Zimbra RCE Vuln Under Attack Needs Immediate Patching


Attackers are actively targeting a severe remote code execution vulnerability that Zimbra recently disclosed in its SMTP server, heightening the urgency for affected organizations to patch vulnerable instances right away.

The bug, identified as CVE-2024-45519, is present in the Zimbra postjournal service component for email journaling and archiving. It allows an unauthenticated remote attacker to execute arbitrary commands on a vulnerable system and take control of it. Zimbra issued updates for affected versions last week but has not released any details of the flaw so far.

Attacks Began Sept. 28

Researchers at Proofpoint this week reported observing attacks targeting the flaw beginning on Sept. 28, and the attacks have continued unabated since. In a series of posts on X, the security vendor described the attackers as sending spoofed emails that look like they are from Gmail to vulnerable Zimbra servers. The emails contain base64-encoded malicious code in the CC field instead of normal email addresses. This code is crafted to trick Zimbra into running it as shell commands, rather than processing it as a regular email address. This technique could potentially allow attackers to execute unauthorized commands on affected Zimbra servers, Proofpoint said.

“Some emails from the same sender used a series of CC’d addresses attempting to build a Web shell on a vulnerable Zimbra server,” Proofpoint said. “The full CC list is wrapped as a string, and if the base64 blobs are concatenated, they decode to a command to write a Web shell.”

The Web shell allows the attacker to remotely access the server via specially crafted HTTP requests and to modify files, access sensitive data, and execute other arbitrary commands. The attackers can use it to download and run malicious code on a vulnerable system, Proofpoint said. “Once installed, the webshell listens for inbound connection with a pre-determined JSESSIONID Cookie field,” the vendor noted. “If present, the webshell will then parse the JACTION cookie for base64 commands. The webshell has support for command execution via exec or download and execute a file over a socket connection.”
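The two indicators Proofpoint describes above, base64 blobs in the CC field that concatenate to shell input and web shell requests carrying a JSESSIONID cookie next to a base64 JACTION cookie, can both be checked mechanically. The following Python script is an added example written for this article; it is not Proofpoint's tooling or Zimbra code. The Cc and Cookie header values it runs on are constructed samples, the decoded strings are harmless placeholders chosen only to exercise the checks, and the regexes for "looks like an address" and "looks like shell input" are assumptions a defender would tune to their own mail and web logs.

```python
import base64
import binascii
import re

# Constructed samples (not data from the campaign): a benign Cc header, a Cc
# header mixing a real address with base64 blobs, and two Cookie headers in
# the shape the article attributes to the web shell.
BENIGN_CC = 'ops@corp.example, "Jane Doe" <jane@corp.example>'
SUSPICIOUS_CC = "ops@corp.example, dW5hbWUgLWE=, ID4gL3RtcC9vdXQ="
BENIGN_COOKIE = "ZM_AUTH_TOKEN=0_abc123; JSESSIONID=1A2B3C"
SUSPICIOUS_COOKIE = "JSESSIONID=1A2B3C; JACTION=aWQ7IHVuYW1lIC1h"

# Assumed heuristics: a plain address, a padded base64 blob, and characters or
# words that have no business in a recipient field or a cookie value.
ADDR_RE = re.compile(r"^[^@\s<>]+@[^@\s<>]+\.[^@\s<>]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
SHELL_HINT_RE = re.compile(r"[;|&`$<>]|\b(?:sh|bash|curl|wget|echo|chmod)\b")


def try_b64(blob):
    """Decode a strict base64 blob to text; return None if it is not base64."""
    if len(blob) % 4 or not B64_RE.match(blob):
        return None
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def split_recipients(header_value):
    """Split a Cc header into entries reduced to their address part.

    'Jane Doe <jane@x>' becomes 'jane@x'; quoted or bare tokens that carry no
    angle-bracket address are returned as-is so the caller can inspect them.
    """
    entries = []
    for raw in header_value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        m = re.search(r"<([^>]+)>", raw)
        entries.append(m.group(1).strip() if m else raw.strip('"'))
    return entries


def analyze_cc(header_value):
    """Report non-address Cc entries, the concatenation of any base64 blobs
    among them (in header order), and whether that text looks like shell input."""
    non_addresses = [e for e in split_recipients(header_value) if not ADDR_RE.match(e)]
    parts = [d for d in (try_b64(e) for e in non_addresses) if d is not None]
    decoded = "".join(parts)
    return {
        "non_addresses": non_addresses,
        "decoded": decoded,
        "shell_like": bool(decoded) and bool(SHELL_HINT_RE.search(decoded)),
    }


def parse_cookies(header_value):
    """Split a Cookie header into a name -> value dict."""
    cookies = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def analyze_cookie(header_value):
    """Flag the web shell pattern from the article: a JSESSIONID cookie present
    alongside a JACTION cookie whose value is base64-encoded command text."""
    cookies = parse_cookies(header_value)
    decoded = try_b64(cookies.get("JACTION", "")) or ""
    has_session = "JSESSIONID" in cookies
    return {
        "has_jsessionid": has_session,
        "jaction_decoded": decoded,
        "shell_like": bool(decoded) and bool(SHELL_HINT_RE.search(decoded)),
        "suspicious": has_session and bool(decoded),
    }


if __name__ == "__main__":
    for label, cc in (("benign cc", BENIGN_CC), ("suspicious cc", SUSPICIOUS_CC)):
        print(label, analyze_cc(cc))
    for label, ck in (("benign cookie", BENIGN_COOKIE), ("suspicious cookie", SUSPICIOUS_COOKIE)):
        print(label, analyze_cookie(ck))
```

The Cc check treats any recipient entry that is not an address as worth decoding, because a legitimate CC list never needs base64; the cookie check treats a decodable JACTION value next to JSESSIONID as suspicious on its own, since the article says the shell keys on exactly that pair, and adds the shell-hint test only as extra evidence.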

Patch Yesterday

Ivan Kwiatkowski, a threat researcher at HarfangLab, said the malicious emails are coming from 79.124.49[.]86, which appears to be based in Bulgaria. “If you’re using @Zimbra, mass-exploitation of CVE-2024-45519 has begun. Patch yesterday.”

Notably, the threat actor is using the same server for sending the exploit emails and hosting the second-stage payload, which suggests a relatively immature operation, says Greg Lesnewich, threat researcher at Proofpoint. “It speaks to the fact that the actor does not have a distributed set of infrastructure to send exploit emails and handle infections after successful exploitation,” Lesnewich says. “We would expect the email server and payload servers to be different entities in a more mature operation.”

Lesnewich says the volume of attacks has remained roughly the same since they began last week, and the attacks appear to be more opportunistic in nature than targeted.

Input Sanitization Error

Researchers at the open source Project Discovery released a proof-of-concept for the vulnerability on Sept. 27. They identified the issue as stemming from a failure to properly sanitize user input, thereby enabling attackers to inject arbitrary commands. Zimbra’s patched versions of the software have addressed the issue and neutralized the ability for direct command injection, the researchers wrote. Even so, “it’s crucial for administrators to apply the latest patches promptly,” they noted. “Additionally, understanding and correctly configuring the mynetworks parameter is essential, as misconfigurations could expose the service to external exploitation.”
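Project Discovery's advice to check the mynetworks setting is the kind of thing worth automating. The script below is an added example, not Project Discovery's or Zimbra's code: it takes the value in the form Postfix accepts for mynetworks (a comma- or space-separated list of CIDR ranges, IPv6 ranges in square brackets; Zimbra stores the same list in its zimbraMtaMyNetworks attribute) and flags entries that extend trust beyond loopback and private address space. The sample values, the /8 and /32 "too broad" thresholds, and the decision to skip hostnames and file references rather than judge them are assumptions.

```python
import ipaddress
import re

# Constructed sample values (not Zimbra's shipped defaults): one list limited
# to loopback plus an internal LAN, one that also admits the whole Internet and
# a quarter of IPv4 space through a mistyped prefix.
TIGHT_MYNETWORKS = "127.0.0.0/8, [::1]/128, 10.20.0.0/16"
LOOSE_MYNETWORKS = "127.0.0.0/8 0.0.0.0/0 192.0.0.0/2"

# Assumed thresholds: a trusted range broader than this is almost certainly a typo.
MIN_PREFIX = {4: 8, 6: 32}


def parse_mynetworks(value):
    """Return (networks, unparsed): CIDR entries as ip_network objects, plus
    the raw entries (hostnames, file references) this checker does not judge."""
    networks, unparsed = [], []
    for entry in re.split(r"[,\s]+", value.strip()):
        if not entry:
            continue
        # Postfix writes IPv6 ranges as [::1]/128; ipaddress wants ::1/128.
        text = re.sub(r"^\[(.*)\](/\d+)?$", r"\1\2", entry)
        try:
            networks.append(ipaddress.ip_network(text, strict=False))
        except ValueError:
            unparsed.append(entry)
    return networks, unparsed


def audit_mynetworks(value):
    """Return (entry, reason) findings for ranges that grant trust too widely."""
    findings = []
    networks, _ = parse_mynetworks(value)
    for net in networks:
        limit = MIN_PREFIX[net.version]
        if net.prefixlen == 0:
            findings.append((str(net), "admits every address on the Internet"))
        elif net.prefixlen < limit:
            findings.append((str(net), f"prefix /{net.prefixlen} is broader than /{limit}"))
        elif not (net.is_private or net.is_loopback):
            findings.append((str(net), "public range; confirm every host in it should be trusted"))
    return findings


if __name__ == "__main__":
    for label, value in (("tight", TIGHT_MYNETWORKS), ("loose", LOOSE_MYNETWORKS)):
        print(label, audit_mynetworks(value) or "no findings")
```

Run it against the live value after patching as well as before: a patched build removes the command injection, but an overly wide trusted-network list still lets outside hosts reach a service that was meant to accept mail only from the local network.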

Thousands of companies and millions of users use Zimbra Collaboration Suite for email, calendaring, chat, and video services. Its popularity has made the technology a big target for attackers. Last year, for instance, researchers found as many as four Chinese advanced persistent threat actors leveraging a Zimbra zero-day (CVE-2023-37580) to target government agencies worldwide. Zimbra patched the flaw in July 2023, a month after the attacks began. Last February, researchers at W Labs spotted North Korea’s prolific Lazarus Group attempting to steal intelligence from organizations in the healthcare and energy sectors by targeting unpatched Zimbra servers.


