Attackers Exploit Critical Zimbra Vulnerability Using CC'd Email Addresses (arstechnica.com) 6
An anonymous reader quotes a report from Ars Technica: Attackers are actively exploiting a critical vulnerability in mail servers sold by Zimbra in an attempt to remotely execute malicious commands that install a backdoor, researchers warn. The vulnerability, tracked as CVE-2024-45519, resides in the Zimbra email and collaboration server used by medium and large organizations. When an admin manually changes default settings to enable the postjournal service, attackers can execute commands by sending maliciously formed emails to an address hosted on the server. Zimbra recently patched the vulnerability. All Zimbra users should install it or, at a minimum, ensure that postjournal is disabled.
On Tuesday, Security researcher Ivan Kwiatkowski first reported the in-the-wild attacks, which he described as "mass exploitation." He said the malicious emails were sent by the IP address 79.124.49[.]86 and, when successful, attempted to run a file hosted there using the tool known as curl. Researchers from security firm Proofpoint took to social media later that day to confirm the report. On Wednesday, security researchers provided additional details that suggested the damage from ongoing exploitation was likely to be contained. As already noted, they said, a default setting must be changed, likely lowering the number of servers that are vulnerable. [...]
Proofpoint has explained that some of the malicious emails used multiple email addresses that, when pasted into the CC field, attempted to install a webshell-based backdoor on vulnerable Zimbra servers. The full cc list was wrapped as a single string and encoded using the base64 algorithm. When combined and converted back into plaintext, they created a webshell at the path: /jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp. Proofpoint went on to say: "Once installed, the webshell listens for inbound connection with a pre-determined JSESSIONID Cookie field; if present, the webshell will then parse the JACTION cookie for base64 commands. The webshell has support for command execution via exec or download and execute a file over a socket connection."
On Tuesday, Security researcher Ivan Kwiatkowski first reported the in-the-wild attacks, which he described as "mass exploitation." He said the malicious emails were sent by the IP address 79.124.49[.]86 and, when successful, attempted to run a file hosted there using the tool known as curl. Researchers from security firm Proofpoint took to social media later that day to confirm the report. On Wednesday, security researchers provided additional details that suggested the damage from ongoing exploitation was likely to be contained. As already noted, they said, a default setting must be changed, likely lowering the number of servers that are vulnerable. [...]
Proofpoint has explained that some of the malicious emails used multiple email addresses that, when pasted into the CC field, attempted to install a webshell-based backdoor on vulnerable Zimbra servers. The full cc list was wrapped as a single string and encoded using the base64 algorithm. When combined and converted back into plaintext, they created a webshell at the path: /jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp. Proofpoint went on to say: "Once installed, the webshell listens for inbound connection with a pre-determined JSESSIONID Cookie field; if present, the webshell will then parse the JACTION cookie for base64 commands. The webshell has support for command execution via exec or download and execute a file over a socket connection."
Well, you know what they say (Score:2)
Hakuna Matata.
Nice exploit! (Score:2)
off the cuff analysis (Score:2)
Postfix is a collection of services, including an MTA that processes incoming SMTP requests, and then figuring out how to route the message to the right place (ie. a mailbox). In Zimbra there is also a "postjournal service" -- not sure what it's exactly for, but it sounds like it does some kind of recipient logging.
This seems to be more than the trivial always_bcc setting in Postfix (see main.cf). That just sends a copy of every message the system processes to whatever fixed mailbox you want. I am guessing
Re: (Score:2)
> Anyway, somewhere in the chain (apparently the postjournal code), it will parse a recipient name as a shell command!
Maybe it supports | recipients or they intended a Unix domain socket to bridge to some Sarbox system?
Perhaps they should open source postjournal and get more eyes on it.
Re: (Score:2)
The exploit is to use multiple "recipients" to write a webshell into a jsp file that's part of the mail system (/jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp). I guess you can then invoke that admin tool over the web from the external Internet.
The CVE says You are not vulnerable to a attack unless you change some default setting. Unless you are disabling a core functionality in postjournal, I guess what they're referring to is a remote administration restriction setting.
No, that's not enough of a fix!
Since the admin console has been replaced with a webshell, as soon as anyone (e.g. an authorized local user) opens the page, you're fucked. The script is opening a listner.
Is there a setting that says, "Admin Scripts (or whatever) May Open network Listeners"? I rather doubt it.
The fix has to be (as you say) to prevent that script file from being overwritten in the first place. How that corresponds to a single default setting making you invulnerable is a mystery. And it can't
Wash your hands and sanitize your inputs (Score:2)
In the entire history of computers, there has never been an bug or exploit that that resulted from letting random people enter any characters they wanted into an input field, except almost from the very beginning and now.
obligatory:
https://m.xkcd.com/327/ [xkcd.com]