Zimbra Remote Code Execution Vulnerability (CVE-2024-45519)
Summary
OEM | Zimbra |
Severity | Critical |
Date of Announcement | 2024-10-02 |
CVSS Score | 10.0 |
CVE | CVE-2024-45519 |
CWE | -- |
Exploited in Wild | Yes |
Patch/Remediation Available | Yes |
Advisory Version | 1.0 |
Overview
A critical vulnerability (CVE-2024-29847) has been identified in Ivanti Endpoint Manager, allowing unauthenticated attackers to execute arbitrary code remotely. This flaw is due to a deserialization of untrusted data issue in the AgentPortal.exe service, specifically within the .NET Remote framework. Exploitation can allow attackers to perform file operations such as reading or writing files on the server, potentially leading to full system compromise.
Vulnerability Name | CVE ID | Product Affected | Impact | CVSS Score |
Zimbra - Remote Command Execution | CVE-2024-45519 | Zimbra Collaboration Suite (ZCS) | Critical | 10.0 |
Technical Summary
CVE ID | System Affected | Vulnerability Details | Impact |
CVE-2024-45519 | Zimbra Collaboration Suite (ZCS) prior to 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, and 10.1.1 | Attackers sent spoofed emails, appearing to be from Gmail, with base64-encoded malicious code in the CC field. This code tricks Zimbra server into executing it as shell commands instead of processing it as email addresses. The goal is to create a web shell on vulnerable servers, enabling remote access and control. Once installed, the web shell listens for specific cookie values to execute commands or download malicious files. | Complete remote control of the affected Zimbra instance. |
Remediation
- Patch Immediately Administrators are strongly advised to update their Zimbra servers to the latest patched versions: 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, 10.1.1
- Disable postjournal if unused To minimize the attack surface, it is advisable to completely disable the postjournal service if your organization doesn’t require it.
- Verify Network Configurations Ensure that the mynetworks parameter is correctly configured to limit access to trusted IP ranges, preventing unauthorized access.
- Monitor for Indicators of Compromise (IoCs) Security teams should monitor network traffic and Zimbra server logs for unusual activity, such as connections from suspicious IP addresses (e.g., 79.124.49[.]86).