An alarming security vulnerability in Zimbra’s postjournal service, known as CVE-2024-45519, has put more than 19,600 public Zimbra installations at risk of remote code execution attacks. This critical flaw, rated with a CVSS score of 9.8, enables malicious actors to execute arbitrary commands on vulnerable Zimbra systems without needing to authenticate, posing a grave threat to the overall security and stability of these installations.
Recent scans carried out on October 6, 2024, have unveiled a large number of unpatched Zimbra instances worldwide. Among the countries most affected by this vulnerability are Germany with 1.6K vulnerable installations, the United States with 1.6K, and Russia with 1.5K.
CVE-2024-45519 exposes an OS command injection flaw in Zimbra’s postjournal service, a component used for tracking email communications. The vulnerability stems from inadequate input validation in the read_maps function, where user-provided data is directly fed into the popen function without proper sanitization. This loophole grants attackers the ability to inject and execute arbitrary commands on the servers.
Reports have emerged regarding active exploitation of this vulnerability, with threat actors sending emails mimicking Gmail accounts and including base64-encoded strings in the CC fields. Once decoded, these strings trigger commands on vulnerable Zimbra servers, leading to the deployment of webshells that establish persistent unauthorized access to compromised systems.
To address this critical security issue, Zimbra administrators are strongly urged to promptly apply the latest security patches offered by the company. Versions 8.8.15, Patch 46, 9.0.0, Patch 41, 10.0.9, and 10.1.1 have been released to mitigate the CVE-2024-45519 vulnerability. Furthermore, administrators should consider deactivating the postjournal service if it is not essential and configuring the mynetworks parameter correctly to thwart unauthorized access attempts.
The severity of CVE-2024-45519 and the ongoing exploitation underline the critical importance of timely patch application and robust security protocols. It is imperative for Zimbra administrators to take immediate action to secure their systems and prevent potentially devastating breaches.
In conclusion, staying informed about security updates, implementing necessary patches, disabling unnecessary services, and configuring network parameters correctly are key practices to safeguard Zimbra installations against advanced cyber threats. By adhering to these recommendations and maintaining vigilance, administrators can fortify their systems against malicious attacks and ensure the integrity of their email communication platforms.