'Patch yesterday': Zimbra mail servers under siege through RCE vuln

Attacks began the day after public disclosure

"Patch yesterday" is the advice from infosec researchers as the latest critical vulnerability affecting Zimbra mail servers is now being mass-exploited.

The remote code execution vulnerability (CVE-2024-45519) was disclosed on September 27, along with a proof of concept (PoC) exploit, and Proofpoint reports that attacks using it began the following day.

According to Project Discovery's analysis of the issue, the fault lies in Zimbra's postjournal library and can be attributed to inadequate user input sanitization.

Attackers can, and evidently are, adding bogus CC addresses to emails that spoof Gmail. Instead of legitimate email addresses, CC fields are populated with base64 strings, which are then parsed and executed by Zimbra's mail servers.

"Successful exploitation can lead to unauthorized access, privilege escalation, and potential compromise of the affected system's integrity and confidentiality," the researchers said.

Project Discovery's report notes that while unpatched Zimbra versions offer a degree of protection from this attack, it can be bypassed with a small syntax tweak in the command.

Its PoC exploit worked on ports 10027 and 25, and after some teething issues, it was proven to work remotely too, as evidenced by the exploit attempts since.

Proofpoint said on Tuesday the attacker, or attackers, is unknown, and "for unknown reasons" the same server used to send the malicious emails is also hosting the second-stage payload.

The attacker(s) appears to be attempting to build webshells on vulnerable Zimbra servers, which offer support for command execution and the download and execution of files.

Ivan Kwiatkowski, lead cyber threat researcher at HarfangLab, said: "If you're using Zimbra, mass-exploitation of CVE-2024-45519 has begun. Patch yesterday."

Per Zimbra's security advisory page, the bug was initially reported by Alan Li, a computer science graduate student from Taiwan's National Yang Ming Chiao Tung University.

Like many of the recent vulnerabilities reported to the company behind the business email and collaboration platform, it has not yet been assigned a severity score.

However, Project Discovery's take was that it carried a "critical" severity rating – a classification reserved only for the most dire vulnerabilities.

The CVE identifier was assigned and is recognized by the National Vulnerability Database (NVD), but the organization's struggle to analyze and enrich the data of CVEs continues as its backlog is still significant.

In February this year, the NVD announced a slowing down of its vulnerability analyses, saying it needed time to "address challenges in the NVD program and develop improved tools and methods."

At this point, the backlog was steep – around 18,000 vulnerabilities – but by May, 93.4 percent of the total lacked key details for defenders, according to VulnCheck.

The National Institute of Standards and Technology (NIST), which maintains the NVD, a US government program, handed a contract to a third party, Analygence, in May to help clear the backlog.

This has helped reduce the heap meaningfully and, as of now, only 14.1 percent of new CVEs don't have a severity score. However, NIST had originally set a deadline of September 30 to clear things up entirely, so there is still work to be done. ®