CVE-2024-45519
October 2, 2024
Security Advisory
Kudelski Security Team

Security vulnerability discovered in the postjournal service of Zimbra Collaboration Suite
Summary

CVE-2024-45519 is a critical security vulnerability discovered in the postjournal service of Zimbra Collaboration Suite, a popular email and collaboration platform. The vulnerability has still not been given a CVSS score, but it enables remote attackers to execute arbitrary code on affected systems, potentially leading to unauthorized access, data breaches, and full system compromise.

Affected Systems and/or Application

  • Application: Zimbra Collaboration Suite (ZCS)
  • Versions Affected: 8.8.15 (up to Patch 45) and 9.0.0 (up to Patch 40)
  • Platforms: All supported platforms (Linux, Mac OS X)

Technical Details / Attack Overview

CVE-2024-45519 is a remote code execution (RCE) vulnerability located in the email processing module of the postjournal service of Zimbra Collaboration Suite. The flaw stems from a failure to properly sanitize user input, which allows an unauthenticated attacker to inject arbitrary commands. It can be exploited by sending a specially crafted email, designed to bypass the input sanitization, to a vulnerable Zimbra server.

The exploitation process involves:

  1. Identifying a Zimbra server running a vulnerable version.
  2. Crafting an email with specific payloads designed to bypass the user input sanitization.
  3. Sending the crafted email to the target server, causing the server to execute arbitrary code.

Recommendations

  1. Update Affected Systems: Immediately update to the latest patched versions: 8.8.15 Patch 46 and 9.0.0 Patch 41 or update to 10.0.9 or 10.1.1, where the vulnerability has been addressed.
  2. Apply Workarounds: If immediate updating is not possible, consider temporarily disabling or restricting access to the postjournal service until the update can be applied.
  3. Restrict Email Ingress: Use email security gateways to filter and block potentially malicious email content before it reaches the Zimbra server.
  4. Monitor Logs: Monitor system logs for any suspicious activities related to the postjournal service.
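As an added example (not part of this advisory or of Zimbra's own tooling), the following Python classifies a reported ZCS version string against the affected versions listed above and the fixed versions in Recommendation 1. The input shapes it accepts, such as "8.8.15 Patch 45" or a release banner ending in "_P46", are assumptions about how the version and patch level may be reported.

```python
import re
from typing import Dict, Optional, Tuple

# Facts taken from the advisory for CVE-2024-45519:
# 8.8.15 is affected up to Patch 45 (fixed in Patch 46),
# 9.0.0 is affected up to Patch 40 (fixed in Patch 41),
# 10.0.9 and 10.1.1 contain the fix.
LAST_VULNERABLE_PATCH = {(8, 8, 15): 45, (9, 0, 0): 40}  # base -> last bad patch
FIRST_FIXED_10X = {(10, 0): 9, (10, 1): 1}               # (major, minor) -> micro

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# Patch level as "Patch 45" or "_P45"; the lookahead rejects "Patch 8.8.15"
# (a version, not a patch number) by refusing a following ".digit".
_PATCH_RE = re.compile(r"(?:_P|Patch\s*)(\d+)(?!\.\d)", re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[Tuple[int, int, int], int]]:
    """Return ((major, minor, micro), patch) or None. Missing patch -> 0.

    Accepted shapes are assumptions, e.g. '8.8.15 Patch 45', '9.0.0_P41',
    'Release 8.8.15_GA_3869... Patch 8.8.15_P46.'.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    patches = [int(p) for p in _PATCH_RE.findall(text)]
    return base, (patches[-1] if patches else 0)


def cve_2024_45519_status(version_text: str) -> str:
    """'vulnerable', 'patched', or 'check_vendor' for one reported version."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "check_vendor"
    base, patch = parsed
    if base in LAST_VULNERABLE_PATCH:
        return "vulnerable" if patch <= LAST_VULNERABLE_PATCH[base] else "patched"
    if base[:2] in FIRST_FIXED_10X and base[2] >= FIRST_FIXED_10X[base[:2]]:
        return "patched"
    # The advisory lists only 8.8.15 and 9.0.0 as affected, so anything else
    # (including 10.x below the fixed release) is left for vendor confirmation.
    return "check_vendor"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> status for a constructed {host: version_string} inventory."""
    return {host: cve_2024_45519_status(v) for host, v in inventory.items()}


if __name__ == "__main__":
    sample = {"mail1": "8.8.15 Patch 45", "mail2": "9.0.0_P41", "mail3": "10.0.9"}
    for host, status in triage(sample).items():
        print(host, status)
```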

General Recommendations

  • Network Segmentation: Isolate Zimbra servers from the rest of the network to limit exposure.
  • Regular Patching: Implement a patch management strategy to ensure timely updates of all software.
  • Monitoring and Logging: Enable detailed logging and monitor for unusual activity or potential indicators of compromise.
  • User Training: Conduct regular training sessions to make users aware of phishing and email-based attack vectors.
  • Backup and Recovery: Ensure regular backups of Zimbra data and verify the ability to restore them to minimize downtime in case of an attack.

What is the CFC doing?

The CFC will continue to monitor the situation and send an advisory update if needed. Clients with vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans, as soon as a relevant plugin is made available by the vulnerability scan provider.
