"The emails spoofing Gmail were sent to bogus addresses in the CC fields in an attempt for Zimbra servers to parse and execute them as commands..." Proofpoint noted. In this way attackers can exploit CVE-2024-45519 to execute commands remotely without authentication, which is what makes the flaw so severe on unpatched Zimbra installations.
"While the postjournal feature may be optional or not enabled on most systems, it is still necessary to apply the provided patch to prevent potential exploitation," warned Ashish Kataria, a security architect engineer at Synacor. This emphasizes the importance of timely software updates in securing systems against vulnerabilities, regardless of their current configuration.
Proofpoint identified a series of CC'd addresses that, when decoded, attempt to write a web shell on a vulnerable Zimbra server... The installed web shell subsequently listens for inbound connections with a pre-determined JSESSIONID cookie field and, if present, proceeds to parse the JACTION cookie for Base64 commands. This highlights the sophisticated methods attackers are using to exploit vulnerabilities in communication software.
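The two indicators described above (recipient addresses that carry shell syntax rather than a mail address, and HTTP requests carrying a JACTION cookie whose value is Base64) can both be hunted for in existing logs. The following is an added detection example written for this page; it is not Proofpoint's or Zimbra's code. The log line format, the placeholder web shell path and the sample CC header are all constructed for the demonstration, and the heuristics are triage aids for an analyst rather than a parser of RFC 5322 addresses.

```python
import base64
import re
from typing import Dict, List, Optional

# Characters that do not belong in a mail address but are common in shell command lines.
SHELL_META = re.compile(r"[;|&`$(){}<>]")

# Constructed log format for this example (not Zimbra's own log layout):
#   <client ip> "<method> <path>" "<Cookie header value>"
LOG_RE = re.compile(r'^(?P<src>\S+) "(?P<method>\S+) (?P<path>\S+)" "(?P<cookies>[^"]*)"$')


def suspicious_recipients(header_value: str) -> List[str]:
    """Return entries of a To:/CC: header whose address part contains shell metacharacters.

    Quoted local parts may legally contain some of these characters, so a hit is a
    reason for a human to look, not proof of an attack.
    """
    flagged = []
    for entry in header_value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        bracketed = re.search(r"<([^>]*)>", entry)
        addr = bracketed.group(1) if bracketed else entry
        if SHELL_META.search(addr):
            flagged.append(addr)
    return flagged


def parse_cookies(cookie_header: str) -> Dict[str, str]:
    """Split a Cookie header value into a name -> value mapping."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def decode_base64(value: str) -> Optional[str]:
    """Strictly decode Base64; return None when the value is not well-formed Base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def flag_webshell_requests(log_lines: List[str]) -> List[Dict[str, object]]:
    """Flag requests that carry a JACTION cookie; JSESSIONID alone is normal Zimbra traffic."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        cookies = parse_cookies(m.group("cookies"))
        if "JACTION" not in cookies:
            continue
        hits.append({
            "src": m.group("src"),
            "path": m.group("path"),
            "has_jsessionid": "JSESSIONID" in cookies,
            "jaction_decoded": decode_base64(cookies["JACTION"]),
        })
    return hits


# Constructed sample data: a CC header with one bogus entry and three web requests,
# the last of which carries the JACTION cookie (value is Base64 for "id").
SAMPLE_CC = 'alice@example.com, Bob <bob@example.com>, "foo;echo test"@example.com'
SAMPLE_LOG = [
    '203.0.113.10 "GET /zimbra/" "JSESSIONID=abc123"',
    '198.51.100.7 "POST /service/soap" "ZM_AUTH_TOKEN=xyz; JSESSIONID=def456"',
    '203.0.113.99 "GET /webshell-placeholder.jsp" "JSESSIONID=1234567890; JACTION=aWQ="',
]

if __name__ == "__main__":
    print("suspicious recipients:", suspicious_recipients(SAMPLE_CC))
    for hit in flag_webshell_requests(SAMPLE_LOG):
        print("possible web shell traffic:", hit)
```

Run against real data, the first function belongs on the MTA side (postjournal input or the message headers it sees), the second on the proxy or mailboxd access log, after adding the Cookie header to the log format; the decoded JACTION value goes straight into the incident record rather than being acted on.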
"For Zimbra systems where the postjournal feature is not enabled and the patch cannot be applied immediately, removing the postjournal binary could be considered as a temporary measure until the patch can be applied," suggested Ashish Kataria. This recommendation underscores the critical need for organizations to have contingency plans when dealing with significant security vulnerabilities.