Zimbra Vulnerability Exploited

THE THREAT

A recently disclosed vulnerability impacting Zimbra mail servers is being actively exploited by attacker(s). On September 27th, Zimbra publicly disclosed CVE-2024-45519, a vulnerability in the postjournal service which can allow unauthenticated users to execute commands. Attackers have been observed adding base64 encoded commands into the CC field of emails, allowing them to execute commands or retrieve files from an attacker-controlled domain. 

According to a post by Proofpoint on October 1st, attackers began exploiting the vulnerability a day after disclosure. On the same day as the public disclosure, Project Discovery released a technical report providing details on the vulnerability, including Proof-of-Concept (PoC) exploit code. As stated in Project Discovery's report, successful exploitation can "lead to unauthorized access, privilege escalation, and potential compromise of the affected system's integrity and confidentiality” making immediate patching critical. 

What we’re doing about it

• eSentire MDR for Network has detections in place to identify exploitation attempts 
• Known malicious IP addresses are blocked via the eSentire Global Block List 
• The eSentire Threat Intelligence team is actively performing threat hunts based on known Indicators of Compromise (IoCs) 
• The eSentire Threat Response Unit (TRU) is actively tracking this topic for additional details and detection opportunities 
• eSentires' Managed Vulnerability Service (MVS) has plugins in place to identify vulnerable devices

What you should do about it

• Organizations are highly recommended to apply the relevant security patches immediately 
• If patching is not immediately possible, consider:
  • Verify that postjournal is disabled if not required
  • Ensure that mynetworks is correctly configured to prevent unauthorized access 

Additional information

Project Discovery's report states, the issue comes from the postjournal library in Zimbra, which can be attributed to inadequate user input sanitization. Attackers have been attempting to exploit the vulnerability by sending emails spoofing Gmail, sent to "bogus" addresses in the CC fields, in attempt to have the Zimbra server parse and execute them as commands. The examples provided in Proofpoints post on X show base64 strings in the CC field of an email which is executed with the sh utility. 

No CVSS score has been released for CVE-2024-45519 at the time of writing. Based on publicly available details, the eSentire Threat Intelligence team considers this vulnerability to be of critical severity.  

As the vulnerability is trivial to exploit, and PoC exploit code and technical details are publicly available, the eSentire Threat Intelligence team assesses with high confidence that attackers will continue to leverage the vulnerability. 

According to Zimbra’s security advisory, the vulnerability was fixed in versions 9.0.0 Patch 41, 10.0.9, 10.1.1, and 8.8.15 Patch 46.

References:

[1] https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
[2] https://blog.projectdiscovery.io/zimbra-remote-code-execution/
[3] https://x.com/threatinsight/status/1841089939905134793