Vulnerability Affects Half of the Internet's Email Servers

Minimalist · Mar 6, 2018

A critical vulnerability affects hundreds of thousands of email servers. A fix has been released but this flaw affects more than half of the Internet's email servers, and patching the issue will take weeks if not months.

The bug is a vulnerability in Exim, a mail transfer agent (MTA) —software that runs on email servers and which relays emails from senders to recipients.

According to a survey conducted in March 2017, 56% of all of the Internet's email servers run Exim, with over 560,000 available online at the time. Another more recent report puts that number in the millions.
Click to expand...

https://www.bleepingcomputer.com/ne...-affects-half-of-the-internets-email-servers/

JoWazzoo · Mar 6, 2018

Wow - Exim is so basic...

guest · Jun 5, 2019

New RCE vulnerability impacts nearly half of the internet's email servers
Exim vulnerability lets attackers run commands as root on remote email servers
June 5, 2019
https://www.zdnet.com/article/new-r...s-nearly-half-of-the-internets-email-servers/

A critical remote command execution (RCE) security flaw impacts over half of the Internet's email servers, security researchers from Qualys have revealed today.
The vulnerability affects Exim, a mail transfer agent (MTA), which is software that runs on email servers to relay emails from senders to recipients.
EXIM REMOTE COMMAND EXECUTION
In a security alert shared with ZDNet earlier today, Qualys, a cyber-security firm specialized in cloud security and compliance, said it found a very dangerous vulnerability in Exim installations running versions 4.87 to 4.91.

Qualys said the vulnerability can be exploited instantly by a local attacker that has a presence on an email server, even with a low-privileged account.
Furthermore, the Qualys team says that when Exim is in certain non-default configurations, instant exploitation is also possible in remote scenarios.
Click to expand...

In an email to Linux distro maintainers, Qualys said the vulnerability is "trivially exploitable" and expects attackers to come up with exploit code in the coming days.

This Exim flaw is currently tracked under the CVE-2019-10149 identifier, but Qualys refers to it under the name of "Return of the WIZard" because the vulnerability resembles the ancient WIZ and DEBUG vulnerabilities that impacted the Sendmail email server back in the 90s.
Click to expand...

guest · Jun 13, 2019

mood said: ↑

New RCE vulnerability impacts nearly half of the internet's email servers
Exim vulnerability lets attackers run commands as root on remote email servers
June 5, 2019
https://www.zdnet.com/article/new-r...s-nearly-half-of-the-internets-email-servers/
Click to expand...

Exim email servers are now under attack
June 13, 2019
https://www.zdnet.com/article/exim-email-servers-are-now-under-attack/

FIRST GROUP AND THE FIRST WAVE OF ATTACKS
According to self-described security enthusiast Freddie Leeman, the first wave of attacks started on June 9, when the first hacker group started blasting out exploits from a command-and-control server located on the clear web
SECOND GROUP ENTERS THE FOLD
Parallel to this group, a second wave of attacks carried out by a second group was also seen get underway on June 10, Magni R. Sigurðsson, a security researcher at Cyren told ZDNet today in an email.
"The immediate objective of the current attack is to create a backdoor into the MTA servers by downloading a shell script that adds an SSH key to the root account," Sigurðsson told ZDNet.

This second wave of attacks, more advanced than the first, were also spotted today by Cybereason Head of Security Research Amit Serper, confirming that the group had not only continued to operate but had also amplified its attacks enough to pop up on the honeypots of other security firms as well.
For now, the only thing Exim server owners can do is to update to version 4.92 as soon as possible, and prevent any attacks from impacting their email servers.
Click to expand...

guest · Jun 14, 2019

mood said: ↑

Exim email servers are now under attack
Click to expand...

Millions of Email Servers at Risk from Cryptomining Worm
June 14, 2019
https://www.infosecurity-magazine.com/news/millions-email-servers-risk-from-1/

Researchers have spotted a major new cyber-attack campaign targeting millions of Linux email servers around the world with a cryptomining malware payload.

“This is a highly pervasive campaign that installs cron jobs for persistence and downloads several payloads for different stages of the attack. In one of those stages, one of the payloads is a port scanner written in python. It looks for additional vulnerable servers on the internet, connects to them, and infects them with the initial script,” wrote Cybereason.
“In the attack, the attackers add an RSA authentication key to the SSH server which allows them to connect to the server as root and own it completely.”

"[...] They used hidden services on the TOR network to host their payloads and created deceiving windows icon files in an attempt to throw off researchers and even system administrators who are looking at their logs,” concluded Cybereason.
Click to expand...

Cybereason: New Pervasive Worm Exploiting Linux Exim Server Vulnerability

guest · Jun 16, 2019

Prevent the impact of a Linux worm by updating Exim (CVE-2019-10149)
June 14, 2019
https://blogs.technet.microsoft.com...a-linux-worm-by-updating-exim-cve-2019-10149/

This week, MSRC confirmed the presence of an active Linux worm leveraging a critical Remote Code Execution (RCE) vulnerability, CVE-2019-10149, in Linux Exim email servers running Exim version 4.87 to 4.91. Azure customers running VMs with Exim 4.92 are not affected by this vulnerability.

Azure has controls in place to help limit the spread of this worm from work we’ve already done to combat SPAM, but customers using the vulnerable software would still be susceptible to infection.
[...]
It is for these reasons that we strongly advise that all affected systems – irrespective of whether NSGs are filtering traffic or not – should be updated as soon as possible.  
Click to expand...

guest · Jun 24, 2019

mood said: ↑

Exim email servers are now under attack
Click to expand...

The “Return of the WiZard” Vulnerability: Crooks Start Hitting
June 24, 2019
https://blog.yoroi.company/research/the-return-of-the-wizard-vulnerability-crooks-start-hitting/

In the past days, a really important issue has been disclosed to the public: “Return of the WiZard” vulnerability (ref. EW N030619, CVE-2019-10149).

Cybaze-Yoroi ZLAB observed many attack attempts trying to spread malware abusing the CVE-2019-10149 issue [...] or also the 9th June wave which tried to download a particular Linux agent. Yoroi-Cybaze ZLab analyzed this malware threat.
Conclusion
This attack wave shows how simple can be for an attacker to run a widespread attacks with customized malware, threatening all the unpatched Exim services exposed all around the Internet. In this analysis, we encountered an effective information stealer able to easily gather sensitive information about the compromised system.
Anyway, this case represents only one possible attack scenario abusing the “Return of the WiZard” vulnerability: cryptominers, botnets or also ransomwares could also leverage this weakness, along with APT groups.
Click to expand...

guest · Sep 6, 2019

Critical Exim TLS Flaw Lets Attackers Remotely Execute Commands as Root
September 6, 2019
https://www.bleepingcomputer.com/ne...-attackers-remotely-execute-commands-as-root/

The Exim mail transfer agent (MTA) software is impacted by a critical severity vulnerability present in all versions up to and including 4.92.1, and allowing remote attackers to execute programs with root privileges on all servers that accept TLS connections.

The flaw tracked as CVE-2019-15846 — initially reported by 'Zerons' on July 21 and analyzed by Qualys' research team — is "exploitable by sending an SNI ending in a backslash-null sequence during the initial TLS handshake" which leads to RCE with root privileges on the mail server.

"If your Exim server accepts TLS connections, it is vulnerable. This does not depend on the TLS libray, so both, GnuTLS and OpenSSL are affected," says Exim's development team.
No exploits to be found, PoC exploit is available
On September 4, Exim's development team published an early warning on the Openwall information security mailing list to give everyone a heads-up notice that a critical security flaw affecting Exim will be patched today with the release of the 4.92.2 version.
Exim developer Heiko Schlittermann told BleepingComputer that the Exim development team will not backport the fix released today for the CVE-2019-15846 security flaw [...]
Click to expand...

guest · Sep 7, 2019

Exim fails to properly handle peer DN and SNI in TLS handshakes
Vulnerability Note VU#672565
September 6, 2019
https://kb.cert.org/vuls/id/672565/

Overview
Exim version 4.8.0 up to and including 4.92.1 does not properly handle peer distinguished names (DN) and Sever Name Indication (SNI) during a TLS negotiation. This could allow a local or remote unauthenticated attacker to execute arbitrary code with root privileges.
Impact
A local or remote unauthenticated attacker can execute arbitrary code with root privileges.
Solution
This vulnerability is addressed in Exim 4.92.2. For further information see the Exim advisory for CVE-2019-15846.
Click to expand...

guest · Sep 20, 2019

mood said: ↑

Exim fails to properly handle peer DN and SNI in TLS handshakes
Vulnerability Note VU#672565
September 6, 2019
https://kb.cert.org/vuls/id/672565/
Click to expand...

Last Revised: 2019-09-18:
Exim fails to properly handle trailing backslashes in string_interpret_escape()
Vulnerability Note VU#672565
September 18, 2019
https://kb.cert.org/vuls/id/672565/

Overview
Exim versions up to and including 4.92.1 do not properly handle trailing backslash characters in the string_interpret_escape() function. This function is used to handle peer distinguished names (DN) and Sever Name Indication (SNI) during a TLS negotiation. This vulnerability could allow a local or remote unauthenticated attacker to execute arbitrary code with root privileges.
Impact
By causing a vulnerable Exim server to process an SMTP email message, a local or remote unauthenticated attacker may be able to execute arbitrary code with root privileges.
Solution
Apply an update: This vulnerability is addressed in Exim 4.92.2. For further information see the Exim advisory for CVE-2019-15846.
Use ACLs to block attack attempts: The Exim advisory provides ACLs to deny email messages with trailing backslashes in TLS SNI or peer DN fields: [...]
Click to expand...

guest · Sep 30, 2019

New Critical Exim Flaw Exposes Email Servers to Remote Attacks — Patch Released
September 30, 2019
https://thehackernews.com/2019/09/exim-email-security-vulnerability.html

A critical security vulnerability has been discovered and fixed in the popular open-source Exim email server software, which could allow a remote attacker to simply crash or potentially execute malicious code on targeted servers.

Exim maintainers today released an urgent security update—Exim version 4.92.3—after publishing an early warning two days ago, giving system administrators an early head-up on its upcoming security patches that affect all versions of the email server software from 4.92 up to and including then-latest version 4.92.2.
This is the second time in this month when the Exim maintainers have released an urgent security update. Earlier this month, the team patched a critical remote code execution flaw (CVE-2019-15846) in the software that could have allowed remote attackers to gain root-level access to the system.

Identified as CVE-2019-16928 and discovered by Jeremy Harris of Exim Development Team, the vulnerability is a heap-based buffer overflow (memory corruption) issue in string_vformat defined in string.c file of the EHLO Command Handler component.
Click to expand...

guest · Oct 1, 2019

Exim Vulnerability (CVE-2019-16928): Global Exposure Details and Remediation Advice
October 1, 2019
https://blog.rapid7.com/2019/10/01/...obal-exposure-details-and-remediation-advice/

On Sept. 27, 2019, CVE-2019-16928 was promulgated, indicating that all versions from 4.92.0 through 4.92.2 were vulnerable to a heap-based buffer overflow that could potentially allow for denial of service or arbitrary code execution on Exim mail servers. Exim version 4.92.3 was promptly released to remedy the identified vulnerability [...]
Exim vulnerability exposure across the world
When we used Sonar to scan the internet and then applied Recog to fingerprint for Exim, we found approximately 4.75 million Exim assets, of which 72.5% were some variant of Exim 4.92.*.

Before we get much further, please note that the scanner-based data we’re leveraging here was collected on Sept. 19 and therefore predates the Sept. 27 announcement and patch. This means it is possible that there are fewer exposed pre-4.92.3 systems today—though probably not by much.
We identified the distribution of autonomous systems with the most significant manifestations of Exim 4.92.*: [...]
Click to expand...

guest · May 28, 2020

mood said: ↑

New RCE vulnerability impacts nearly half of the internet's email servers
Exim vulnerability lets attackers run commands as root on remote email servers
June 5, 2019
https://www.zdnet.com/article/new-r...s-nearly-half-of-the-internets-email-servers/
Click to expand...

NSA: Russian govt hackers exploiting critical Exim flaw since 2019
May 28, 2020
https://www.bleepingcomputer.com/ne...ers-exploiting-critical-exim-flaw-since-2019/

The U.S. National Security Agency (NSA) says that Russian military threat actors known as Sandworm Team have been exploiting a critical flaw in the Exim mail transfer agent (MTA) software since at least August 2019.

The vulnerability tracked as CVE-2019-10149 and named "The Return of the WIZard" makes it possible for unauthenticated remote attackers to execute arbitrary commands as root on vulnerable mail servers after sending a specially crafted email.

"When the patch was released last year, Exim urged its users to update to the latest version," the agency says. "NSA adds its encouragement to immediately patch to mitigate against this still current threat."
Attacks started after the Exim flaw got patched
GRU Main Center for Special Technologies (GTsST) hackers have started exploiting victims' unpatched Exim serves after an update was issued on June 5, 2019, for users to patch their vulnerable servers.
Click to expand...

guest · Jun 2, 2020

Critical Exim bugs being patched but many servers still at risk
June 2, 2020
https://www.bleepingcomputer.com/ne...being-patched-but-many-servers-still-at-risk/

Patching Exim mail servers is not going fast enough and members of the Russian hacker group Sandworm are actively exploiting three critical vulnerabilities that allow executing remote command or code remotely.
Close to a million Exim servers are currently exposed and vulnerable, although the number is gradually getting lower every day. Exim 4.93 is currently considered a safe release.
Broader attack campaign
The U.S. National Security Agency (NSA) on Thursday warned that since August last year, the hackers have been leveraging CVE-2019-10149 ("The Return of the WIZard“).

Researchers at RiskIQ found that Sandworm’s attacks use two more security security bugs in unpatched Exim servers. Both are critical and can be exploited remotely without authentication to run code or applications with root privileges: [...]
A cursory look on Shodan, shows a little over a million unpatched Exim (4.92) servers online, most of them being in the United States, followed by Germany and Russia.
Click to expand...

Hermano Queiroz · Jun 2, 2020

However, if you are running a version of Exim 4.92 or higher, you should be safe from the exploit, but all prior versions of the software need an immediate fix. The simplest fix for the vulnerability is to update the Exim mail server to the current version of Exim which is 4.93

reasonablePrivacy · May 5, 2021

21Nails vulnerabilities impact 60% of the internet’s email servers

The maintainers of the Exim email server software have released updates today to patch a collection of 21 vulnerabilities that can allow threat actors to take over servers using both local and remote attack vectors.

Known as 21Nails, the vulnerabilities were discovered by security firm Qualys.

The bugs impact Exim, a type of email server known as a mail transfer agent (MTA) that helps email traffic travel across the internet and reach its intended destinations.

While there are different MTA clients available, an April 2021 survey shows that Exim has a market share of nearly 60% among all MTA solutions, being widely adopted around the internet.
Click to expand...

Log in or Sign up

Vulnerability Affects Half of the Internet's Email Servers

Minimalist Registered Member

JoWazzoo Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Hermano Queiroz Registered Member

reasonablePrivacy Registered Member

Log in or Sign up

Vulnerability Affects Half of the Internet's Email Servers

Minimalist Registered Member

JoWazzoo Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Hermano Queiroz Registered Member

reasonablePrivacy Registered Member

Useful Searches