Zimbra RCE Vulnerability (CVE-2024-45519) – Exploit POC Released


Zimbra, a popular email and collaboration platform, has issued a crucial security update to patch a severe vulnerability in its postjournal service. Identified as CVE-2024-45519, this flaw allows unauthenticated attackers to execute arbitrary commands on affected Zimbra installations.

The vulnerability was discovered in Zimbra's postjournal service. Attackers could exploit it to run arbitrary commands without authentication, which poses a significant risk to the security and integrity of systems using the platform.


The security patch was hosted on Zimbra’s S3 bucket, s3(:)repo.zimbra.com, which was publicly accessible. Researchers obtained the patched version of the postjournal binary from the latest Zimbra patch package.

Instead of performing a binary diff, they reversed the binary using Ghidra to identify critical functions such as run_command.


In the patched version, the function execvp is utilized with user input passed as an array, preventing direct command injection. An is_safe_input function was introduced to sanitize inputs and block special characters that could lead to command injection.

Researchers analyzed the unpatched version of the software and discovered that it used popen in the read_maps function without input sanitization, allowing command injection. By setting up a test server, they demonstrated how an SMTP message could exploit this vulnerability.
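The pattern described above, as an added illustration that is not Zimbra's postjournal code: a popen()-style command string built from caller input beside an execvp() argv array guarded by an allow-list check modelled on the patch's is_safe_input. The function bodies, the accepted character set and the tool path are assumptions.

```c
/* Added illustration (not Zimbra's code): popen-string vs execvp-argv,
 * with an allow-list standing in for the patch's is_safe_input. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern: caller-controlled text is interpolated into one
 * command string that popen() would hand to /bin/sh, so shell
 * metacharacters in the input become part of the command. This helper
 * only builds the string; nothing is executed here. */
int build_popen_command(const char *addr, char *out, size_t out_len) {
    /* hypothetical tool path, assumption for the illustration */
    int n = snprintf(out, out_len, "/opt/zimbra/bin/example_tool %s", addr);
    return (n >= 0 && (size_t)n < out_len) ? 0 : -1;
}

/* Allow-list check modelled on the patch's is_safe_input: only characters
 * that can occur in an e-mail address are accepted (assumed set). */
int is_safe_input(const char *s) {
    if (s == NULL || *s == '\0') return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (isalnum(c) || strchr("@._+-", c)) continue;
        return 0;
    }
    return 1;
}

/* Hardened pattern: fork and execvp() with an argv array. No shell is
 * involved, so the input stays one argument even if it contains ';'.
 * Returns the child's exit status, or -1 on fork/exec failure. */
int run_command_argv(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Gate: refuse unsafe input before any command is built (-2 = rejected). */
int run_if_safe(const char *tool, const char *addr) {
    if (!is_safe_input(addr)) return -2;
    char *argv[] = {(char *)tool, (char *)addr, NULL};
    return run_command_argv(argv);
}
```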

Proof of Concept

A proof of concept was developed using specific SMTP commands to execute arbitrary commands on the postjournal service running on port 10027. The exploit was initially successful internally but faced challenges when attempted remotely due to default configuration settings.

Researchers tested the exploit directly on the postjournal service via port 10027 using the following SMTP commands.

Zimbra users are strongly advised to apply the latest security patch immediately to protect their systems from potential exploitation. The update mitigates the risk by ensuring proper input sanitization and preventing unauthorized command execution.

Enabling Postjournal Service

Upon further investigation, it was discovered that the postjournal service is disabled by default. To enable it, the following commands were executed:

zmlocalconfig -e postjournal_enabled=true
zmcontrol restart

With the postjournal service enabled, researchers reran the exploit against SMTP port 25 and observed successful command execution.

For more information on this vulnerability and patch details, users can refer to Zimbra’s official security advisories.

A Nuclei template for CVE-2024-45519 has been developed to help identify vulnerable systems. This template can detect instances of vulnerability by simulating SMTP-based attacks.

This critical update underscores the importance of timely patch application and vigilant system monitoring. Users should update their Zimbra installations to prevent potential security breaches and maintain system integrity.
