Pierluigi Paganini
October 02, 2024
Proofpoint cybersecurity researchers reported that threat actors are attempting to exploit a recently disclosed vulnerability, tracked as CVE-2024-45519, in Synacor’s Zimbra Collaboration.
Starting on September 28, 2024, threat actors have been attempting to exploit the issue to achieve remote code execution on vulnerable instances.
Threat actors started exploring the vulnerability after the cybersecurity firm Project Discovery released technical details of the vulnerability and PoC exploit code.
“Zimbra, a widely used email and collaboration platform, recently released a critical security update addressing a severe vulnerability in its postjournal service. This vulnerability, identified as CVE-2024-45519, allows unauthenticated attackers to execute arbitrary commands on affected Zimbra installations.” reads a blog post published by Project Discovery. “In this blog post, we delve into the nature of this vulnerability, our journey in analyzing the patch, and the steps we took to exploit it manually. “
The vulnerability CVE-2024-45519 is a remote code execution vulnerability in Zimbra mail servers that was discovered by the security researcher lebr0nli (Alan Li). Versions 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, and 10.1.1 released on September 4, 2024 address the vulnerability.
The attackers spoofed Gmail, sending emails with base64 strings to be executed by Zimbra servers. The same server is used to send exploit emails and host second-stage payloads. The experts have yet to identy the threat actor behind this campaign.
Beginning on September 28, @Proofpoint began observing attempts to exploit CVE-2024-45519, a remote code execution vulnerability in Zimbra mail servers.
— Threat Insight (@threatinsight) October 1, 2024
The emails spoofing Gmail were sent to bogus addresses in the CC fields in an attempt for Zimbra servers to parse and execute… https://t.co/VmnQkDypkg pic.twitter.com/RJr9jawwWl
“Beginning on September 28, @Proofpoint began observing attempts to exploit CVE-2024-45519, a remote code execution vulnerability in Zimbra mail servers. The emails spoofing Gmail were sent to bogus addresses in the CC fields in an attempt for Zimbra servers to parse and execute them as commands. The addresses contained base64 strings that are executed with the sh utility.” warned Proofpoint on X. “For unknown reasons, the threat actor is using the same server to send the exploit emails and host second-stage payloads. The activity is unattributed at this time.”
Some emails from the same sender used CC’d addresses to attempt building a webshell on vulnerable Zimbra servers. The attackers wrapped the full CC list in a string, and concatenating the base64-encoded blobs, they decode to a command to write a webshell to the following URL: /jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp.
Once the webshell is deployed, it listens for connections with a specific JSESSIONID cookie and parses the JACTION cookie for base64 commands. The webshell can execute commands or download and run files via a socket connection.
Once installed, the webshell listens for inbound connection with a pre-determined JSESSIONID Cookie field; if present, the webshell will then parse the JACTION cookie for base64 commands. The webshell has support for command execution via exec or download and execute a file over… pic.twitter.com/ax2mouwsDS
— Threat Insight (@threatinsight) October 1, 2024
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Zimbra)
