Zimbra RCE Vuln Under Attack Needs Immediate Patching

Published: 23/11/2024   Category: security




The bug gives attackers a way to run arbitrary code on affected servers and take control of them.



Attackers are actively targeting a severe remote code execution vulnerability that Zimbra recently disclosed in its SMTP server, heightening the urgency for affected organizations to patch vulnerable instances right away.
The bug, identified as CVE-2024-45519, is present in the Zimbra postjournal service component for email journaling and archiving. It allows an unauthenticated remote attacker to execute arbitrary commands on a vulnerable system and take control of it.
Zimbra issued updates for affected versions last week but has not released any details of the flaw so far.
Researchers at Proofpoint this week reported observing attacks targeting the flaw beginning on Sept. 28, and the attacks have continued unabated since. In a series of posts on X, the security vendor described the attackers as sending spoofed emails that appear to come from Gmail to vulnerable Zimbra servers. The emails carry base64-encoded malicious code in the CC field in place of normal email addresses. The code is crafted so that Zimbra runs it as shell commands rather than processing it as an email address, which could allow attackers to execute unauthorized commands on affected Zimbra servers, Proofpoint said.
Some emails from the same sender used a series of CC'd addresses to try to build a Web shell on a vulnerable Zimbra server, Proofpoint said. The full CC list is wrapped as a string, and when the base64 blobs are concatenated, they decode to a command that writes a Web shell.
The Web shell gives the attacker remote access to the server via specially crafted HTTP requests, letting them modify files, access sensitive data, and execute other arbitrary commands; the attackers can use it to download and run malicious code on a vulnerable system, Proofpoint said. Once installed, the Web shell listens for inbound connections carrying a predetermined JSESSIONID cookie, the vendor noted. If that cookie is present, the Web shell parses the JACTION cookie for base64-encoded commands. It supports command execution via exec, or downloading and executing a file over a socket connection.
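Detection logic for the two artifacts Proofpoint describes above, as an added example that is not part of the original article and not any vendor's tooling: the first function joins base64-looking CC local parts in header order and decodes them as one blob, the second flags HTTP requests that carry a JSESSIONID cookie together with a base64 JACTION cookie. The mail messages, the access-log lines and their format, the request path /unknown.jsp and the action string "exec:id" are all constructed for the example; the page does not give the real Web shell path or command syntax, and the shell-keyword list is an assumption to tune.

```python
"""Added example: spot the two artifacts described above in mail and HTTP logs.
All sample inputs below are constructed; nothing here is the real payload."""
import base64
import binascii
import re
from email import message_from_string
from email.utils import getaddresses
from http.cookies import SimpleCookie
from typing import Optional

# --- constructed inbound mail ------------------------------------------------
# The CC "addresses" carry base64 fragments in their local parts; joined in
# order they decode to one shell command (a harmless marker write here).
_COMMAND = b"echo pwned > /tmp/marker.txt"
_B64 = base64.b64encode(_COMMAND).decode()
_FRAGMENTS = [_B64[i:i + 8] for i in range(0, len(_B64), 8)]
SAMPLE_MAIL = (
    "From: someone@gmail.com\r\n"
    "To: admin@zimbra.example.org\r\n"
    "CC: " + ", ".join(f"{frag}@example.org" for frag in _FRAGMENTS) + "\r\n"
    "Subject: hello\r\n\r\nbody\r\n"
)
CLEAN_MAIL = (
    "From: alice@example.org\r\nTo: admin@zimbra.example.org\r\n"
    "CC: charlie@example.org, bob@example.org\r\nSubject: hi\r\n\r\nbody\r\n"
)

_B64_RE = re.compile(r"^[A-Za-z0-9+/]{6,}={0,2}$")   # base64-looking local part
# Assumed shell indicators; extend for your environment.
_SHELL_HINTS = ("sh ", "|", ">", "$(", "`", "curl", "wget", "echo", "base64", "/tmp")


def _b64decode_lenient(blob: str) -> Optional[bytes]:
    """Decode after fixing padding; None when the text is not valid base64."""
    blob = blob.strip()
    blob += "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def _is_ascii_text(raw: bytes) -> bool:
    return bool(raw) and all(32 <= b < 127 or b in (9, 10, 13) for b in raw)


def scan_cc_for_payload(raw_mail: str) -> dict:
    """Join base64-looking CC local parts in header order and try to decode them.

    Individual fragments rarely decode to anything meaningful; the concatenation
    is what yields the command, so the whole list is decoded as one blob."""
    msg = message_from_string(raw_mail)
    fragments = []
    for _name, addr in getaddresses(msg.get_all("CC", [])):
        local = addr.rpartition("@")[0].strip('"')
        if _B64_RE.match(local):
            fragments.append(local)
    raw = _b64decode_lenient("".join(fragments)) if fragments else None
    text = raw.decode("ascii") if raw is not None and _is_ascii_text(raw) else ""
    suspicious = any(h in text for h in _SHELL_HINTS)
    return {"fragments": len(fragments), "decoded": text, "suspicious": suspicious}


# --- constructed access-log lines -------------------------------------------
# Format: client "request line" status cookie="<Cookie header>".  The path
# /unknown.jsp and the action string "exec:id" are placeholders.
_JACTION = base64.b64encode(b"exec:id").decode()
SAMPLE_HTTP_LOG = [
    '198.51.100.4 "GET /zimbra/ HTTP/1.1" 200 cookie="ZM_TEST=true; JSESSIONID=node01abc"',
    f'203.0.113.7 "POST /unknown.jsp HTTP/1.1" 200 cookie="JSESSIONID=k9s3; JACTION={_JACTION}"',
    '198.51.100.4 "POST /service/soap HTTP/1.1" 200 cookie="JSESSIONID=node02def; ZM_AUTH_TOKEN=x"',
]
_LOG_RE = re.compile(r'^(?P<ip>\S+) "(?P<req>[^"]+)" (?P<status>\d+) cookie="(?P<cookie>[^"]*)"$')


def scan_http_log(lines) -> list:
    """Flag requests carrying JSESSIONID plus a JACTION cookie that decodes as base64.

    JSESSIONID alone is normal for Zimbra's Java web tier, so JACTION is the
    discriminating signal, not the session cookie."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        jar = SimpleCookie()
        jar.load(m["cookie"])
        if "JSESSIONID" not in jar or "JACTION" not in jar:
            continue
        raw = _b64decode_lenient(jar["JACTION"].value)
        if raw is None:
            continue
        hits.append({"ip": m["ip"], "request": m["req"],
                     "action": raw.decode("ascii", "replace")})
    return hits


if __name__ == "__main__":
    print(scan_cc_for_payload(SAMPLE_MAIL))
    print(scan_cc_for_payload(CLEAN_MAIL))
    print(scan_http_log(SAMPLE_HTTP_LOG))
```

Ordinary local parts such as "charlie" also match the base64 alphabet, so the regex is only the first filter; the decode, the printable-ASCII check and the shell-keyword check are what keep false positives down, and the clean sample shows a real name falling through all three. On the HTTP side, alert on the JACTION cookie rather than on JSESSIONID, which every legitimate Zimbra webmail session carries.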
Ivan Kwiatkowski, a threat researcher at HarfangLab, said the malicious emails are coming from 79.124.49[.]86, which appears to be based in Bulgaria. "If you're using @Zimbra, mass-exploitation of CVE-2024-45519 has begun. Patch yesterday," Kwiatkowski wrote.
"Notably, the threat actor is using the same server for sending the exploit emails and hosting the second-stage payload, which suggests a relatively immature operation," says Greg Lesnewich, threat researcher at Proofpoint. "It speaks to the fact that the actor does not have a distributed set of infrastructure to send exploit emails and handle infections after successful exploitation," Lesnewich says. "We would expect the email server and payload servers to be different entities in a more mature operation."
Lesnewich says the volume of attacks has remained roughly the same since they began last week, and that the attacks appear to be opportunistic rather than targeted.
Researchers at the open source ProjectDiscovery released a proof-of-concept for the vulnerability on Sept. 27. They identified the issue as stemming from a failure to properly sanitize user input, which enables attackers to inject arbitrary commands. Zimbra's patched versions of the software have addressed the issue and removed the direct command injection, the researchers wrote. Even so, it's crucial for administrators to apply the latest patches promptly, they noted. Additionally, understanding and correctly configuring the mynetworks parameter is essential, as misconfigurations could expose the service to external exploitation.
Thousands of companies and millions of users use Zimbra Collaboration Suite for email, calendaring, chat, and video services. Its popularity has made the technology a big target for attackers. Last year, for instance, researchers found as many as four Chinese advanced persistent threat actors leveraging a Zimbra zero-day (CVE-2023-37580) to target government agencies worldwide. Zimbra patched the flaw in July 2023, a month after the attacks began. Last February, researchers at WithSecure Labs spotted North Korea's prolific Lazarus Group attempting to steal intelligence from organizations in the healthcare and energy sectors by targeting unpatched Zimbra servers.
