Unauthenticated Remote Code Execution in Zimbra Collaboration Suite

ISGroup Cybersecurity

CVE-2024-45519 is a critical Remote Code Execution (RCE) vulnerability in the Zimbra postjournal service, which is currently under active exploitation. Users are strongly advised to update their systems immediately, as a Proof of Concept (PoC) has demonstrated that the vulnerability can be exploited via specially crafted emails. Cyble sensors have detected over 90,000 Zimbra instances exposed on the internet with previous unpatched vulnerabilities, making rapid intervention by all Zimbra customers critical.

ProductZimbra imapd
Date2024-10-02 13:55:44
Information
  • Trending
  • Fix Available

Technical Summary

A critical Remote Code Execution vulnerability has been identified in versions of the Zimbra Collaboration Suite. This flaw is currently being actively exploited, allowing attackers to gain unauthorized access, execute arbitrary commands, and potentially escalate privileges. A successful exploit could compromise the integrity and confidentiality of affected systems, leading to full control of the target environment.

Recommendations

  • Immediate Patching: Zimbra administrators must update to the patched versions that add input sanitization and replace popen with execvp to mitigate the direct command injection vulnerability. Patched versions include: – 9.0.0 Patch 41 – 10.0.9 – 10.1.1 – 8.8.15 Patch 46

  • Configuration Verification: Administrators should verify the configuration of the mynetworks parameter to prevent external exploitation of the vulnerability.

  • Malicious Activity Monitoring: Monitor for suspicious emails and exploit attempts, particularly those originating from known sources such as the IP address 79.124.49[.]86.

[Callforaction-THREAT-Footer]