
DIVD-2024-00040 - Zimbra Collaboration (ZCS) vulnerable for RCE under specific conditions

Our reference DIVD-2024-00040
Case lead Oscar Vlugt
Researcher(s)
CVE(s)
Products
  • Zimbra Collaboration (ZCS)
Versions
  • Version 8 before 8.8.15 patch 46
  • Version 9 before 9.0.0 patch 41
  • Version 10 before 10.0.9
  • Version 10.1 before 10.1.1
Recommendation Update to non-vulnerable versions
Patch status Patch available
Workaround None
Status Closed
Last modified 26 Nov 2024 22:39 CET

Summary

Zimbra, a widely used email and collaboration platform, recently released a critical security update addressing a severe vulnerability in its postjournal service. The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute commands.

Recommendations

To remediate CVE-2024-45519 apply the updates listed at the Zimbra Security Center. You can find a link to the Zimbra Security Center at the bottom of this post.

What we are doing

DIVD is currently working to identify parties that are running a vulnerable version of Zimbra Collaboration (ZCS) and to notify these parties. We do this by looking at the version numbers if possible. Although our fingerprinting cannot confirm if instances are vulnerable under the specific conditions, we want to issue a warning that parties should upgrade or patch if their instance falls within the specified vulnerable versions.
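A local check of a version string against the ranges listed on this page, as an added example (it is not DIVD's fingerprint or scanning code). It assumes the version is reported as `major.minor.micro` with an optional `_P<n>` patch suffix; the sample strings are constructed. A result of `affected-range` means only that the version falls within the listed ranges, not that the specific conditions for exploitation are present.

```python
import re

# Fixed releases per branch, taken from this advisory's version list:
# (major, minor, micro, patch level).
FIXED = {
    (8,): (8, 8, 15, 46),
    (9,): (9, 0, 0, 41),
    (10, 0): (10, 0, 9, 0),
    (10, 1): (10, 1, 1, 0),
}

_RELEASE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
_PATCH = re.compile(r"_P(\d+)")


def parse_version(text):
    """Return (major, minor, micro, patch), or None if no release number is found."""
    rel = _RELEASE.search(text)
    if rel is None:
        return None
    # Assumption: the last "_P<n>" token is the installed patch level.
    patches = _PATCH.findall(text)
    patch = int(patches[-1]) if patches else 0
    return tuple(int(g) for g in rel.groups()) + (patch,)


def classify(text):
    """Return 'affected-range', 'fixed', 'unlisted' or 'unparsed'."""
    version = parse_version(text)
    if version is None:
        return "unparsed"
    # Version 10 is split into 10.0 and 10.1 branches; 8 and 9 are one branch each.
    branch = version[:2] if version[0] == 10 else version[:1]
    fixed = FIXED.get(branch)
    if fixed is None:
        return "unlisted"  # branch not covered by the advisory
    return "affected-range" if version < fixed else "fixed"


if __name__ == "__main__":
    # Constructed sample strings, not real scan output.
    samples = [
        "Release 8.8.15_GA_0000 FOSS edition, Patch 8.8.15_P45.",
        "Release 9.0.0_GA_0000 NETWORK edition, Patch 9.0.0_P41.",
        "10.0.8", "10.1.1", "7.2.0",
    ]
    for s in samples:
        print(f"{classify(s):15} {s}")
```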

Timeline

Date Description
25 Sep 2024 DIVD starts researching the vulnerability.
06 Oct 2024 DIVD finds fingerprint, preparing to scan.
08 Oct 2024 Case opened, first version of this casefile
08 Oct 2024 DIVD starts scanning the internet for vulnerable instances.
09 Oct 2024 DIVD starts notifying network owners with a possibly vulnerable instance in their network.
26 Nov 2024 DIVD conducted a rescan and notified owners of possibly vulnerable instances for the second time.
26 Nov 2024 Closing case.

More information