The Nigeria Computer Emergency Response Team (ngCERT) has issued an alert regarding a critical Remote Code Execution (RCE) vulnerability affecting the Zimbra Collaboration Suite (ZCS), a widely used email and collaboration platform.
In a statement seen by Technology Times, ngCERT warns that the vulnerability allows unauthenticated attackers to execute arbitrary commands on affected Zimbra installations. Successful exploitation could result in system compromise, data theft, and malware infiltration, among other malicious activities.
“ngCERT is aware of a critical Remote Code Execution (RCE) vulnerability in Zimbra Collaboration Suite (ZCS), a widely used email and collaboration platform,” says ngCERT. “The flaw dubbed (CVE-2024-45519), allows unauthenticated attackers to execute arbitrary commands on affected Zimbra installations.”
According to ngCERT, the flaw, identified as CVE-2024-45519, could allow attackers to execute arbitrary commands without authentication, leading to system compromise, data theft, and malware infiltration. The alert comes amid growing concerns over cybersecurity threats in Nigeria, with authorities stepping up efforts to protect critical infrastructure and sensitive data.

How the attack works
The flaw, says the agency, exists in Zimbra’s postjournal service, which processes incoming emails over SMTP. Attackers exploit this by sending specially crafted emails that include malicious commands in the carbon copy (CC) field. When the postjournal service processes the email, the commands, which are encoded in base64 format, are executed, allowing hackers to install a webshell on the server.
“These emails contain base-64 encoded strings that are executed via the ‘sh’ shell to build and drop a webshell on the Zimbra server,” says ngCERT. “Once the webshell is installed, it listens for inbound connections containing a specific JSESSIONID cookie field. If the correct cookie is detected, the webshell parses another cookie (JACTION) that contains base64-encoded commands to execute.”
ngCERT further highlighted that, once deployed, this webshell listens for specific inbound connections, enabling attackers to:
• Gain full access to email servers, intercepting communications.
• Exfiltrate sensitive data, posing risks to businesses and government agencies.
• Deploy ransomware or other malware, leading to financial and operational damage.
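A defender's check for the two artifacts described above, as an added example that is not from ngCERT, Zimbra or the original article: it decodes base64 runs found in a message's Cc header and flags HTTP requests carrying a JACTION cookie. The function names, the 16-character threshold and the idea that raw messages and Cookie headers are available from mail and proxy logs are assumptions.

```python
import base64
import re
from email import message_from_string
from http.cookies import SimpleCookie

# Heuristic (assumption): a run of 16+ base64 characters is worth decoding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def decode_printable(token):
    """Return the decoded text if token is base64 of printable ASCII, else None."""
    padded = token + "=" * (-len(token) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text and text.isprintable() else None

def suspicious_cc(raw_message):
    """Decoded base64 runs found in any Cc header of a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    hits = []
    for value in msg.get_all("Cc", []):
        for token in B64_RUN.findall(value):
            decoded = decode_printable(token)
            if decoded:
                hits.append(decoded)
    return hits

def jaction_payload(cookie_header):
    """None if there is no JACTION cookie; otherwise its decoded (or raw) value."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "JACTION" not in jar:
        return None
    value = jar["JACTION"].value
    return decode_printable(value) or value

# Constructed, harmless sample data (not taken from any real incident).
SAMPLE_B64 = base64.b64encode(b"constructed-sample").decode()
SAMPLE_MESSAGE = (
    "From: a@example.test\nTo: b@example.test\n"
    f"Cc: {SAMPLE_B64}@example.test\nSubject: constructed\n\nbody\n"
)
SAMPLE_COOKIE = f"JSESSIONID=constructed-session; JACTION={SAMPLE_B64}"

if __name__ == "__main__":
    print("Cc hits:", suspicious_cc(SAMPLE_MESSAGE))
    print("JACTION:", jaction_payload(SAMPLE_COOKIE))
```

The base64 match is a heuristic and can flag unusual but legitimate addresses, so treat hits as leads for review rather than confirmed compromise.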

ngCERT’s call to action
Given the potential risks, ngCERT has urged organisations, IT administrators, and security teams to take proactive steps to mitigate the threat. The agency recommends:
• Disabling the postjournal service if not required.
• Ensuring ‘mynetworks’ is correctly configured to prevent unauthorized access.
• Applying the latest security patches provided by Zimbra to close the vulnerability.
ngCERT was established in 2014 to prepare for, protect against, and secure Nigeria’s cyberspace in anticipation of potential attacks, issues, or events. Operating under the Office of the National Security Adviser, ngCERT is responsible for minimising the occurrence of future incidents to foster a safe, secure, and resilient cyberspace in the country.
Article edited by Yusuf Balogun.