
New RCE vulnerability in Zimbra Postjournal being actively targeted


A security flaw in Synacor’s Zimbra Collaboration software was recently identified, and cybersecurity researchers have warned that the vulnerability is being actively exploited.

The attacks aim to exploit a severe security bug in Zimbra’s postjournal service, identified as CVE-2024-45519, potentially allowing threat actors to execute arbitrary commands on affected service installations. Security firm Proofpoint started observing activity on September 28, 2024.

In a series of posts on X, Proofpoint said, “The emails spoofing Gmail were sent to bogus addresses in the CC fields in an attempt for Zimbra servers to parse and execute them as commands.” The addresses contained base64-encoded malicious code that is executed with the sh utility.

Security researcher Alan Li, known as lebr0nli on GitHub, was credited with discovering and reporting the flaw. Zimbra addressed the critical flaw in versions 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, and 10.1.1, released on September 4, 2024. Ashish Kataria, a security architect engineer at Synacor, stated that installing the provided patches is necessary; at the same time, the postjournal feature is optional and may not be enabled on most systems, which limits their exposure to exploitation.

For Zimbra systems where the postjournal feature is not enabled and the patch cannot be applied immediately, the postjournal binary can be removed as a temporary measure until the patch can be applied to those systems.

Proofpoint identified a series of CC’d addresses that, when decoded, attempt to write a web shell on a vulnerable Zimbra server. The installed web shell uses specially crafted HTTP requests to remotely access the server, alter files, run arbitrary commands, and access sensitive data. The web shell is pre-equipped with support for command execution and the ability to download and run a file over a socket connection.

“Once installed, the webshell listens for inbound connection with a pre-determined JSESSIONID Cookie field; if present, the webshell will then parse the JACTION cookie for base64 commands,” Proofpoint said.

Ivan Kwiatkowski, a threat researcher at HarfangLab, said that the malicious emails are coming from the IP address 79.124.49[.]86, which appears to be based in Bulgaria. Activity related to potential exploitation began one day after Project Discovery released details of the critical issue. As the flaw is being actively exploited in the wild, applying the latest patches is recommended to protect against potential threats.
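The article describes two observable traits of this campaign: CC recipients whose addresses carry base64-encoded shell commands, and a web shell that keys on a JSESSIONID cookie and reads base64 commands from a JACTION cookie. The following is an added detection example, not code from the article, Proofpoint, or Zimbra. It assumes the base64 appears as a contiguous token inside a recipient address, that JACTION is not a cookie name a Zimbra deployment normally sets, and it runs over constructed sample mail and HTTP headers with a harmless placeholder command standing in for a real payload.

```python
import base64
import binascii
import re
from email import message_from_string
from email.utils import getaddresses

# Fragments a defender would not expect inside a decoded recipient address; tune to taste.
SHELL_HINTS = ("sh ", "/bin/", "base64", "curl", "wget", "|", ";", "$(", "`")
# A run of base64 alphabet long enough to be worth decoding (short runs are mostly noise).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def decode_base64_token(token: str):
    """Return the decoded text if token is valid base64 of printable ASCII, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def suspicious_cc_addresses(raw_email: str):
    """Return (address, decoded_text) for CC recipients carrying a base64 shell fragment."""
    msg = message_from_string(raw_email)
    hits = []
    for _name, addr in getaddresses(msg.get_all("Cc", [])):
        for run in B64_RUN.finditer(addr):
            decoded = decode_base64_token(run.group(0))
            if decoded and any(hint in decoded for hint in SHELL_HINTS):
                hits.append((addr, decoded))
                break  # one finding per address is enough
    return hits


def suspicious_cookie_requests(request_blocks):
    """Flag raw HTTP request header blocks that carry a JACTION cookie (assumed non-standard)."""
    findings = []
    for block in request_blocks:
        cookies = {}
        for line in block.splitlines():
            if line.lower().startswith("cookie:"):
                for part in line.split(":", 1)[1].split(";"):
                    if "=" in part:
                        name, value = part.strip().split("=", 1)
                        cookies[name] = value
        if "JACTION" in cookies:
            findings.append({
                "jsessionid": cookies.get("JSESSIONID"),
                "jaction": cookies["JACTION"],
                "decoded": decode_base64_token(cookies["JACTION"]),
            })
    return findings


# --- Constructed sample input (not captured traffic); the "payload" is a harmless stand-in ---
PAYLOAD_TOKEN = base64.b64encode(b"echo hello; id").decode()

BENIGN_EMAIL = """From: alice@example.com
To: bob@example.com
Cc: carol@example.com
Subject: lunch

see you at noon
"""

SUSPICIOUS_EMAIL = f"""From: someone@gmail.com
To: bob@example.com
Cc: carol@example.com, {PAYLOAD_TOKEN}@example.com
Subject: hi

"""

NORMAL_REQUEST = "GET /zimbra/ HTTP/1.1\r\nHost: mail.example.com\r\nCookie: JSESSIONID=abc123\r\n"
SHELL_REQUEST = (
    "GET /zimbra/ HTTP/1.1\r\nHost: mail.example.com\r\n"
    "Cookie: JSESSIONID=deadbeef; JACTION=" + base64.b64encode(b"id").decode() + "\r\n"
)

if __name__ == "__main__":
    print(suspicious_cc_addresses(BENIGN_EMAIL))      # []
    print(suspicious_cc_addresses(SUSPICIOUS_EMAIL))  # one hit decoding to 'echo hello; id'
    print(suspicious_cookie_requests([NORMAL_REQUEST, SHELL_REQUEST]))
```

The mail check is deliberately two-stage (decodes cleanly, then contains shell fragments) because legitimate local parts can look base64-like; the HTTP check keys on the cookie name alone since the article gives no fixed JSESSIONID value, so the JSESSIONID seen is recorded for correlation rather than matched.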


Arun Maity


Arun Maity is a journalist from Kolkata who graduated from the Asian College of Journalism. He has an avid interest in music, videogames and anime. When he's not working, you can find him practicing and recording his drum covers, watching anime or playing games. You can contact him here: arunmaity23@proton.me
