Critical Zimbra RCE flaw actively exploited to take over servers

October 2, 2024 at 10:20AM

Attackers are exploiting a Zimbra email server vulnerability (CVE-2024-45519) by sending specially crafted emails that trigger remote code execution. Proofpoint, which detected the "mass-exploitation", reports that the malicious emails spoof Gmail senders and carry fake addresses in the CC field with shell commands embedded in them. A successful exploit installs a webshell that gives full access to the compromised server, so affected administrators need to act immediately.

Key takeaways from the reporting so far:

1. Hackers are actively exploiting a remote code execution vulnerability (CVE-2024-45519) in Zimbra email servers by sending specially crafted emails to the SMTP server.

2. The vulnerability is in Zimbra's postjournal service, which passes address strings taken from incoming mail to a shell without sanitizing them. Shell command syntax placed in a recipient address (the "CC" field in the observed attacks) is therefore executed on the server.

3. The malicious emails spoof Gmail and carry fake email addresses with malicious code in the "CC" field. If postjournal is enabled on the target, the server hands the crafted address to a shell, which runs the embedded command.

4. The crafted addresses contain base64-encoded strings that are decoded and executed via the 'sh' shell, and the decoded command installs a webshell on the Zimbra server.

5. The installed webshell on the compromised Zimbra server allows for data theft and further access to the internal network.

6. ProjectDiscovery researchers published a technical write-up and a proof-of-concept exploit for CVE-2024-45519, including a working Python script. They advised administrators to apply the available security updates, disable 'postjournal' if it is not required, and make sure Postfix's 'mynetworks' setting is configured correctly so that untrusted hosts are not treated as internal.

7. Zimbra has released security updates resolving CVE-2024-45519 (8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9 and 10.1.1). Affected users are strongly advised to upgrade to those versions or apply the mitigations above as soon as possible.
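The two practical questions a defender has after reading the above are "what does one of these crafted CC entries look like in a message, and what is the decoded payload?" and "what is the difference between the coding pattern that causes this bug class and the safe one?" The following is an added example written for this article; it is not Proofpoint's, ProjectDiscovery's or Zimbra's code. The sample message, the header names scanned, the regular expressions and the harmless inner command are all constructed for illustration, and the injection shown (a `$(echo <base64> | base64 -d | sh)` substitution inside the address part) is one plausible shape of the technique the article describes, not a reproduction of a real captured email.

```python
"""Scan a raw message for recipient addresses that smuggle shell commands
(the delivery shape described for CVE-2024-45519) and contrast the
shell-string invocation that causes such bugs with an argv-list call.

Added example for this article, not Proofpoint's, ProjectDiscovery's or
Zimbra's code.  Everything below (sample message, headers, patterns) is
constructed for illustration."""
import base64
import email
import re
import subprocess

# Headers whose values a postjournal-style component might treat as addresses.
ADDRESS_HEADERS = ("To", "Cc", "Bcc", "From", "Reply-To")

# Shell constructs that have no business in a mailbox the server will reuse
# in a command: $( ), backticks and the ; | & separators.  Angle brackets and
# quotes are legal address syntax, so they are deliberately not flagged.
SHELL_META = re.compile(r"\$\(|`|[;|&]")

# The "echo <b64> | base64 -d | sh" idiom (bash/--decode variants included).
B64_TO_SH = re.compile(
    r"echo\s+([A-Za-z0-9+/=]{8,})\s*\|\s*base64\s+(?:-d|--decode)\s*\|\s*(?:sh|bash)\b"
)


def find_injections(raw_message: str) -> list[dict]:
    """Return one record per address header carrying shell syntax.

    Each record has the header name, the raw header value and, when the
    value uses the base64-to-sh idiom, the decoded command for the analyst."""
    msg = email.message_from_string(raw_message)  # compat32 policy: lenient, never raises
    hits = []
    for header in ADDRESS_HEADERS:
        for value in msg.get_all(header, []):
            if not SHELL_META.search(value):
                continue
            decoded = None
            m = B64_TO_SH.search(value)
            if m:
                try:
                    decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
                except ValueError:  # binascii.Error is a ValueError subclass
                    decoded = "<undecodable base64>"
            hits.append({"header": header, "value": value, "decoded": decoded})
    return hits


def vulnerable_invoke(address: str) -> str:
    """The pattern behind this bug class: the address is spliced into a
    command string that /bin/sh then parses.  Only `echo` runs here, but any
    $(...) inside ADDRESS is still expanded by the shell."""
    return subprocess.run(
        f"echo {address}", shell=True, capture_output=True, text=True
    ).stdout.strip()


def safe_invoke(address: str) -> str:
    """Same intent, no shell: with an argv list the address is one literal
    argument, so $(...) is printed back verbatim instead of being executed."""
    return subprocess.run(["echo", address], capture_output=True, text=True).stdout.strip()


# Constructed sample: a Gmail-spoofed sender and a Cc entry whose address part
# contains a command substitution.  The inner command is deliberately harmless.
INNER_COMMAND = "id > /tmp/postjournal-poc"
SAMPLE_CC = (
    '"aabbccddeeff@gmail.com" <aabbccddeeff$(echo '
    + base64.b64encode(INNER_COMMAND.encode()).decode()
    + "|base64 -d|sh)@gmail.com>"
)
SAMPLE_MESSAGE = (
    "From: Sender <someone@gmail.com>\r\n"
    "To: victim@example.com\r\n"
    f"Cc: {SAMPLE_CC}\r\n"
    "Subject: hello\r\n"
    "\r\n"
    "body\r\n"
)


def main() -> None:
    for hit in find_injections(SAMPLE_MESSAGE):
        print(f"[{hit['header']}] {hit['value']}")
        if hit["decoded"]:
            print(f"    decoded payload: {hit['decoded']}")
    probe = "x$(echo injected)y"
    print("shell=True :", vulnerable_invoke(probe))  # substitution expanded
    print("argv list  :", safe_invoke(probe))        # printed literally


if __name__ == "__main__":
    main()
```

Run it against a saved `.eml` by reading the file into `find_injections`. Note that an allow-list on address characters is not a substitute for the argv-list fix: RFC 5321 permits `$`, `|`, `&` and backticks in a local part, so the only reliable mitigation is never to let a shell parse the address at all, which is also why disabling postjournal removes the exposure entirely.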

It is crucial for affected users to take immediate action to protect their Zimbra email servers from this active exploitation.
