Email Servers: Exim Flaw Leaves Millions at Risk of Hacking
Remotely Executable Flaw Could be Exploited by BEC and Ransomware Attackers
Security experts are urging Linux and Unix administrators to immediately patch Exim, one of the world's most-used message transfer agents.
It’s the second time in the last three months that a remotely executable flaw has been revealed in Exim, which ships with many Linux distributions. Mail transfer agents, or MTAs, operate in the background but remain critical for transferring email.
Numerous systems appear to be at risk. An internet-wide scan conducted by the Michigan-based security company Censys, for example, found that as many as 4.5 million systems across 2 million IP addresses have yet to be patched (see: Software Bugs: Gotta Catch 'Em All?).
The vulnerability exists in Exim versions 4.92.1 and earlier. The patched version, released Friday, is 4.92.2.
The vulnerability - designated CVE-2019-15846 - involves TLS connections created using server name indication, which allows a client to establish a secure connection to the right hostname when multiple hosts with multiple TLS certificates are using the same IP address.
By sending an SNI handshake ending in a backslash-null sequence, either a local or remote attacker can gain root access and execute a program with root privileges, Exim warns in a security advisory. A researcher known as “Zerons” is credited with reporting the flaw to Exim on July 21.
Organizations should consider the vulnerability to potentially have a high impact on their networks, especially for those that operate their own email service, says Art Sturdevant, a senior solutions engineer with Censys. That's because the flaw could be abused to steal data or execute social engineering shenanigans.
“It's worth mentioning that taking over an email server is sort of its own reward,” Sturdevant says. “Attackers would then have the ability to spoof email to/from the CEO to employees, or read private emails, etc.”
Likely Coming Soon: A Public Exploit
The Exim flaw is also the type of easily exploitable vulnerability in widely used software that malware-wielding attackers, including ransomware gangs, have never shied away from targeting.
“While we can’t confirm whether a PoC [proof-of-concept attack] has been made public, it’s likely that threat actors are working on developing their own as we speak,” says Ryan Seguin, a technical support engineer at Tenable, which specializes in vulnerability management. “Anyone with enough skill could craft an exploit script from publicly available information.”
While full-fledged attacks have yet to be seen, proof-of-concept exploit code has been circulating online, and as of last week a rudimentary exploit - not yet public - was already making the rounds, according to a post to the Openwall.com forum, which focuses on free and open-source software.
Exim is widely used. Indeed, most Linux distributions include a package for Exim, meaning every Linux system will need an updated package, says Steve Siadak, senior director of engineering at Censys. While there is a way to temporarily mitigate the flaw, it isn't ideal, because it requires deactivating TLS, which means that unless an organization's email content was otherwise encrypted, it would be left as plaintext and could easily be intercepted.
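The two facts an administrator needs from the paragraphs above are whether the installed build is older than the fixed 4.92.2 release and, if it is, whether the server still advertises STARTTLS (the temporary mitigation is to stop doing so). The following script is an added example, not code from the article or from the Exim project: it parses the version line that `exim -bV` prints, compares it with 4.92.2, and inspects the configuration text for Exim's real `tls_advertise_hosts` main option. The sample `exim -bV` lines, the configuration fragments and the hostname are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the article or the Exim project: classify an Exim
# host for CVE-2019-15846 from (a) the version reported by `exim -bV` and
# (b) whether the configuration still advertises STARTTLS. The fixed release
# is 4.92.2, as the article states. All sample inputs below are constructed.

PATCHED_VERSION="4.92.2"

# version_ge A B -> returns 0 if dotted version A >= B (missing parts count as 0)
version_ge() {
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$1" | awk -F. -v n="$i" '{ print $n + 0 }')
        y=$(printf '%s' "$2" | awk -F. -v n="$i" '{ print $n + 0 }')
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# exim_version BV_OUTPUT -> prints the version number from `exim -bV` output
exim_version() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# tls_advertised CONFIG_TEXT -> returns 0 when tls_advertise_hosts is set to a
# non-empty host list, i.e. STARTTLS (and with it SNI handling) is offered.
# Only a literal top-level setting is recognised; macros and .include files
# are not followed (a limitation of this example, not of Exim).
tls_advertised() {
    printf '%s\n' "$1" |
        grep -E '^[[:space:]]*tls_advertise_hosts[[:space:]]*=[[:space:]]*[^[:space:]#]' >/dev/null
}

# exim_status BV_OUTPUT CONFIG_TEXT -> prints one of:
#   patched | unknown | VULNERABLE | VULNERABLE-tls-disabled
exim_status() {
    v=$(exim_version "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_ge "$v" "$PATCHED_VERSION"; then
        echo patched
    elif tls_advertised "$2"; then
        echo VULNERABLE
    else
        echo VULNERABLE-tls-disabled
    fi
}

# Constructed samples. On a real host you would run something like
#   exim_status "$(exim -bV)" "$(cat /etc/exim4/exim4.conf)"
# with the configuration path of your distribution.
BV_OLD="Exim version 4.92.1 #3 built 20-Jul-2019 10:00:00"
BV_NEW="Exim version 4.92.2 #1 built 06-Sep-2019 10:00:00"
CFG_TLS="primary_hostname = mail.example.invalid
tls_advertise_hosts = *"
CFG_NOTLS="primary_hostname = mail.example.invalid
tls_advertise_hosts ="

printf 'old build, TLS on:  %s\n' "$(exim_status "$BV_OLD" "$CFG_TLS")"
printf 'old build, TLS off: %s\n' "$(exim_status "$BV_OLD" "$CFG_NOTLS")"
printf 'patched build:      %s\n' "$(exim_status "$BV_NEW" "$CFG_TLS")"
```

The `VULNERABLE-tls-disabled` result reflects exactly the trade-off the paragraph describes: the host no longer exposes the SNI code path, but mail to and from it travels in plaintext, so it is a stopgap until the 4.92.2 package is installed, not a fix.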
Linux Systems Under Fire
The Exim vulnerability isn't the only threat facing Linux systems, which are also being targeted by Lilocked - aka Lilu - ransomware, which was first spotted in July, as Bleeping Computer reported.
Ransomware researcher Michael Gillespie, who investigates new strains of ransomware and helps victims identify them via his free ID Ransomware service, tweeted on July 21 that Lilocked appears to be targeting services, leaving encrypted files with a ".lilocked" extension.
How Lilocked infects systems remains unclear. But the prior Exim vulnerability revealed in June remains a likely culprit. Exim has patched that flaw, designated CVE-2019-10149, which was remotely exploitable, affected Exim versions 4.87 through 4.91 and was informally known as The Return of the WIZard.
According to the CVE write-up, the flaw involved improper validation of the recipient address in the deliver_message() function in /src/deliver.c, which could be abused to allow remote code execution.
Google’s search engine has revealed that at least 6,000 systems have been infected by Lilocked, as it's indexed many of the publicly affected servers, says Chris Gerritz, co-founder of Texas-based cybersecurity firm Infocyte.
As with the previous Exim flaw, Gerritz warns that the latest vulnerability “can be leveraged by ransomware authors to push their malware to thousands of systems with minimal effort.”
Another risk: Attackers could use the flaw to leave a tough-to-spot backdoor in Exim, allowing for persistent access. “If the same vulnerability that Lilocked used is used by other malware or more silent backdoors, website administrators would be wise to check the integrity of their servers to ensure no recent changes have been made this month,” says Gerritz, who previously served as chief of defensive counter cyber operations for the U.S. Air Force's computer emergency response team. “It won't all be ransomware.”
Sturdevant at Censys also warns that attackers could leverage access to the MTA for deeper access to an organization. “They could steal certificates and impersonate victims to run convincing phishing campaigns, and if the server shares services, like databases or file stores, they could be encrypted or copied under threat of release - sort of a reverse ransomware,” he says.
In addition, if the email service is hosted in the cloud, attackers might be able to use the vulnerability to gain access to an organization’s data within Amazon Web Services or Google Cloud Platform, he says.
Executive Editor Mathew Schwartz contributed to this report.