Zimbra: Code smuggling loophole under attack
There is a gaping security hole in the Zimbra collaboration software that attackers are already actively abusing. Admins should update quickly.
There is a gaping security hole in the groupware Zimbra that allows malicious code to be injected and executed. Attackers are already abusing the vulnerability in the wild. IT managers with Zimbra installations should install the available updates as soon as possible.
The IT security researchers at Proofpoint have published information on X about the attacks on the Zimbra vulnerability. According to this, the attacks on the vulnerability with the CVE number CVE-2024-45519 began on September 28. Attackers sent emails with a forged Gmail sender address and forged email addresses in the CC: field, in an attempt to have Zimbra process them and execute them as commands. The addresses contained Base64-encoded strings that are executed with sh on the shell. The actual malicious code comes from the same server from which the exploit emails originate; Proofpoint has not yet discovered the reason for this. The attackers' affiliation with known criminal groups is also still unclear.
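The pattern described above, Base64-encoded strings smuggled into CC: addresses and split across several of them, is something a mail gateway or a log-review script can look for. The following Python is an added example written for this article; it is not Proofpoint's tooling or part of Zimbra. It assumes the message is available as raw RFC 5322 text, treats the local part of each CC: address as a Base64 candidate, tries each part on its own and all parts joined in order, and flags any decode that looks like shell syntax. The sample message and the harmless command encoded in it are constructed for the demo.

```python
import base64
import binascii
import re
from email import message_from_string

# Decoded text counts as shell-like if it contains a common command word or a shell metacharacter.
SHELL_MARKERS = re.compile(r"(?:^|[\s;|&])(?:sh|bash|curl|wget|echo|cat|chmod|base64)\b|[;&|`$]")

# Anything that looks like addr-spec in the header; '=' is legal in a local part, so padding survives.
ADDRESS = re.compile(r"[^\s,<>]+@[^\s,<>]+")


def decode_base64_candidate(text):
    """Return the decoded text if `text` is Base64 that yields printable ASCII, else None."""
    stripped = text.strip().strip('"')
    if len(stripped) < 8 or not re.fullmatch(r"[A-Za-z0-9+/=]+", stripped):
        return None
    padded = stripped + "=" * (-len(stripped) % 4)  # tolerate chunks whose padding was dropped
    try:
        decoded = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None


def extract_cc_local_parts(raw_message):
    """Return the local parts of all CC: addresses, in header order."""
    msg = message_from_string(raw_message)
    header_text = " ".join(msg.get_all("Cc", []))
    return [addr.rsplit("@", 1)[0] for addr in ADDRESS.findall(header_text)]


def find_encoded_commands(raw_message):
    """Return (scope, blob, decoded) for CC: local parts that decode to shell-like text.

    scope is "single" for one address on its own and "joined" for all CC: local parts concatenated,
    which is how the reported emails split one command across several addresses.
    """
    parts = extract_cc_local_parts(raw_message)
    findings = []
    for part in parts:
        decoded = decode_base64_candidate(part)
        if decoded and SHELL_MARKERS.search(decoded):
            findings.append(("single", part, decoded))
    if len(parts) > 1:
        joined = "".join(parts)
        decoded = decode_base64_candidate(joined)
        if decoded and SHELL_MARKERS.search(decoded):
            findings.append(("joined", joined, decoded))
    return findings


# Constructed sample, not a captured attack email: the blob is the Base64 form of a harmless command,
# split into two CC: addresses the way the report describes.
_BLOB = base64.b64encode(b"echo constructed-sample").decode("ascii")
_HALF = len(_BLOB) // 2
SAMPLE_MESSAGE = (
    "From: sender@gmail.example\r\n"
    f"Cc: {_BLOB[:_HALF]}@mail.example, {_BLOB[_HALF:]}@mail.example\r\n"
    "Subject: constructed sample\r\n\r\nbody\r\n"
)

BENIGN_MESSAGE = (
    "From: sender@gmail.example\r\n"
    "Cc: alice@mail.example, bob.johnson@mail.example\r\n"
    "Subject: hello\r\n\r\nbody\r\n"
)

if __name__ == "__main__":
    for scope, blob, decoded in find_encoded_commands(SAMPLE_MESSAGE):
        print(f"{scope}: {blob!r} -> {decoded!r}")
```

Local parts such as ordinary names are short or fail the printable-ASCII check, so they are not reported; the joined check is what catches a command that was deliberately spread over several addresses.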
Attackers set up webshells
Some emails from the same sender have used a number of CC: addresses in an attempt to set up a webshell on vulnerable Zimbra servers. The complete CC: list is wrapped in a string. If you connect the Base64 blobs, they decode into a command that writes a webshell to the file /jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp. The webshell itself listens for incoming connections with a specific JSESSIONID cookie field. If this is present, the webshell processes the JACTION cookie and searches for Base64-encoded commands.
The webshell can execute commands via exec or download and execute files via a socket connection, concludes the Proofpoint analysis. Interested parties can find more details at Projectdiscovery. The IT researchers analyze the vulnerability in Zimbra in a blog post and present the development of an exploit based on the findings. The exploit only works once the analysts have enabled the "postjournal" option, which is apparently not enabled by default.
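The two webshell indicators the analysis names, the dropped file path and the JACTION cookie, translate directly into checks an administrator can run on a Zimbra host. The Python below is an added example for this article, not code from Proofpoint, Projectdiscovery or Zimbra. It assumes the install root is passed in as a path, that the file under jetty/webapps is served at the matching URL path under /zimbraAdmin/, and that the access log has been configured to record the Cookie header in a simple custom format; the log lines are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# File the Proofpoint analysis names as the dropped webshell, relative to the Zimbra install root.
WEBSHELL_RELATIVE_PATH = Path("jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp")

# Assumed URL mapping for that file (hypothetical; verify against your deployment).
WEBSHELL_URL_PATH = "/zimbraAdmin/public/jsp/zimbraConfig.jsp"

# Cookie the analysis says the webshell reads its commands from.
SUSPECT_COOKIE = "JACTION"

# Assumed custom access-log format (hypothetical): client, [timestamp], "request line", status, "cookie".
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)


def webshell_file_present(zimbra_root):
    """Return True if the named webshell path exists under the given install root."""
    return (Path(zimbra_root) / WEBSHELL_RELATIVE_PATH).is_file()


def cookie_names(cookie_header):
    """Return the cookie names in a Cookie header value, e.g. 'A=1; B=2' -> ['A', 'B']."""
    names = []
    for item in cookie_header.split(";"):
        name = item.strip().split("=", 1)[0]
        if name:
            names.append(name)
    return names


def classify_request(line):
    """Return the indicator names found in one access-log line (empty list if none or unparsable)."""
    match = LOG_LINE.match(line)
    if not match:
        return []
    indicators = []
    if match.group("path").split("?", 1)[0] == WEBSHELL_URL_PATH:
        indicators.append("webshell_path")
    if SUSPECT_COOKIE in cookie_names(match.group("cookie")):
        indicators.append("jaction_cookie")
    return indicators


def scan_access_log(lines):
    """Return (line, indicators) for every line that carries at least one indicator."""
    hits = []
    for line in lines:
        found = classify_request(line)
        if found:
            hits.append((line, found))
    return hits


def demo_filesystem_check():
    """Show the file check before and after a placeholder file appears at the webshell path."""
    with tempfile.TemporaryDirectory() as root:
        before = webshell_file_present(root)
        target = Path(root) / WEBSHELL_RELATIVE_PATH
        target.parent.mkdir(parents=True)
        target.write_text("<%-- constructed placeholder file, not a webshell --%>")
        after = webshell_file_present(root)
    return before, after


# Constructed sample log lines in the assumed format; addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 [01/Oct/2024:10:00:00 +0000] "GET /zimbraAdmin/ HTTP/1.1" 200 "ZM_ADMIN_AUTH_TOKEN=abc"',
    '203.0.113.5 [01/Oct/2024:10:00:01 +0000] "POST /zimbraAdmin/public/jsp/zimbraConfig.jsp HTTP/1.1" 200 "JSESSIONID=abc; JACTION=eHl6"',
    '198.51.100.7 [01/Oct/2024:10:00:02 +0000] "GET /service/soap HTTP/1.1" 200 ""',
]

if __name__ == "__main__":
    print("file check (before, after):", demo_filesystem_check())
    for line, indicators in scan_access_log(SAMPLE_LOG):
        print(indicators, line)
```

Either indicator on its own is worth an alert: a request to that JSP path should not occur on a clean install, and a JACTION cookie has no legitimate use in Zimbra's admin interface as far as the analysis describes it.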
Zimbra's website contains a brief reference to the vulnerability. According to this, the developers are closing a security gap in the postjournal service with new software versions, which allows attackers to execute commands without prior authentication. Information on the CVE number CVE-2024-45519 is not yet publicly available. The exact vulnerability description, specific CVSS value and risk classification are therefore still missing. The update to the bug-fixed versions Zimbra 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9 and 10.1.1 fixes the security vulnerability. They also close further security vulnerabilities, including a server-side request forgery that allows unauthorized access to internal services. Admins should download and install the new installation packages from the Zimbra download page immediately if their installations are not yet up to date.
Attacks on a security vulnerability in Zimbra also took place in the middle of last year. At that time, it was a cross-site scripting vulnerability. Attackers were able to gain unauthorized access to files.
(dmk)