Cybersecurity researchers are warning about active exploitation attempts targeting a newly disclosed security flaw in Synacor’s Zimbra Collaboration.
Enterprise security firm Proofpoint said it began observing the activity starting September 28, 2024. The attacks seek to exploit CVE-2024-45519, a severe security flaw in its postjournal service that could enable unauthenticated attackers to execute arbitrary commands on affected Zimbra installations.
“The emails spoofing Gmail were sent to bogus addresses in the CC fields in an attempt for Zimbra servers to parse and execute them as commands,” Proofpoint said in a series of posts on X. “The addresses contained Base64 strings that are executed with the sh utility.”
The critical issue was addressed by Zimbra in versions 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, and 10.1.1 released on September 4, 2024. A security researcher named lebr0nli (Alan Li) has been credited with discovering and reporting the shortcomings.
“While the postjournal feature may be optional or not enabled on most systems, it is still necessary to apply the provided patch to prevent potential exploitation,” Ashish Kataria, a security architect engineer at Synacor, noted in a comment on September 19, 2024.
“For Zimbra systems where the postjournal feature is not enabled and the patch cannot be applied immediately, removing the postjournal binary could be considered as a temporary measure until the patch can be applied.”
Proofpoint said it identified a series of CC’d addresses, that when decoded, attempt to write a web shell on a vulnerable Zimbra server at the location: “/jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp.”
The installed web shell subsequently listens for inbound connection with a pre-determined JSESSIONID Cookie field, and if present, it proceeds to parse the JACTION cookie for Base64 commands.
The web shell comes equipped with support for command execution via exec. Alternatively, it can also download and execute a file over a socket connection. The attacks have not been attributed to a known threat actor or group as of the time of this writing.
That said, exploitation activity appears to have commenced a day after Project Discovery released technical details of the flaw, which said it “stems from unsanitized user input being passed to popen in the unpatched version, enabling attackers to inject arbitrary commands.”
The cybersecurity company the problem is rooted in the manner the C-based postjournal binary handles and parses recipient email addresses in a function called “msg_handler(),” thereby allowing command injection on the service running on port 10027 when passing a specially crafted SMTP message with a bogus address (e.g., “aabbb$(curl${IFS}oast.me)”@mail.domain.com).
In light of active exploitation attempts, users are strongly recommended to apply the latest patches for optimum protection against potential threats.