Warning: Critical Vulnerability In Zimbra Collaboration Enables Remote Command Execution, Patch Immediately!

Published : 02/10/2024

Reference:
Advisory #2024-235

Version:
1.0

Affected software:
Zimbra Collaboration versions before 9.0.0 Patch 41, 10.0.9, 10.1.1 and 8.8.15 Patch 46

Type:
Remote Code Execution (RCE)

CVE/CVSS:
CVE-2024-45519; CVSS score not available.

Sources

Zimbra: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

Risks

The vulnerability presents a significant risk due to its potential for remote code execution, which could allow attackers to gain control over affected systems. This threat is further amplified by the availability of proof-of-concept exploits and the fact that the vulnerability is actively being exploited in the wild.

Furthermore, the vulnerability has a high impact on confidentiality, integrity, and availability.

Description

The vulnerability stems from improper input sanitisation in the postjournal binary, which receives and processes recipient email addresses from SMTP messages. The flaw lies in the msg_handler() function, where user-supplied email addresses are parsed and passed without sanitisation to popen(), which runs its argument through a shell; shell metacharacters in a crafted address are therefore interpreted as commands, enabling command injection.

Exploitation Impact:

  • Arbitrary Command Execution - attackers can execute any system command under the Zimbra user context, gaining unauthorised access to the system.
  • Privilege Escalation - once inside the system, attackers could escalate their privileges, access sensitive data, or compromise the server further.
  • Potential Impact - compromising the Zimbra platform could lead to the theft of emails, confidential information, and potentially allow lateral movement within a network, depending on the attacker’s objectives.
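To make the mechanism above concrete, the following is an added illustration in C, not Zimbra's code: the function names, the sendmail path and its flags are hypothetical. It places the unsafe pattern (a recipient string pasted into a popen() command line) next to a hardened version that allowlists the address and execs the delivery program with an argv array, so no shell ever parses it.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern (hypothetical, not Zimbra's code): the recipient is
 * pasted into a command line that popen() hands to /bin/sh, so shell
 * metacharacters inside the address are interpreted as commands. */
FILE *deliver_via_popen(const char *recipient) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "/usr/sbin/sendmail -i -- %s", recipient);
    return popen(cmd, "r"); /* injection point */
}

/* Allowlist check: exactly one '@', non-empty local and domain parts, and
 * only characters that can never act as shell metacharacters. */
int is_safe_recipient(const char *addr) {
    size_t n = strlen(addr);
    const char *at = strchr(addr, '@');
    if (n == 0 || n > 254 || at == NULL || at == addr || at[1] == '\0' ||
        strchr(at + 1, '@') != NULL)
        return 0;
    for (const char *p = addr; *p; p++)
        if (!isalnum((unsigned char)*p) && strchr("._+-@", *p) == NULL)
            return 0;
    return 1;
}

/* Hardened pattern: validate first, then exec the delivery program with an
 * argv array. No shell parses the address, so it is only ever data.
 * Returns the child's exit status, or -1 if the recipient was rejected. */
int deliver_no_shell(const char *mta, const char *recipient) {
    if (!is_safe_recipient(recipient))
        return -1; /* rejected before any process is spawned */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)mta, "-i", "--", (char *)recipient, NULL };
        execv(mta, argv);
        _exit(127); /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

deliver_via_popen() is included only for contrast and is never invoked; the "--" in the hardened argv also stops an address beginning with "-" from being read as an option by the delivery program.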

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing the updates on vulnerable systems with the highest priority, after thorough testing.

Monitor/Detect

The CCB recommends that organisations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident

While patching appliances or software to the newest version protects against future exploitation, it does not remediate a compromise that has already taken place.

References

The Hacker News: https://thehackernews.com/2024/10/researchers-sound-alarm-on-active.html
SOCRadar: https://socradar.io/rce-vulnerability-in-zimbra-cve-2024-45519/