Security
Headlines
HeadlinesLatestCVEs

Headline

Zimbra RCE Vuln Under Attack Needs Immediate Patching

The bug gives attackers a way to run arbitrary code on affected servers and take control of them.

DARKReading
#vulnerability#web#js#intel#rce#perl#auth#zero_day

Source: Color4260 via Shutterstock

Attackers are actively targeting a severe remote code execution vulnerability that Zimbra recently disclosed in its SMTP server, heightening the urgency for affected organizations to patch vulnerable instances right away.

The bug, identified as CVE-2024-45519, is present in the Zimbra postjournal service component for email journaling and archiving. It allows an unauthenticated remote attacker to execute arbitrary commands on a vulnerable system and take control of it. Zimbra issued updates for affected versions last week but has not released any details of the flaw so far.

Attacks Began Sept. 28

Researchers at Proofpoint this week reported observing attacks targeting the flaw beginning on Sept. 28 and have continued unabated. In a series of posts on X, the security vendor described the attackers as sending spoofed emails that look like they are from Gmail to vulnerable Zimbra servers. The emails contain base64-encoded malicious code in the CC field instead of normal email addresses. This code is crafted to trick Zimbra into running it as shell commands, rather than processing it as a regular email address. This technique could potentially allow attackers to execute unauthorized commands on affected Zimbra servers, Proofpoint said.

“Some emails from the same sender used a series of CC’d addresses attempting to build a Web shell on a vulnerable Zimbra server,” Proofpoint said. “The full CC list is wrapped as a string, and if the base64 blobs are concatenated, they decode to a command to write a Web shell.”

The Web shell allows the attacker to remotely access the server via specially crafted HTTP requests and to modify files, access sensitive data, and execute other arbitrary commands. The attackers can use it to download and run malicious code on a vulnerable system, Proofpoint said. “Once installed, the webshell listens for inbound connection with a pre-determined JSESSIONID Cookie field,” the vendor noted. “If present, the webshell will then parse the JACTION cookie for base64 commands. The webshell has support for command execution via exec or download and execute a file over a socket connection.”

Patch Yesterday

Ivan Kwiatkowski, a threat researcher at HarfangLab, said the malcious emails are coming from 79.124.49[.]86, which appears to be based in Bulgaria. “If you’re using @Zimbra, mass-exploitation of CVE-2024-45519 has begun. Patch yesterday.”

Notably, the threat actor is using the same server for sending the exploit emails and hosting the second-stage payload, which suggests a relatively immature operation, says Greg Lesnewich, threat researcher at Proofpoint. “It speaks to the fact that the actor does not have a distributed set of infrastructure to send exploit emails and handle infections after successful exploitation,” Lesnewich says. “We would expect the email server and payload servers to be different entities in a more mature operation.”

Lesnewich says the volume of attacks has remained roughly the same since they began last week and appear to be more opportunistic in nature than targeted.

Input Sanitization Error

Researchers at the open source Project Discovery released a proof-of-concept for the vulnerability on Sept. 27. They identified the issue as stemming from a failure to properly sanitize user input, thereby enabling attackers to inject arbitrary commands. Zimbra’s patched versions of the software have addressed the issue and neutralized the ability for direct command injection, the researchers wrote. Even so, “it’s crucial for administrators to apply the latest patches promptly,” they noted. “Additionally, understanding and correctly configuring the mynetworks parameter is essential, as misconfigurations could expose the service to external exploitation.”

Thousands of companies and millions of users use Zimbra Collaboration Suite for email, calendaring, chat, and video services. Its popularity has made the technology a big target for attackers. Last year, for instance, researchers found as many as four Chinese advanced persistent threat actors leveraging a Zimbra zero-day (CVE-2023-37580) to target government agencies worldwide. Zimbra patched the flaw in July 2023 a month after the attacks began. Last February, researchers at W Labs spotted North Korea’s prolific Lazarus Group attempting to steal intelligence from organizations in the healthcare and energy sectors by targeted unpatched Zimbra servers.

About the Author

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master’s degree in Statistics and lives in Naperville, Ill.

Related news

Researchers Warn of Ongoing Attacks Exploiting Critical Zimbra Postjournal Flaw

Cybersecurity researchers are warning about active exploitation attempts targeting a newly disclosed security flaw in Synacor's Zimbra Collaboration. Enterprise security firm Proofpoint said it began observing the activity starting September 28, 2024. The attacks seek to exploit CVE-2024-45519, a severe security flaw in Zimbra's postjournal service that could enable unauthenticated attackers to

Zero-Day Flaw in Zimbra Email Software Exploited by Four Hacker Groups

A zero-day flaw in the Zimbra Collaboration email software was exploited by four different groups in real-world attacks to pilfer email data, user credentials, and authentication tokens. "Most of this activity occurred after the initial fix became public on GitHub," Google Threat Analysis Group (TAG) said in a report shared with The Hacker News. The flaw, tracked as CVE-2023-37580 (CVSS score:

DARKReading: Latest News

Cross-Site Scripting Is 2024's Most Dangerous Software Weakness