October 2, 2024 at 10:35AM
Hackers are exploiting a Zimbra email server vulnerability (CVE-2024-45519) by sending specially crafted emails to the SMTP server, which allows them to execute commands on the server. Proofpoint detected the malicious activity and a proof-of-concept exploit has been released; users are urged to update to patched versions or apply the preventive measures listed below.
Key takeaways:
1. There is an actively exploited remote code execution (RCE) vulnerability in Zimbra email servers, tracked as CVE-2024-45519, that allows attackers to execute commands by sending specially crafted emails to the SMTP server.
2. The vulnerability exists in Zimbra’s postjournal service, which processes incoming emails over SMTP.
3. Malicious activity exploiting this vulnerability has been reported by multiple sources, including HarfangLab’s threat researcher Ivan Kwiatkowski and experts at Proofpoint.
4. Attackers are sending emails that spoof Gmail and contain fake email addresses and base64-encoded commands in the email’s “CC” field to exploit the vulnerability.
5. The malicious emails aim to install a webshell on the Zimbra server, which gives the attackers full access to it for data theft or for spreading further into the internal network.
6. Researchers have published a proof-of-concept exploit for the vulnerability, and Zimbra has released security updates to address CVE-2024-45519 in specific versions of its software.
7. In addition to applying the available security updates, system administrators are advised to consider disabling the ‘postjournal’ service if not required and ensure that ‘mynetworks’ is correctly configured to prevent unauthorized access.
Overall, it is strongly recommended that impacted users upgrade to the new versions of Zimbra as soon as possible or apply the mitigation measures to protect their systems from this actively exploited vulnerability.
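Point 4 above describes an observable artifact: base64-encoded content placed in the CC field of messages arriving over SMTP. The following detection heuristic is an added example, not code from the report or from Zimbra, that a defender could run over archived or quarantined messages to flag CC addresses whose display name or local-part is a long, valid base64 token. The sample messages are constructed for the example (the suspicious one encodes a harmless marker string, not a real payload), and the 16-character threshold is an assumption chosen to keep ordinary mailbox names from matching.

```python
import base64
import binascii
import re
from email import message_from_string
from email.policy import default
from email.utils import getaddresses

# Tokens drawn from the base64 alphabet, long enough that an ordinary
# mailbox name or display name is unlikely to match by accident.
# (The 16-character minimum is an assumption for this example.)
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_if_base64(token: str):
    """Return the decoded text if `token` is valid base64 for printable ASCII, else None."""
    core = token.rstrip("=")
    padded = core + "=" * (-len(core) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not text or not text.isprintable():
        return None
    return text


def scan_cc_field(raw_message: str):
    """Return a list of (address, decoded_text) findings for base64-like tokens in CC.

    Only the CC header is inspected, since that is where the report says the
    encoded content was placed. The result is a triage signal, not a verdict.
    """
    msg = message_from_string(raw_message, policy=default)
    headers = [str(h) for h in msg.get_all("Cc", [])]
    findings = []
    for name, addr in getaddresses(headers):
        # Inspect the display name and the local-part separately; a shape like
        # <token@host> is the one described in the report.
        local_part = addr.rsplit("@", 1)[0]
        for field in (name, local_part):
            for token in B64_TOKEN.findall(field):
                decoded = decode_if_base64(token)
                if decoded is not None:
                    findings.append((addr, decoded))
    return findings


# Constructed samples, not real captures. The suspicious CC local-part is the
# base64 encoding of a harmless marker string standing in for encoded content.
MARKER = base64.b64encode(b"constructed-sample-token").decode()
SAMPLE_SUSPICIOUS = (
    'From: "Notice" <notice@gmail.com>\r\n'
    "To: admin@example.com\r\n"
    f'CC: "list" <{MARKER}@example.com>\r\n'
    "Subject: constructed sample\r\n"
    "\r\n"
    "body\r\n"
)
SAMPLE_BENIGN = (
    'From: "Colleague" <colleague@example.com>\r\n'
    "To: admin@example.com\r\n"
    'CC: "Accounts Receivable" <accounts.receivable@example.com>\r\n'
    "Subject: invoice\r\n"
    "\r\n"
    "body\r\n"
)

if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, scan_cc_field(sample))
```

A long plain word such as a department name can match the token regex, but it rarely decodes to printable ASCII, which is what keeps the false-positive rate low; treat any hit as a prompt to pull the full message and the postjournal and MTA logs for that delivery, not as proof of compromise.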