Zimbra Postjournal Flaw

Cybersecurity researchers are warning about active exploitation attempts targeting a newly disclosed security flaw in Synacor's Zimbra Collaboration.

Enterprise security firm Proofpoint said it began observing the activity starting September 28, 2024. The attacks seek to exploit CVE-2024-45519, a severe security flaw in Zimbra's postjournal service that could enable unauthenticated attackers to execute arbitrary commands on affected installations.

"The emails spoofing Gmail were sent to bogus addresses in the CC fields in an attempt for Zimbra servers to parse and execute them as commands," Proofpoint said in a series of posts on X. "The addresses contained Base64 strings that are executed with the sh utility."

Cybersecurity

The critical issue was addressed by Zimbra in versions 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, and 10.1.1 released on September 4, 2024. A security researcher named lebr0nli (Alan Li) has been credited with discovering and reporting the shortcoming.

"While the postjournal feature may be optional or not enabled on most systems, it is still necessary to apply the provided patch to prevent potential exploitation," Ashish Kataria, a security architect engineer at Synacor, noted in a comment on September 19, 2024.

"For Zimbra systems where the postjournal feature is not enabled and the patch cannot be applied immediately, removing the postjournal binary could be considered as a temporary measure until the patch can be applied."

Zimbra Postjournal Flaw

Proofpoint said it identified a series of CC'd addresses, that when decoded, attempt to write a web shell on a vulnerable Zimbra server at the location: "/jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp."

The installed web shell subsequently listens for inbound connection with a pre-determined JSESSIONID Cookie field, and if present, it proceeds to parse the JACTION cookie for Base64 commands.

The web shell comes equipped with support for command execution via exec. Alternatively, it can also download and execute a file over a socket connection. The attacks have not been attributed to a known threat actor or group as of the time of this writing.

Cybersecurity

That said, exploitation activity appears to have commenced a day after Project Discovery released technical details of the flaw, which said it "stems from unsanitized user input being passed to popen in the unpatched version, enabling attackers to inject arbitrary commands."

The cybersecurity company said the problem is rooted in the manner the C-based postjournal binary handles and parses recipient email addresses in a function called "msg_handler()," thereby allowing command injection on the service running on port 10027 when passing a specially crafted SMTP message with a bogus address (e.g., "aabbb$(curl${IFS}oast.me)"@mail.domain.com).

In light of active exploitation attempts, users are strongly recommended to apply the latest patches for optimum protection against potential threats.

Update

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on October 3, 2024, added CVE-2024-45519 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the flaw by October 24, 2024.


Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.