Ethical Hacking News
A recently disclosed RCE vulnerability in Zimbra email servers is being actively exploited through phishing emails, allowing attackers to gain unauthorized access. Upgrading to a fixed version or applying the mitigating steps is recommended to prevent further exploitation.
The recently disclosed Remote Code Execution (RCE) vulnerability in Zimbra email servers has been actively exploited by hackers, allowing unauthorized access through emails. The attackers use spoofed Gmail addresses, fake email addresses, and malicious code in the CC field to trick the postjournal service into parsing commands. They deploy a webshell on the compromised server using base64-encoded strings, which lets them steal sensitive data or launch further attacks. Fixed versions of Zimbra are available (9.0.0 Patch 41 or later, among others), and mitigating steps can be taken.
The IT community is currently reeling from the news that a recently disclosed Remote Code Execution (RCE) vulnerability in Zimbra email servers has been actively exploited by hackers, allowing them to gain unauthorized access to these servers through emails. The exploit, tracked as CVE-2024-45519, exists within Zimbra's postjournal service, which is responsible for parsing incoming emails over SMTP.
According to recent reports from security experts such as Proofpoint and researchers at Project Discovery, the malicious activity began on September 28th, just one day after the proof-of-concept exploit was released. The attackers have been sending emails that spoof Gmail addresses, contain fake email addresses, and include malicious code in the CC field. When properly crafted, these emails trick Zimbra's postjournal service into parsing commands in the CC field, which are then executed on the server.
In this particular attack vector, specific base64-encoded strings are placed in the CC field. These strings are passed to the 'sh' shell to create and deploy a webshell on the compromised Zimbra server. The webshell functions as an entry point for the attackers, who can subsequently access the server using a JSESSIONID cookie field or a second cookie (JACTION) that carries base64-encoded commands.
Once installed, this malicious webshell offers full control over the compromised server to the attackers. It allows them to steal sensitive data, further spread into internal networks, or execute other attacks on the server itself.
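As an added example (not code from the write-ups or from Zimbra), the following Python triage routine applies the pattern described above from a defender's side: it parses a raw Cc header into mailboxes and flags any address that carries shell metacharacters or a long base64-like run, which legitimate mailboxes never do. The header values are constructed samples with harmless content, and the regular expressions are heuristics for log review, not a complete parser for RFC 5322 addresses.

```python
import re
from email.utils import getaddresses

# Shell syntax that a mailbox never needs but that 'sh' would interpret.
SHELL_META = re.compile(r"\$\(|[`|;&<>]")
# A long run from the base64 alphabet, the shape of the payloads described above.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

# Constructed sample Cc values. The second and third mimic the shape of the
# injection (shell syntax and a base64 blob inside a quoted local part) with
# harmless content; the first is a normal header and must not be flagged.
SAMPLE_CC_HEADERS = [
    "Alice <alice@example.com>, bob@example.com",
    '"x$(echo Y29uc3RydWN0ZWQgc2FtcGxl)"@example.com',
    '"a|sh"@example.com',
]


def triage_cc_header(cc_header):
    """Return [(address, [reasons]), ...] for one raw Cc header value.

    An empty list means every mailbox in the header looked ordinary.
    """
    findings = []
    for _display_name, addr in getaddresses([cc_header]):
        if not addr:
            # The parser gave up on this mailbox; treat that as a finding too.
            findings.append(("", ["mailbox could not be parsed"]))
            continue
        reasons = []
        if SHELL_META.search(addr):
            reasons.append("shell metacharacters in address")
        if BASE64_RUN.search(addr):
            reasons.append("base64-like run in address")
        if "@" not in addr:
            reasons.append("mailbox without '@'")
        if reasons:
            findings.append((addr, reasons))
    return findings


def scan_headers(headers):
    """Map each flagged header value to its findings; clean headers are dropped."""
    return {h: triage_cc_header(h) for h in headers if triage_cc_header(h)}


if __name__ == "__main__":
    for header, findings in scan_headers(SAMPLE_CC_HEADERS).items():
        print(header)
        for addr, reasons in findings:
            print("   ", addr, "->", "; ".join(reasons))
```

Feed it the Cc values pulled from your mail logs or message headers; anything it flags deserves a look at the corresponding postjournal activity on the server.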
Project Discovery researchers published a technical write-up and included a proof-of-concept (PoC) exploit for CVE-2024-45519. The researchers analyzed Zimbra's patch and found that it adds an input sanitization mechanism and replaces the vulnerable 'popen' call with 'execvp'. Working backward from this, they were able to reverse-engineer the fix and develop a working exploit as a Python script.
Apart from upgrading to newer versions of Zimbra that have resolved the vulnerability (versions 9.0.0 Patch 41 or later, versions 10.0.9 and 10.1.1, and Zimbra 8.8.15 Patch 46 or later), system administrators can also take mitigating steps such as turning off 'postjournal' if it is not needed for operations and configuring 'mynetworks' to prevent unauthorized access.
Given the active exploitation status of this vulnerability, affected users are strongly recommended to update their systems to newer versions of Zimbra immediately or apply the mitigation measures listed above without delay.
Related Information:
https://www.bleepingcomputer.com/news/security/critical-zimbra-rce-flaw-exploited-to-backdoor-servers-using-emails/
https://arstechnica.com/security/2024/10/attackers-exploit-critical-vulnerability-recently-patched-in-zimbra-servers/
https://nvd.nist.gov/vuln/detail/CVE-2024-45519
https://www.cvedetails.com/cve/CVE-2024-45519/
Published: Thu Oct 3 00:04:43 2024 by llama3.2 3B Q4_K_M