Zimbra Email Servers Under Attack: CISA Flags CVE-2024-45519 as Actively Exploited

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Zimbra email servers, CVE-2024-45519, to its Known Exploited Vulnerabilities (KEV) catalog. This remote code execution (RCE) flaw, specifically targeting Zimbra’s postjournal service, has raised alarms in both government and critical infrastructure sectors, as attackers are actively exploiting it in the wild.

CVE-2024-45519 is a remote code execution vulnerability affecting Zimbra’s postjournal service, which plays a vital role in processing incoming emails over the Simple Mail Transfer Protocol (SMTP). The flaw allows attackers to exploit the system by sending specially crafted emails. Specifically, malicious commands embedded in the CC field of an email can be executed when Zimbra’s postjournal service processes the message, leading to arbitrary command execution on vulnerable servers.

The scope of this flaw is particularly concerning because it bypasses traditional security measures by using a seemingly harmless part of the email structure—the CC field. Attackers have already begun weaponizing this vulnerability, potentially leading to severe consequences for affected organizations, such as data breaches, system compromise, or unauthorized access.

A technical write-up from the security researchers at ProjectDiscovery last week shed light on the flaw’s mechanics and provided insights into the patch that Zimbra issued. The researchers reverse-engineered Zimbra’s patch and found that the vulnerable popen function, which handles user input, was replaced with a more secure function called execvp, incorporating an input sanitization mechanism to block malicious commands.

The research revealed that attackers could send SMTP commands directly to the postjournal service on port 10027, triggering arbitrary command execution if unpatched. In addition, the researchers published a proof-of-concept (PoC) exploit, which matched the attack patterns currently observed in real-world exploitation.

Reports of the first mass exploitation came from Ivan Kwiatkowski, a prominent threat researcher at HarfangLab, who identified widespread malicious activity targeting CVE-2024-45519. Shortly after, security experts at Proofpoint confirmed Kwiatkowski’s findings, detecting the attack one day after the PoC was released by ProjectDiscovery.

As of September 28, 2024, Proofpoint’s team has observed ongoing attacks utilizing this exploit, with CISA subsequently issuing a strong warning. The federal deadline for mitigation has been set for October 24, 2024, giving federal agencies and critical infrastructure organizations a tight window to either apply the patch or discontinue the use of Zimbra’s postjournal service.

Zimbra has promptly addressed the vulnerability in several versions:

• Zimbra 9.0.0 Patch 41 or later
• Zimbra 10.0.9 and 10.1.1
• Zimbra 8.8.15 Patch 46 or later

System administrators are strongly encouraged to apply these updates immediately. In addition to patching, the researchers at ProjectDiscovery have suggested two additional mitigations:

1. Disable the postjournal service if it is not essential to your organization’s operations.
2. Ensure the ‘mynetworks’ setting is correctly configured to block unauthorized access to the email server.

Administrators who neglect to implement these defenses may expose their systems to active exploitation, given the widespread use of Zimbra among businesses and organizations worldwide.

Related Posts:

• PoC Exploit Releases for Zimbra RCE Flaw CVE-2024-45519: Mass Exploitation Detected
• CVE-2023-41106: Zimbra Collaboration Suite Vulnerability Could Allow Unauthenticated Access
• CVE-2024-33533 to 33536: Zimbra Users at Risk of XSS and LFI Attacks
• New APT Exploits Zimbra Vulnerability to Target European Military and Diplomatic Entities