October 2, 2024 at 02:31AM
A critical security flaw, CVE-2024-45519, has been actively exploited in Synacor’s Zimbra Collaboration. The flaw allows unauthenticated attackers to execute arbitrary commands. The issue was addressed in Zimbra versions 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, and 10.1.1. Users are strongly advised to apply the latest patches for protection.
Key Takeaways from the Meeting Notes:
– Security researchers have discovered active exploitation of a newly disclosed security flaw in Synacor’s Zimbra Collaboration, tracked as CVE-2024-45519.
– The attacks seek to exploit the postjournal service vulnerability in Zimbra installations, allowing unauthenticated attackers to execute arbitrary commands.
– Proofpoint has observed the exploitation attempts: emails spoofing Gmail are sent with bogus addresses in the CC field, and those addresses contain Base64 strings that are executed with the sh utility.
– Zimbra has released patches for versions 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, and 10.1.1 to address the critical security flaw.
– Security architect engineer Ashish Kataria recommends applying the patch immediately, or temporarily removing the postjournal binary for systems where the feature is not enabled.
– Proofpoint has identified a series of CC’d addresses used in attempts to write a web shell to vulnerable Zimbra servers; the web shell then listens for inbound connections and can execute commands or download and execute files.
– Project Discovery released technical details of the flaw, attributing it to unsanitized user input being passed to popen in the unpatched version, enabling attackers to inject arbitrary commands.
– The problem is rooted in the postjournal binary’s handling and parsing of recipient email addresses, allowing command injection when a specially crafted SMTP message is passed.
– Users are strongly recommended to apply the latest patches for protection against potential threats.
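Because the activity described above delivers its strings as recipient addresses, a defender can triage inbound mail (or retained copies) by checking whether each To/Cc local part looks like a mailbox or like shell input. The following is an added detection example, not Zimbra's or Proofpoint's code; the message, the addresses and the Base64 payload (a harmless echo) are constructed samples.

```python
import base64
import binascii
import email
import re
from email.utils import getaddresses

# Shell metacharacters a mailbox local part never needs; any one of them is enough to flag.
SHELL_META = re.compile(r'[|;&`$(){}<>\\\n]')
# A run of Base64 alphabet long enough to carry a command rather than a user name.
B64_RUN = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')


def classify_address(addr: str) -> list[str]:
    """Return the reasons an address is suspicious; an empty list means it looks like a mailbox."""
    reasons = []
    local = addr.rsplit('@', 1)[0].strip('"')
    if SHELL_META.search(local):
        reasons.append('shell metacharacters in local part')
    for run in B64_RUN.findall(local):
        try:
            decoded = base64.b64decode(run + '=' * (-len(run) % 4), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid Base64 after all, e.g. a long plain username
        if decoded and all(32 <= b < 127 for b in decoded):
            reasons.append(f'base64 run decodes to text: {decoded.decode()!r}')
    return reasons


def scan_message(raw: str) -> dict[str, list[str]]:
    """Map every flagged To/Cc address in a raw RFC 5322 message to its reasons."""
    msg = email.message_from_string(raw)
    hits = {}
    for _, addr in getaddresses(msg.get_all('To', []) + msg.get_all('Cc', [])):
        reasons = classify_address(addr)
        if reasons:
            hits[addr] = reasons
    return hits


# Constructed sample: the Base64 text is a harmless echo, not the observed exploit string.
SAMPLE_B64 = base64.b64encode(b'echo constructed sample').decode()
SAMPLE_MESSAGE = (
    'From: "Google" <no-reply@gmail.com>\n'
    'To: helpdesk@example.test\n'
    f'Cc: alerts@example.test, "x|y"@example.test, "{SAMPLE_B64}"@example.test\n'
    'Subject: constructed sample\n'
    '\n'
    'body\n'
)

if __name__ == '__main__':
    for addr, reasons in scan_message(SAMPLE_MESSAGE).items():
        print(addr, '->', '; '.join(reasons))
```

Ordinary mailboxes produce no reasons, so the script only prints the recipients worth a human look.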
These key takeaways summarize the critical points from the meeting notes regarding the active exploitation attempts and the necessary security measures to address the vulnerability.