Zimbra Email Servers Under Attack: Active Exploitation of Critical RCE Flaw
October 2, 2024
Attackers are actively exploiting a recently disclosed remote code execution (RCE) vulnerability in Zimbra email servers. The flaw, tracked as CVE-2024-45519, lies in Zimbra's postjournal service, a component that receives incoming messages over SMTP. Exploitation requires nothing more than sending an email with shell commands embedded in the CC field: when the postjournal service processes the message, those commands are executed on the server. The activity was first spotted by Ivan Kwiatkowski, a threat researcher at HarfangLab, who described it as 'mass-exploitation.'
The activity was also confirmed by researchers at Proofpoint, who observed it on September 28, one day after a proof-of-concept exploit was published by ProjectDiscovery. The attackers send emails that spoof Gmail, using fake sender addresses and placing the malicious payload in the message's 'CC' field. If the message is composed correctly, the Zimbra server executes the commands embedded in that field.
The emails carry base64-encoded strings that are decoded and run through the 'sh' shell to write a webshell onto the Zimbra server. Once in place, the webshell waits for inbound requests carrying a specific JSESSIONID cookie value. If that cookie matches, the webshell reads a second cookie, JACTION, which holds base64-encoded commands to execute. The webshell can also download and execute files on the compromised host. In effect, it gives the attacker full control of the Zimbra server, whether for data theft or as a foothold for moving further into the internal network.
Last week, ProjectDiscovery published a technical write-up on CVE-2024-45519, including a proof-of-concept exploit that matches what is now being seen in the wild. By reverse-engineering Zimbra's patch, the researchers found that a call to 'popen', which was handed a command string containing user-controlled input, had been replaced with 'execvp', which takes an argument vector rather than a shell command line, and that input sanitization had been added in front of it. Before the patch, an attacker could send SMTP commands to the postjournal service on port 10027 and achieve arbitrary command execution. The working exploit was also released as a 'ready-to-use' Python script on GitHub.
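To make the popen-versus-execvp distinction concrete, the following C program is an added illustration of the bug class the write-up describes; it is not Zimbra's code and not ProjectDiscovery's exploit. The function names (vuln_echo, safe_echo, address_is_safe), the use of echo as a stand-in for whatever the real service ran, and the test address with a $( ) command substitution are all assumptions constructed for this example. The vulnerable path interpolates an untrusted address into a command string and hands it to popen(), which runs it through sh; the hardened path validates the address against an allowlist and passes it as one argv element to execvp(), so no shell ever parses it.

```c
/* Added example, not Zimbra code: the popen() -> execvp() bug class
 * behind CVE-2024-45519 as the page describes it. All names and the
 * sample addresses below are constructed for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Allowlist check for a mail address: letters, digits and a few safe
 * punctuation characters. Anything a shell treats specially
 * ($, `, ;, |, &, quotes, whitespace, parentheses) is rejected. */
int address_is_safe(const char *addr)
{
    static const char extra[] = "@.-_+=";
    size_t len = strlen(addr);
    if (len == 0 || len > 254)
        return 0;
    for (const char *p = addr; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
            (c >= '0' && c <= '9') || strchr(extra, c))
            continue;
        return 0;
    }
    return 1;
}

/* Vulnerable pattern: build a shell command line containing the
 * untrusted address and let popen() run it via "sh -c". Copies the
 * first line of output into out; returns pclose() status or -1. */
int vuln_echo(const char *addr, char *out, size_t n)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "echo %s", addr);   /* injection point */
    FILE *fp = popen(cmd, "r");
    if (!fp)
        return -1;
    if (!fgets(out, (int)n, fp))
        out[0] = '\0';
    return pclose(fp);
}

/* Hardened pattern: reject unsafe input, then fork and execvp() an
 * argument vector. The address is a single argv element, so shell
 * metacharacters in it are never interpreted. Returns -1 on rejection
 * or failure, otherwise the child's wait status. */
int safe_echo(const char *addr, char *out, size_t n)
{
    if (!address_is_safe(addr))
        return -1;
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        char *argv[] = { "echo", (char *)addr, NULL };
        execvp("echo", argv);
        _exit(127);
    }
    close(fds[1]);
    FILE *fp = fdopen(fds[0], "r");
    if (!fp) {
        close(fds[0]);
        return -1;
    }
    if (!fgets(out, (int)n, fp))
        out[0] = '\0';
    fclose(fp);
    int status = 0;
    waitpid(pid, &status, 0);
    return status;
}

int main(void)
{
    /* Constructed address in the shape the page describes: a quoted
     * local part carrying a $( ) command substitution. The payload is
     * a harmless echo rather than a webshell dropper. */
    const char *evil = "\"x$(echo INJECTED)\"@example.com";
    const char *good = "alice@example.com";
    char out[256];

    vuln_echo(evil, out, sizeof out);
    printf("popen path  : %s", out);      /* sh ran the substitution */
    if (safe_echo(evil, out, sizeof out) < 0)
        printf("execvp path : rejected by address_is_safe()\n");
    safe_echo(good, out, sizeof out);
    printf("execvp path : %s", out);      /* printed literally */
    return 0;
}
```

Run as-is, the popen path prints xINJECTED@example.com, showing that sh evaluated the substitution inside the address, while the execvp path refuses the same input and prints the benign address verbatim. The allowlist is deliberately narrow; a production mail component would validate against the address grammar it actually accepts, but the key property is the same: user input reaches execvp() as data, never as a command line.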
To mitigate the threat, researchers recommend that administrators apply the available security updates, disable postjournal if it is not needed, and make sure the 'mynetworks' setting is configured so that only trusted hosts can reach the service. According to Zimbra's security bulletin, CVE-2024-45519 is fixed in 9.0.0 Patch 41 or later, in 10.0.9 and 10.1.1, and in 8.8.15 Patch 46 or later. Given that the vulnerability is under active exploitation, users are strongly urged to upgrade as soon as possible, or at minimum to apply the mitigations above.