Exim, deployed on half of email servers, under attack

The mail transfer agent (MTA), deployed on more than half of all internet-facing mail servers, came under severe attacks from hacker groups days after the vulnerability in older versions was exposed

Exim, the mail transfer agent (MTA) deployed on close to 57 percent of all internet-facing mail servers, has come under severe attacks from hacker groups.

The vulnerability, tracked as CVE-2019-10149, affects Exim versions 4.87–4.91. It was flagged by the US Commerce Department’s National Institute of Standards and Technology. Users running the latest version (4.92) of Exim on their Linux box are safe for the time being.

Two of the attacking hacker groups have been identified, one using a public internet server and the other a dark web server, reported ZDNet.

Qualys, the research outfit that uncovered the flaw and named it The Return of the WIZard, pointed out that the vulnerability enables attackers to remotely run arbitrary commands as root — in most cases — on exposed servers.

"Exim is vulnerable by default since version 4.87 (released on 6 April 2016), when #ifdef EXPERIMENTAL_EVENT became #ifndef DISABLE_EVENT; and older versions may also be vulnerable if EXPERIMENTAL_EVENT was enabled manually. Surprisingly, this vulnerability was fixed in version 4.92 (released on 10 February, 2019)," said the Qualys report.

Amateur security researcher Freddie Leeman tweeted about the first wave of attacks on 9 June. "Detected multiple variants and they are changing the scripts too. The latest versions are directly downloading the binary payload and running it, skipping the gathering of system data and posting it," his tweet said.

"This once again proves how quickly threat actors will strike once a vulnerability is announced. Exploiting such a vulnerability causes maximum aggravation, not what the cyber-security specialists were possibly expecting," said Jake Moore, cyber-security specialist at ESET. "Taking out email traffic is not usually something we see in the way of a cyber-attack but naturally causes absolute havoc if carried out successfully."  

The US Department of Homeland Security announced on 13 June that Exim has released patches to address the vulnerability. "A remote attacker could exploit this vulnerability to take control of an affected email server. This vulnerability was detected in exploits in the wild," said the announcement.

"It is critically important for those running Exim to upgrade to version 4.92 or apply the backported fix to vulnerable versions in order to prevent these newly discovered attacks from succeeding," said Satnam Narang, senior research engineer at Tenable.
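A practical way to act on the advice above is to triage each mail server's `exim -bV` output against the version range the article names (4.87 through 4.91 affected, 4.92 fixed). The script below is an added example, not code from the article, Exim or any of the vendors quoted; the `exim -bV` sample lines are constructed, and the `distro_patched` flag is an assumption standing in for whatever the operator has confirmed from a vendor changelog, since a backported fix does not change the upstream version string.

```python
"""Triage helper: is this Exim build inside the CVE-2019-10149 range?

Added example, not part of the article. It parses the first line of
`exim -bV` output and compares it against the versions the article names:
4.87 through 4.91 affected, 4.92 fixed. Sample outputs below are constructed.
"""
import re
import subprocess

FIRST_AFFECTED = (4, 87)   # article: "affects Exim versions 4.87-4.91"
FIXED_IN = (4, 92)         # article: "fixed in version 4.92"

# First line of `exim -bV` looks like "Exim version 4.91 #1 built 12-Mar-2019 ..."
# Some builds carry a suffix such as "4.86_2"; only major.minor is needed here.
_VERSION_RE = re.compile(r"^Exim version (\d+)\.(\d+)", re.MULTILINE)


def parse_exim_version(bv_output):
    """Return (major, minor) from `exim -bV` text, or None if absent."""
    m = _VERSION_RE.search(bv_output)
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(version, distro_patched=False):
    """Bucket a version against the article's ranges.

    distro_patched (assumed flag): set by the operator after confirming, from
    the package changelog or vendor advisory, that the 4.92 fix was backported.
    The upstream version string alone cannot reveal a backport, which is why
    the article's advice is "upgrade to 4.92 OR apply the backported fix".
    """
    if version is None:
        return "unknown"
    if version >= FIXED_IN:
        return "fixed"
    if version >= FIRST_AFFECTED:
        return "fixed-by-backport" if distro_patched else "affected"
    # Builds before 4.87 were only exposed if EXPERIMENTAL_EVENT was enabled
    # manually (per the Qualys quote), so they need a build-option check.
    return "pre-4.87-check-build-options"


def triage(hosts, patched_hosts=frozenset()):
    """Map host -> classification for a dict of host -> `exim -bV` output."""
    return {
        host: classify(parse_exim_version(out), distro_patched=host in patched_hosts)
        for host, out in hosts.items()
    }


def local_exim_bv():
    """Run `exim -bV` on this machine; returns '' if Exim is not installed."""
    try:
        return subprocess.run(["exim", "-bV"], capture_output=True,
                              text=True, timeout=10).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""


# Constructed sample outputs (not real hosts); the line format mirrors `exim -bV`.
SAMPLE_BV = {
    "mx1": "Exim version 4.91 #1 built 12-Mar-2019 05:27:16\n"
           "Copyright (c) University of Cambridge, 1995 - 2018\n",
    "mx2": "Exim version 4.92 #3 built 20-Apr-2019 10:00:00\n",
    "mx3": "Exim version 4.89 #1 built 01-Jun-2017 09:12:00\n",  # backport confirmed
    "mx4": "Exim version 4.86_2 #1 built 14-Feb-2016 12:00:00\n",
    "mx5": "sh: exim: command not found\n",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_BV, patched_hosts={"mx3"}).items():
        print(f"{host}: {verdict}")
    print("local:", classify(parse_exim_version(local_exim_bv())))
```

Run it on a fleet by feeding each host's `exim -bV` output into `triage`; the "pre-4.87" bucket is deliberately not marked safe, because the Qualys note says those builds are exposed whenever EXPERIMENTAL_EVENT was enabled at compile time.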

As expected, national security agencies across geographies have issued alerts.

"CERT.be recommends systems administrators to follow this up and to act accordingly should they be running a compromised version of Exim. The vulnerability has been patched in Exim 4.92. We recommend the installation of the latest version of this software in case you are still running an older version," announced the Cybersecurity and Infrastructure Security Agency (CISA) of Belgium.
