Critical Zimbra RCE Exploitation Event

The vulnerability can be triggered by sending emails with commands embedded in the CC field, which the Zimbra server processes, leading to arbitrary command execution. These emails often spoof legitimate sources, such as Gmail, and contain base64-encoded strings that establish a webshell on the server. Once installed, this webshell can listen for specific cookies and execute additional commands, enabling extensive access to the compromised server for data theft or further infiltration into the network. Security researchers have identified this as a “mass-exploitation” event, with active attacks reported shortly after a proof-of-concept exploit was released. To mitigate the risks, Zimbra has issued patches, and system administrators are advised to disable the postjournal service if not needed and ensure proper network configurations.

Vulnerability Details

• CVE Identifier: CVE-2024-45519
• Affected Service: Zimbra’s postjournal service
• Attack Vector: Specially crafted emails sent to the SMTP server

Exploit Mechanism

• Attackers send emails with malicious commands in the CC field.
• The Zimbra server processes these commands, executing them via the ‘sh’ shell.
• Base64 encoded strings are used to establish a webshell that listens for specific cookie values.

Recommendations

• Immediate Action: Apply security updates from Zimbra, specifically versions 9.0.0 Patch 41 or later, versions 10.0.9 and 10.1.1, and Zimbra 8.8.15 Patch 46 or later.
• Preventive Measures: Disable the postjournal service if it is not required and ensure that ‘mynetworks’ is correctly configured to limit unauthorized access.

The ongoing exploitation of this vulnerability underscores the importance of prompt security updates and vigilant system configurations to protect against potential breaches.