SMTP service.
Understanding the Vulnerability
CVE-2024-45519 lies in Zimbra's postjournal service, an optional component that receives messages over SMTP and journals them. Postjournal builds a shell command from address data taken out of the message without sanitizing it, so an attacker can place shell commands inside an address in the CC field. Those commands run on the server when postjournal handles the message, giving the attacker code execution on the mail host.
Exploitation in the Wild
Security researchers from HarfangLab and Proofpoint have reported observing “mass exploitation” of this vulnerability. The attacks were first detected on September 28, 2024, one day after ProjectDiscovery researchers published a detailed technical analysis together with a proof-of-concept (PoC) exploit.
Attack Methodology
The attackers send emails spoofed to look like Gmail notifications. The CC field carries fake addresses whose local part contains shell commands; because postjournal assembles a shell command from that data, a correctly crafted message makes the Zimbra server execute whatever is embedded in the CC field.
The embedded commands typically decode a base64-encoded string and execute it; the decoded payload writes a web shell onto the Zimbra server. The web shell only answers requests that present a specific JSESSIONID cookie value, and it reads the commands to execute from a second cookie named JACTION. Requests that carry a JACTION cookie are therefore a concrete detection hook for this campaign, and the base64 blob in a suspicious CC address can be decoded to see exactly what the dropper does.
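To make these indicators actionable, here is an added triage script written for this page (it is not code from Zimbra, Proofpoint or HarfangLab). It parses a message's address headers, flags shell constructs that never belong in an address (command substitution, pipes, separators), decodes any embedded base64 run so an analyst can read the dropper, and checks an HTTP Cookie header for the JACTION name. The sample messages and the base64 payload are constructed; the quoted-local-part shape of the malicious CC address is an assumption about how the command is smuggled, not a captured sample.

```python
import base64
import re
from email import message_from_string

# Shell constructs that have no legitimate place in an address header.
# "<" and ">" are deliberately not listed: every angle-addr contains them.
SHELL_INDICATORS = {
    "command substitution": re.compile(r"\$\(|`"),
    "pipeline": re.compile(r"\|"),
    "command separator": re.compile(r";"),
    "variable expansion": re.compile(r"\$\{"),
}
# A run of base64 alphabet long enough to be a payload rather than a word.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

ADDRESS_HEADERS = ("From", "To", "Cc", "Bcc", "Reply-To")


def decode_embedded_base64(text):
    """Return the UTF-8 text of every base64 run in `text` that decodes cleanly."""
    decoded = []
    for match in BASE64_RUN.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
            decoded.append(raw.decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            # binascii.Error is a ValueError: not a real payload, skip it.
            continue
    return decoded


def triage_message(raw_message):
    """Scan the address headers of one RFC 5322 message.

    Returns one finding per header value that contains a shell construct,
    with the matched indicators and any base64 payload decoded for the analyst.
    """
    msg = message_from_string(raw_message)
    findings = []
    for header in ADDRESS_HEADERS:
        for value in msg.get_all(header, []):
            hits = [name for name, pat in SHELL_INDICATORS.items() if pat.search(value)]
            if hits:
                findings.append({
                    "header": header,
                    "value": value,
                    "indicators": hits,
                    "decoded_payloads": decode_embedded_base64(value),
                })
    return findings


def has_action_cookie(cookie_header, name="JACTION"):
    """True if an HTTP Cookie header carries a cookie named JACTION,
    the command channel of the web shell described in the report."""
    names = {part.split("=", 1)[0].strip() for part in cookie_header.split(";")}
    return name in names


# --- Constructed sample data (not captured from a real attack) ---
# The decoded payload is a harmless placeholder standing in for the dropper.
PLACEHOLDER_PAYLOAD = "echo constructed-demo-payload"
_B64 = base64.b64encode(PLACEHOLDER_PAYLOAD.encode()).decode()

# The quoted local part carrying a command substitution is an assumed shape
# for "malicious code in the CC field", built for this example only.
SAMPLE_MALICIOUS = (
    "From: Gmail Notification <noreply@example.net>\r\n"
    "To: admin@mail.example.com\r\n"
    f'Cc: "aabbb$(echo {_B64}|base64 -d|sh)"@mail.example.com\r\n'
    "Subject: Security alert for your account\r\n"
    "\r\n"
    "Constructed body text.\r\n"
)

SAMPLE_BENIGN = (
    "From: Alice Example <alice@example.org>\r\n"
    "To: admin@mail.example.com\r\n"
    "Cc: R&D Team <rd@example.org>, bob@example.org\r\n"
    "Subject: Meeting notes\r\n"
    "\r\n"
    "Nothing to see here.\r\n"
)

if __name__ == "__main__":
    for finding in triage_message(SAMPLE_MALICIOUS):
        print(finding)
    print(triage_message(SAMPLE_BENIGN))
    print(has_action_cookie("JSESSIONID=1A2B3C; JACTION=ZWNobyBoaQ=="))
```

The scanner works on raw header values rather than on parsed addresses on purpose: a command-carrying local part is exactly the kind of input that address parsers normalise or reject, and a triage tool should never lose the evidence to the parser. Run it over messages pulled from the Postfix queue or from journal copies, and feed the cookie check with request headers from the Zimbra web tier.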
Implications and Risks
Once established, the web shell gives attackers arbitrary command execution on the compromised Zimbra server. That foothold can be used to steal mail and credentials and to move laterally into the victim organization's network, potentially leading to a much wider compromise.
Mitigation and Prevention
Zimbra has fixed CVE-2024-45519 in the following releases; any later patch level on the same branch also contains the fix:
- Zimbra 8.8.15 Patch 46
- Zimbra 9.0.0 Patch 41
- Zimbra 10.0.9
- Zimbra 10.1.1
Cybersecurity experts strongly advise system administrators to take the following actions:
- Apply the latest security patches immediately to vulnerable Zimbra installations.
- Disable the postjournal service if it is not required; it is an optional component, and an instance that does not run it is not exposed to this bug.
- Review the Postfix mynetworks setting so that only trusted hosts and networks are listed; an over-broad value lets untrusted hosts reach internal mail components.
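As an added example (editor's code, not from Zimbra's documentation), a small audit of a Postfix mynetworks value: paste the output of Postfix's `postconf -h mynetworks` from the MTA node into `audit_mynetworks` and it reports catch-all entries, public ranges to justify, and lookup-table entries that must be reviewed by hand. The sample value is constructed, and the classification rules are this editor's choices, not a Zimbra recommendation.

```python
import ipaddress

# Entries that make every host on the internet "trusted". Never acceptable.
CATCH_ALL = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def parse_mynetworks(value):
    """Split a Postfix mynetworks value into (original_token, network) pairs.

    Postfix accepts comma- or whitespace-separated entries, bare addresses,
    CIDR prefixes and bracketed IPv6 such as "[::1]/128". Lookup-table
    entries such as "hash:/etc/postfix/network_table" cannot be evaluated
    here and come back with network=None so the caller can flag them.
    """
    entries = []
    for token in value.replace(",", " ").split():
        cleaned = token.replace("[", "").replace("]", "")
        try:
            entries.append((token, ipaddress.ip_network(cleaned, strict=False)))
        except ValueError:
            entries.append((token, None))
    return entries


def audit_mynetworks(value):
    """Return (entry, reason) pairs for entries an administrator should fix or justify."""
    problems = []
    for original, net in parse_mynetworks(value):
        if net is None:
            problems.append((original, "lookup table or unparsable entry: review its contents manually"))
        elif net in CATCH_ALL:
            problems.append((original, "catch-all network: every host on the internet is trusted"))
        elif not (net.is_private or net.is_loopback or net.is_link_local):
            problems.append((original, "public range: confirm it really is your own infrastructure"))
    return problems


# Constructed sample: a plausible but over-permissive value, not taken from any real system.
SAMPLE_MYNETWORKS = (
    "127.0.0.0/8, [::1]/128, 10.10.0.0/16, 1.2.3.0/24, 0.0.0.0/0, "
    "hash:/etc/postfix/network_table"
)

if __name__ == "__main__":
    for entry, reason in audit_mynetworks(SAMPLE_MYNETWORKS):
        print(f"{entry:40} {reason}")
```

A clean result is not proof of safety: the audit only catches the obvious misconfigurations, and the private ranges it accepts still need to be the ones that actually host your mail infrastructure.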
Technical Details of the Vulnerability
Researchers at ProjectDiscovery reverse engineered the Zimbra patch and found that the vulnerable popen call, which built a shell command string from user-controlled input, had been replaced by an execvp call that takes an argument vector and is preceded by a dedicated input-sanitization routine. Working from that diff, they confirmed that on unpatched systems SMTP commands sent directly to the postjournal listener on port 10027 reach the original popen call, resulting in arbitrary command execution.
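An added illustration of why that change matters (editor's code, not Zimbra's): popen(3) hands its string to /bin/sh -c, so any address interpolated into it is parsed by the shell, whereas execvp takes an argument vector and never invokes a shell. Python's subprocess reproduces both behaviours (shell=True versus a list argv), and the allowlist validator plays the role of the sanitization routine added in the patch. The command run here is printf, a stand-in for postjournal's real child process, and the injected address is a constructed example of the assumed quoted-local-part shape.

```python
import re
import subprocess

# Strict allowlist for the address shape this pipeline is willing to hand to
# a child process. Deliberately narrower than RFC 5321: quoted local parts
# are legal SMTP, but they are exactly the feature that smuggles shell
# syntax, so they are rejected at this boundary (editor's policy choice).
SAFE_ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+")


def is_safe_address(addr):
    return SAFE_ADDRESS.fullmatch(addr) is not None


def run_through_shell(addr):
    """The vulnerable pattern: the address is interpolated into a command
    string handed to /bin/sh -c, which is what popen(3) does in C.
    Every shell construct inside `addr` is honoured."""
    cmd = f"printf '%s' {addr}"  # stand-in for the real journaling command
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True, check=True).stdout


def run_without_shell(addr):
    """The execvp-style pattern: argv is a list, no shell is involved, so
    `addr` reaches the child process as one literal argument."""
    return subprocess.run(["printf", "%s", addr], capture_output=True,
                          text=True, check=True).stdout


def journal_hardened(addr):
    """Validate first, then execute without a shell: the two halves of the fix."""
    if not is_safe_address(addr):
        raise ValueError(f"rejected address: {addr!r}")
    return run_without_shell(addr)


# Constructed attacker-controlled recipient: a quoted local part carrying a
# command substitution (assumed shape, not a captured sample).
INJECTED = '"a$(echo INJECTED)"@mail.example.com'

if __name__ == "__main__":
    print("shell :", run_through_shell(INJECTED))   # substitution ran
    print("argv  :", run_without_shell(INJECTED))   # literal, untouched
    print("safe? :", is_safe_address(INJECTED))
```

Note that switching to an argument vector alone is not the whole fix: the child process still receives attacker-controlled data, so the validator matters for whatever that process does with it. Conversely, a validator alone in front of popen is fragile, because every missed shell construct is a new injection.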
The cybersecurity community stresses the critical nature of this vulnerability and the need for swift action. Organizations running Zimbra should treat patching as urgent and, because exploitation began within a day of the public PoC, should assume that any internet-exposed instance that was still unpatched on or after September 28, 2024 may have been targeted and check it for the web shell described above. Continuous monitoring and staying informed about emerging vulnerabilities remain essential to a robust security posture.