A new critical unauthorized access vulnerability impacting the Zimbra suite has been reported. It has been assigned the reference CVE-2024-45519 and a CVSS 3.1 score of 9.8. The Stormshield Customer Security Lab details our protection offerings.
It should be noted that public proofs of concept exist for this vulnerability, which makes it easy for attackers to exploit.
Initial attack vector of the Zimbra vulnerability
The vulnerability allows an unauthenticated attacker to trigger remote code execution on the Zimbra server with a specially crafted email.
Technical details of the Zimbra vulnerability
The postjournal service does not sufficiently sanitize received data before passing it to the execvp function. An attacker can place shell commands in the recipient's email address field, and the server then executes them.
However, it should be noted that the postjournal service is not enabled in a default configuration.
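As an added, defender-side illustration (not code from Stormshield or Zimbra), the following script scans Postfix-style delivery log lines for recipient addresses whose local-part carries shell metacharacters, the kind of input the page describes reaching execvp. The log lines, hostnames and addresses are constructed samples; the log field layout (`to=<address>`) is an assumption about the mail log format being inspected.

```python
import re
from typing import List, Tuple

# Shell metacharacters that have no place in a recipient address that ends up
# in an execvp() argument list (the failure mode described for postjournal).
SHELL_META = re.compile(r'[;|&`$(){}<>\n]')

# Postfix-style "to=<address>" field; local-parts may be double-quoted.
RCPT_FIELD = re.compile(r'to=<([^>]*)>')

# Constructed sample log lines, not real traffic; the third carries a
# command-substitution sequence inside a quoted local-part.
SAMPLE_LOG = """\
Oct  1 10:00:01 mail postfix/smtpd[2101]: 7F3A2: client=unknown[192.0.2.10]
Oct  1 10:00:01 mail postfix/lmtp[2102]: 7F3A2: to=<alice@mail.example.com>, status=sent
Oct  1 10:00:02 mail postfix/lmtp[2102]: 7F3A2: to=<"bob$(id)"@mail.example.com>, status=sent
Oct  1 10:00:03 mail postfix/lmtp[2102]: 7F3A2: to=<carol+tag@mail.example.com>, status=sent
"""


def recipients_in(line: str) -> List[str]:
    """Return every to=<...> address present in one log line."""
    return RCPT_FIELD.findall(line)


def is_suspicious(addr: str) -> bool:
    """True when the local-part contains shell metacharacters.

    A quoted local-part ("...") is legal per RFC 5321, which is exactly why an
    address that merely "looks valid" can still carry these characters; the
    check therefore looks at the characters themselves, not at syntax."""
    local, _, _domain = addr.rpartition('@')
    return bool(SHELL_META.search(local))


def scan_log(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, address) for every suspicious recipient."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for addr in recipients_in(line):
            if is_suspicious(addr):
                hits.append((n, addr))
    return hits


if __name__ == "__main__":
    for n, addr in scan_log(SAMPLE_LOG):
        print(f"line {n}: suspicious recipient {addr!r}")
```

Plus-addressing and other legitimate local-part characters are deliberately left out of the metacharacter set so that ordinary mail does not trigger the check.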
Attack modelling with MITRE ATT&CK
MITRE ATT&CK
- T1190 (Exploit Public-Facing Application)
How to protect against the Zimbra vulnerability with Stormshield Network Security
Protection against CVE-2024-45519
Stormshield Network Security (SNS) firewalls detect and block exploitation of CVE-2024-45519 with the following pattern:
- smtp:client.18 : Exploitation of a remote code execution vulnerability in Zimbra (CVE-2024-45519)
Confidence index for the protection offered by Stormshield
Confidence index for the absence of false positives
Recommendations regarding the Zimbra vulnerability
It is strongly recommended to update the Zimbra suite to one of the following versions:
- 8.15 patch 46
- 0.0 patch 41
- 0.9
- 1.1