Critical Zimbra RCE vulnerability under mass exploitation (CVE-2024-45519)
Attackers are actively exploiting CVE-2024-45519, a critical Zimbra vulnerability that allows them to execute arbitrary commands on vulnerable installations.
Proofpoint’s threat researchers say that the attacks started on September 28 – several weeks after Zimbra developers released patches for CVE-2024-45519 and other flaws, and a day after ProjectDiscovery’s analysts published a detailed technical write-up about the vulnerability and a PoC exploit to demonstrate the potential for local exploitation. Other researchers have published PoCs on GitHub soon after.
About CVE-2024-45519
Zimbra Collaboration (by Synacor) is a widely used cloud-hosted collaboration software and email platform, with an email server and a web client component (for document sharing, chat, and videoconferencing).
CVE-2024-45519 is an OS command injection vulnerability in the solution’s postjournal service (and binary), which is used for recording email communications for compliance and/or archiving. Exploitation of the flaw is possible without authentication.
“The vulnerability stems from unsanitized user input being passed to popen [function] in the unpatched version [of the postjournal binary], enabling attackers to inject arbitrary commands,” ProjectDiscovery’s analysts explained.
“While the patched version introduces input sanitization and replaces popen with execvp, mitigating direct command injection, it’s crucial for administrators to apply the latest patches promptly. Additionally, understanding and correctly configuring the mynetworks parameter is essential, as misconfigurations could expose the service to external exploitation.”
“While the postjournal feature may be optional or not enabled on most systems, it is still necessary to apply the provided patch to prevent potential exploitation,” a Synacor security architect and engineer confirmed when patches for several Zimbra versions were provided in early September.
“For Zimbra systems where the postjournal feature is not enabled and the patch cannot be applied immediately, removing the postjournal binary could be considered as a temporary measure until the patch can be applied.”
Zimbra: A popular target
According to Proofpoint, by sending specially crafted emails, the attackers are trying to install a webshell that would allow them to execute commands or download and execute files over a socket connection.
“For unknown reasons, the threat actor is using the same server to send the exploit emails and host second-stage payloads. The activity is unattributed at this time,” they added.
Zimbra zero-day and n-day vulnerabilities are often exploited by attackers, usually by state-sponsored hacker groups (since Zimbra is used by government agencies as well as companies), but also by ransomware gangs (e.g., MalasLocker).
Organizations that haven’t implemented the latest patch are advised to do so immediately.