
Ethical Hacking News

Critical Zimbra Postjournal Flaw Exposed: A Security Nightmare for Enterprise Users

A newly disclosed security flaw in Synacor's Zimbra Collaboration has been found to enable unauthenticated attackers to execute arbitrary commands on affected installations, posing a significant threat to enterprise users. Researchers have identified active exploitation attempts targeting the CVE-2024-45519 vulnerability, which must be patched immediately to prevent potential exploitation.

  • Active exploitation attempts have been detected targeting Synacor's Zimbra Collaboration due to a newly disclosed security flaw (CVE-2024-45519).
  • The vulnerability enables unauthenticated attackers to execute arbitrary commands on affected installations.
  • The issue was first reported by Proofpoint, with observed activity starting September 28, 2024.
  • The critical issue lies in the handling and parsing of recipient email addresses in the postjournal service.
  • Patches were released by Zimbra on September 4, 2024, to address the vulnerability.
  • Users are strongly recommended to apply the latest patches for optimum protection against potential threats.

    Cybersecurity researchers have identified active exploitation attempts targeting a newly disclosed security flaw in Synacor's Zimbra Collaboration. The vulnerability, designated as CVE-2024-45519, enables unauthenticated attackers to execute arbitrary commands on affected installations, posing a significant threat to enterprise users.

    The discovery of this critical issue was first reported by Proofpoint, an enterprise security firm that began observing the activity starting September 28, 2024. According to Proofpoint, the attacks seek to exploit the Zimbra postjournal service, which can be used to inject arbitrary commands and execute malicious code on vulnerable servers.

    The root cause is the way the C-based postjournal binary parses recipient email addresses in a function named "msg_handler." In the unpatched version, the unsanitized recipient address is passed to popen, so a specially crafted SMTP message containing a bogus recipient address, delivered to the service listening on port 10027, results in command injection and lets an attacker run arbitrary commands.
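    The defect class described above, as an added illustration that is not Zimbra's postjournal source: a recipient address spliced into a popen() command line (which runs through /bin/sh) next to a hardened path that allow-lists the address and execs the delivery program directly. The program path "/opt/mta/deliver" and the "-r" flag are made up for the example.

```c
/* Added illustration, not Zimbra's postjournal code. Shows the bug class the article
 * describes (recipient address reaching popen()) beside a hardened, shell-free version. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Allow-list check for a recipient: exactly one '@', non-empty local part and domain,
 * and only characters /bin/sh cannot interpret. Returns 1 if acceptable, 0 otherwise. */
int recipient_is_safe(const char *addr) {
    size_t len = strlen(addr);
    const char *at = strchr(addr, '@');
    if (len == 0 || len > 254 || at == NULL || at == addr || at[1] == '\0') return 0;
    if (strchr(at + 1, '@') != NULL) return 0;
    for (const char *p = addr; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (p == at || isalnum(c) || c == '.' || c == '-' || c == '_' || c == '+') continue;
        return 0;
    }
    return 1;
}

/* VULNERABLE shape (hypothetical): the address lands in a string that would then be handed
 * to popen(), i.e. to "sh -c", so any shell metacharacter in it changes the command.
 * Only the string construction is shown; nothing is executed here. */
int build_popen_command(char *out, size_t outlen, const char *recipient) {
    int n = snprintf(out, outlen, "/opt/mta/deliver -r %s", recipient); /* path is made up */
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* HARDENED: validate first, then fork/execv with an argv array. The address is one argv
 * element, so no shell parsing happens. Returns the child's exit status, or -1 when the
 * address is rejected or the child could not be started. */
int deliver_no_shell(const char *prog, const char *recipient) {
    if (!recipient_is_safe(recipient)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)prog, "-r", (char *)recipient, NULL };
        execv(prog, argv);
        _exit(127); /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```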

    In light of the active exploitation attempts, users are strongly recommended to apply the latest patches. Zimbra addressed the issue in versions 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, and 10.1.1, released on September 4, 2024.

    To mitigate this risk, organizations are advised to ensure that all affected installations are patched with the latest updates as soon as possible. Additionally, users can consider removing the postjournal binary as a temporary measure until the patch can be applied.

    Ashish Kataria, a security architect engineer at Synacor, noted in a comment on September 19, 2024, "While the postjournal feature may be optional or not enabled on most systems, it is still necessary to apply the provided patch to prevent potential exploitation." He further emphasized that for Zimbra systems where the postjournal feature is not enabled and the patch cannot be applied immediately, removing the postjournal binary could be considered as a temporary measure until the patch can be applied.

    The attacks were identified using Proofpoint's threat intelligence capabilities, which tracked a series of CC'd addresses that attempt to write a web shell on vulnerable Zimbra servers at the location "/jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp." The installed web shell then listens for inbound connections carrying a pre-determined JSESSIONID cookie value and, if present, parses the JACTION cookie for Base64-encoded commands.

    The web shell supports command execution via exec; alternatively, it can download and execute a file over a socket connection. As of this writing, the attacks have not been attributed to a known threat actor or group.
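    A defender-side check built from the two observable traits above, as an added example that is not Proofpoint's or Zimbra's code: it flags a request to the zimbraConfig.jsp path (assumed to be served at the URL path /zimbraAdmin/public/jsp/zimbraConfig.jsp) or a Cookie header carrying JACTION together with JSESSIONID. The record format and sample lines are constructed, not a real Zimbra log layout.

```c
/* Added detection sketch, not from Proofpoint or Zimbra. Sample records are constructed. */
#include <stdio.h>
#include <string.h>

/* Assumed URL path of the dropped web shell (filesystem location is given in the article). */
#define SHELL_PATH "/zimbraAdmin/public/jsp/zimbraConfig.jsp"

/* Returns a bitmask: 1 = request targets the web shell path, 2 = Cookie header carries
 * JACTION alongside JSESSIONID (the shell's command channel). 0 = nothing matched. */
int classify_request(const char *path, const char *cookie_header) {
    int flags = 0;
    if (path && strstr(path, SHELL_PATH) != NULL) flags |= 1;
    if (cookie_header && strstr(cookie_header, "JSESSIONID=") != NULL &&
        strstr(cookie_header, "JACTION=") != NULL) flags |= 2;
    return flags;
}

/* Scans newline-separated records of the constructed form
 *   <method> <path> <cookie-header-or-->
 * and returns how many of them match either trait. */
int count_suspicious(const char *records) {
    int hits = 0;
    const char *line = records;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        char method[8] = "", path[256] = "", cookie[256] = "";
        if (sscanf(buf, "%7s %255s %255[^\n]", method, path, cookie) >= 2 &&
            classify_request(path, cookie) != 0) hits++;
        line = nl ? nl + 1 : line + len;
    }
    return hits;
}

/* Constructed sample: two benign records and two that match (JACTION values are arbitrary). */
const char *SAMPLE_RECORDS =
    "GET /zimbraAdmin/ JSESSIONID=abc123\n"
    "POST /zimbraAdmin/public/jsp/zimbraConfig.jsp JSESSIONID=abc123;JACTION=Zm9v\n"
    "GET /service/soap -\n"
    "GET /zimbra/ JSESSIONID=def456;JACTION=YmFy\n";
```

A real deployment would read the mailbox or proxy access log instead of the constructed records and alert on any non-zero classification; the presence of the file at the location named in the article is an independent check worth running on the filesystem.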

    This critical security flaw highlights the importance of staying vigilant and applying patches in a timely manner to protect against emerging threats. As cybersecurity researchers continue to monitor the situation, users are urged to prioritize patching their systems and taking proactive measures to prevent potential exploitation of this vulnerability.

    Related Information:

  • https://thehackernews.com/2024/10/researchers-sound-alarm-on-active.html

  • https://arstechnica.com/information-technology/2024/10/attackers-exploit-critical-vulnerability-recently-patched-in-zimbra-servers/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-45519

  • https://www.cvedetails.com/cve/CVE-2024-45519/


  • Published: Fri Oct 4 16:36:33 2024 by llama3.2 3B Q4_K_M