
Email Servers: Exim Flaw Leaves Millions at Risk of Hacking

Remotely Executable Flaw Could be Exploited by BEC and Ransomware Attackers
Exposed Exim servers affected by the vulnerability (Source: Censys)

Security experts are urging Linux and Unix administrators to immediately patch Exim, one of the world's most-used message transfer agents.


It’s the second time in the last three months that a remotely executable flaw has been revealed in Exim, which ships with many Linux distributions. Mail transfer agents, or MTAs, operate in the background but remain critical for transferring email.

Numerous systems appear to be at risk. An internet-wide scan conducted by the Michigan-based security company Censys, for example, found that as many as 4.5 million systems across 2 million IP addresses have yet to be patched (see: Software Bugs: Gotta Catch 'Em All?).

The vulnerability exists in Exim versions 4.92.1 and earlier. The patched version, released Friday, is 4.92.2.

The vulnerability - designated CVE-2019-15846 - involves TLS connections created using server name indication, which allows a client to establish a secure connection to the right hostname when multiple hosts with multiple TLS certificates are using the same IP address.

By sending an SNI handshake ending in a backslash-null sequence, either a local or remote attacker can gain root access and execute a program with root privileges, Exim warns in a security advisory. A researcher known as “Zerons” is credited with reporting the flaw to Exim on July 21.

Organizations should consider the vulnerability to potentially have a high impact on their networks, especially for those that operate their own email service, says Art Sturdevant, a senior solutions engineer with Censys. That's because the flaw could be abused to steal data or execute social engineering shenanigans.

“It's worth mentioning that taking over an email server is sort of its own reward,” Sturdevant says. “Attackers would then have the ability to spoof email to/from the CEO to employees, or read private emails, etc.”

Likely Coming Soon: A Public Exploit

The Exim flaw is also the type of easily exploitable vulnerability in widely used software that malware-wielding attackers, including ransomware gangs, have never shied away from targeting.

“While we can’t confirm whether a PoC [proof-of-concept attack] has been made public, it’s likely that threat actors are working on developing their own as we speak,” says Ryan Seguin, a technical support engineer at Tenable, which specializes in vulnerability management. “Anyone with enough skill could craft an exploit script from publicly available information.”

If full-fledged attacks have yet to be seen, proof-of-concept exploit code has been circulating online, and as of last week, a rudimentary exploit - not yet public - was already making the rounds, according to a post to a forum that focuses on free and open-source software.

Exim is widely used. Indeed, most Linux distributions include a package for Exim, meaning every Linux system will need an updated package, says Steve Siadak, senior director of engineering at Censys. While there is a way to temporarily mitigate the flaw, it isn't ideal, because it requires deactivating TLS, which means that unless an organization's email content was otherwise encrypted, it would be left as plaintext and could be easily intercepted.

Linux Systems Under Fire

The Exim vulnerability isn't the only threat to be facing Linux systems, which are also being targeted by Lilocked - aka Lilu - ransomware, which was first spotted in July, as Bleeping Computer reported.

Ransomware researcher Michael Gillespie, who investigates new strains of ransomware and helps victims identify them via his free ID Ransomware service, tweeted on July 21 that Lilocked appears to be targeting services, leaving encrypted files with a ".lilocked" extension.

How Lilocked infects systems remains unclear. But the prior Exim vulnerability revealed in June remains a likely culprit. Exim has patched that flaw, designated CVE-2019-10149, which was remotely exploitable, affected Exim versions 4.87 through 4.91 and was informally known as The Return of the WIZard.

According to the CVE write-up, the flaw involved improper validation of the recipient address in the deliver_message() function in /src/deliver.c, which could be abused to allow remote code execution.
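Added example, not from the article or the Exim project: a version triage that parses `exim -bV` output or an SMTP greeting and checks it against the ranges the article gives for CVE-2019-15846 and CVE-2019-10149. The sample lines are constructed, and because a distribution package may carry a backported fix under an older upstream version number, a match means the package changelog should be checked rather than that the host is confirmed vulnerable.

```python
import re

# Upstream version ranges as stated in the article: (lowest, highest), inclusive.
# Assumption: "through 4.91" is read as upper bound 4.91 with no patch level.
ADVISORIES = {
    "CVE-2019-15846": (None, (4, 92, 1)),         # 4.92.1 and earlier
    "CVE-2019-10149": ((4, 87, 0), (4, 91, 0)),   # 4.87 through 4.91
}

# Matches `exim -bV` output ("Exim version 4.92.1 #3 built ...") and an
# SMTP greeting ("220 host ESMTP Exim 4.92.1 ...").
_VERSION_RE = re.compile(r"\bExim (?:version )?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_exim_version(text):
    """Return (major, minor, patch) from a banner or -bV line, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def affected_by(version):
    """Return the sorted CVE ids whose stated range contains this version."""
    hits = []
    for cve, (low, high) in ADVISORIES.items():
        if (low is None or version >= low) and version <= high:
            hits.append(cve)
    return sorted(hits)


def triage(lines):
    """Map each input line to (parsed version or None, matching CVE ids)."""
    report = {}
    for line in lines:
        version = parse_exim_version(line)
        report[line] = (version, affected_by(version) if version else [])
    return report


# Constructed sample input: hostnames, build numbers and dates are made up.
SAMPLES = [
    "Exim version 4.92.1 #3 built 25-Jul-2019 10:11:12",
    "220 mail.example.test ESMTP Exim 4.90 Mon, 09 Sep 2019 08:00:00 +0000",
    "220 mx.example.test ESMTP Exim 4.92.2 Mon, 09 Sep 2019 08:00:00 +0000",
    "220 relay.example.test ESMTP Postfix",
]

if __name__ == "__main__":
    for line, (version, cves) in triage(SAMPLES).items():
        print(version, cves or "no match", "<-", line)
```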

Google’s search engine has revealed that at least 6,000 systems have been infected by Lilocked, as it's indexed many of the publicly affected servers, says Chris Gerritz, co-founder of Texas-based cybersecurity firm Infocyte.

As with the previous Exim flaw, Gerritz warns that the latest vulnerability “can be leveraged by ransomware authors to push their malware to thousands of systems with minimal effort.”

Beyond Ransomware

Another risk: Attackers could use the flaw to leave a tough-to-spot backdoor in Exim, allowing for persistent access. “If the same vulnerability that Lilocked used is used by other malware or more silent backdoors, website administrators would be wise to check the integrity of their servers to ensure no recent changes have been made this month,” says Gerritz, who previously served as chief of defensive counter cyber operations for the U.S. Air Force's computer emergency response team. “It won't all be ransomware.”

Sturdevant at Censys also warns that attackers could leverage access to the MTA for deeper access to an organization. “They could steal certificates and impersonate victims to run convincing phishing campaigns and if the server shares services, like databases or files stores, they could be encrypted or copied under threat of release - sort of a reverse ransomware,” he says.

In addition, if the email service is hosted in the cloud, attackers might be able to use the vulnerability to gain access to an organization’s data within Amazon Web Services or Google’s Cloud Platform, he says.

Executive Editor Mathew Schwartz contributed to this report.

About the Author

Jeremy Kirk


Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
