Company

ABOUT ESENTIRE

eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.

About Us →

Leadership →

Careers →

Event Calendar →

Newsroom →

EVENT CALENDAR

Oct

Progathers CISO/CIO Roundtable Dinner, Chicago

Oct

October TRU Intelligence Briefing

Oct

CISO Strategy Meeting

Oct

FutureCon, San Diego

Oct

FutureCon, Boston

View Calendar →

LATEST PRESS RELEASE

Aug 09, 2024

eSentire Expands Partnership with TD SYNNEX to Bring eSentire’s Award-Winning, 24/7 MDR and SOC Services to Organizations Across North America

Waterloo, Ontario, August 12, 2024 — eSentire, a leading global Managed Detection and Response (MDR) provider, today announced it has expanded its partnership with TD SYNNEX, a leading global distributor and solutions aggregator for the IT ecosystem. eSentire’s all-in-one, 24/7…

View Newsroom →

Speak With A Security Expert Now

TALK TO AN EXPERT

THE THREAT

A recently disclosed vulnerability impacting Zimbra mail servers is being actively exploited by attacker(s). On September 27th, Zimbra publicly disclosed CVE-2024-45519, a vulnerability in the postjournal service which can allow unauthenticated users to execute commands. Attackers have been observed adding base64 encoded commands into the CC field of emails, allowing them to execute commands or retrieve files from an attacker-controlled domain.

According to a post by Proofpoint on October 1st, attackers began exploiting the vulnerability a day after disclosure. On the same day as the public disclosure, Project Discovery released a technical report providing details on the vulnerability, including Proof-of-Concept (PoC) exploit code. As stated in Project Discovery's report, successful exploitation can "lead to unauthorized access, privilege escalation, and potential compromise of the affected system's integrity and confidentiality” making immediate patching critical.

What we’re doing about it

eSentire MDR for Network has detections in place to identify exploitation attempts
Known malicious IP addresses are blocked via the eSentire Global Block List
The eSentire Threat Intelligence team is actively performing threat hunts based on known Indicators of Compromise (IoCs)
The eSentire Threat Response Unit (TRU) is actively tracking this topic for additional details and detection opportunities
eSentires' Managed Vulnerability Service (MVS) will add the relevant plugins as they become available

What you should do about it

Organizations are highly recommended to apply the relevant security patches immediately
If patching is not immediately possible, consider:
- Verify that postjournal is disabled if not required
- Ensure that mynetworks is correctly configured to prevent unauthorized access

Additional information

Project Discovery's report states, the issue comes from the postjournal library in Zimbra, which can be attributed to inadequate user input sanitization. Attackers have been attempting to exploit the vulnerability by sending emails spoofing Gmail, sent to "bogus" addresses in the CC fields, in attempt to have the Zimbra server parse and execute them as commands. The examples provided in Proofpoints post on X show base64 strings in the CC field of an email which is executed with the sh utility.

No CVSS score has been released for CVE-2024-45519 at the time of writing. Based on publicly available details, the eSentire Threat Intelligence team considers this vulnerability to be of critical severity.

As the vulnerability is trivial to exploit, and PoC exploit code and technical details are publicly available, the eSentire Threat Intelligence team assesses with high confidence that attackers will continue to leverage the vulnerability.

According to Zimbra’s security advisory, the vulnerability was fixed in versions 9.0.0 Patch 41, 10.0.9, 10.1.1, and 8.8.15 Patch 46.

References:

[1] https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
[2] https://blog.projectdiscovery.io/zimbra-remote-code-execution/
[3] https://x.com/threatinsight/status/1841089939905134793

ESENTIRE SERVICES

Managed Detection and Response

All-In-One MDR Solution →

MDR for Microsoft →

MDR for GenAI →

Digital Forensics and Incident Response

Exposure Management Services

ESENTIRE PLATFORM AND PEOPLE

Security Operations Center (SOC)

Extended Detection and Response (XDR)

Technology Integrations

Threat Response Unit (TRU)

Cyber Resilience Team

24/7 MDR SIGNALS

Network

Endpoint

Log

Cloud

Identity

INDUSTRIES

Insurance

Construction

Finance

Legal

Manufacturing

Private Equity

Healthcare

Retail

Food Supply

Government and Education

Automotive Dealerships

USE CASES

Ransomware

Cybersecurity Compliance

Zero Day Attacks

Cloud Misconfiguration

Third-Party Risk

Do More With Less

Cyber Risk

Cyber Insurance

Sensitive Data Security

Security Leadership

Cyber Threat Intelligence

MDR Pricing

From The Blog

AI May Be A Powerful Tool, But It’s No Substitute for Cyber Experts

Go Injector Leading to Stealers

eSentire recognized as CrowdStrike’s 2024 Global MSSP Partner of the Year…

Resources

Case Studies

TRU Intelligence Center

Cybersecurity Tools

Videos

Reports

Webinars

Data Sheets

Real vs. Fake MDR

Compare MDR Vendors

Blogs

Security Advisories

SECURITY ADVISORIES

Zimbra Vulnerability Exploited

PoC Exploit Code Released for Ivanti Vulnerability