According to Project Discovery's analysis of the issue, the fault lies in Zimbra's postjournal service and comes down to inadequate sanitization of user-supplied input. Attackers can add, and evidently are adding, bogus CC addresses to emails sent from spoofed Gmail senders. Instead of legitimate email addresses, the CC fields carry base64 strings, which Zimbra's mail servers parse and then execute as shell commands.
Successful exploitation can lead to unauthorized access, privilege escalation, and potential compromise of the affected system's integrity and confidentiality, the researchers said. Project Discovery's report notes that while unpatched Zimbra versions offer a degree of protection from this attack, that protection can be bypassed with a small syntax tweak in the injected command.
Proofpoint said on Tuesday that the attacker, or attackers, is unknown and that, for unknown reasons, the same server used to send the malicious emails is also hosting the second-stage payload. The attackers appear to be trying to plant webshells on vulnerable Zimbra servers; the webshells support command execution and the download and execution of files.
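As an added illustration of the mechanism described above (this is example code written for this page, not code from Zimbra, Project Discovery or Proofpoint), the following Python sketch shows what a mail gateway or log-inspection rule could look for: recipient headers whose raw value carries shell syntax, or a long base64 run that decodes to something that reads like a command line. Both sample messages are constructed for the demo; the exact layout of the payload inside the CC display name is an assumption modelled on the article's description, not a captured sample, and the command-word list is a starting point to tune per site.

```python
import base64
import re
from email import message_from_bytes
from typing import Optional

# Headers to inspect.  The article only names CC; To and Bcc are included on
# the assumption that the same recipient handling applies to them.
RECIPIENT_HEADERS = ("To", "Cc", "Bcc")

# Shell syntax that has no legitimate place inside an RFC 5322 address list.
SHELL_META = re.compile(r"\$\(|\$\{|`|[;|]")

# A base64 run long enough to carry a command rather than a mailbox token.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Words that make a decoded blob look like a command line (site-tunable).
CMD_WORDS = re.compile(
    r"(?:^|[\s/])(?:sh|bash|cat|curl|wget|nc|chmod|cd|python\d?|perl)\b"
    r"|/(?:tmp|etc|bin|dev)/"
)


def decode_if_command(token: str) -> Optional[str]:
    """Return the decoded text if TOKEN is base64 for a command line, else None."""
    padded = token + "=" * (-len(token) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except ValueError:  # bad padding, non-alphabet byte, or non-ASCII output
        return None
    return text if CMD_WORDS.search(text) else None


def suspicious_recipients(raw_message: bytes) -> list:
    """One finding per recipient header whose raw value looks like an injection.

    The check deliberately runs on the raw header string: the bug class here is
    a downstream component trusting that string, so a parser's cleaned-up view
    of the address is the wrong layer to inspect.
    """
    msg = message_from_bytes(raw_message)
    findings = []
    for header in RECIPIENT_HEADERS:
        for value in msg.get_all(header, []):
            value = str(value)
            reasons = []
            if SHELL_META.search(value):
                reasons.append("shell metacharacters in recipient list")
            for token in B64_RUN.findall(value):
                decoded = decode_if_command(token)
                if decoded is not None:
                    reasons.append(f"base64 decodes to command: {decoded!r}")
            if reasons:
                findings.append({"header": header, "value": value, "reasons": reasons})
    return findings


# Constructed samples (not captured traffic).  The second models the article's
# description: a spoofed Gmail sender and a CC entry carrying a base64-encoded
# command wrapped in shell syntax.
DEMO_PAYLOAD = base64.b64encode(b"cat /etc/passwd").decode()  # Y2F0IC9ldGMvcGFzc3dk
BENIGN_MESSAGE = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.com\r\n"
    b'Cc: "Carol Jones" <carol.jones@example.com>\r\n'
    b"Subject: lunch\r\n\r\nSee you at noon.\r\n"
)
MALICIOUS_MESSAGE = (
    b"From: someone@gmail.com\r\n"
    b"To: admin@example.com\r\n"
    b'Cc: "$(echo ' + DEMO_PAYLOAD.encode() + b'|base64 -d|sh)" <admin@example.com>\r\n'
    b"Subject: hello\r\n\r\n\r\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_MESSAGE), ("malicious", MALICIOUS_MESSAGE)):
        print(name, suspicious_recipients(sample))
```

Run it as a script and the benign message yields no findings, while the constructed malicious one is flagged twice on its Cc header: once for the `$(` and `|` characters, and once because the embedded base64 run decodes to a recognisable command. A blocklist like this is a detection aid, not a fix; the fix is patching the server.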
"If you're using Zimbra, mass-exploitation of CVE-2024-45519 has begun. Patch yesterday," said Ivan Kwiatkowski, lead cyber threat researcher at HarfangLab.