Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Governance & Risk Management

Thousands of Exim Servers Vulnerable to Critical Flaw: Report

RiskIQ Researchers Warn of Two Other Exim Email Server Bugs
Thousands of Exim Servers Vulnerable to Critical Flaw: Report

Thousands of unpatched Exim email servers are potentially vulnerable to a critical flaw that the U.S. National Security Agency says Russian-backed hackers are attempting to exploit, according to the security firm RiskIQ.

See Also: Russian Programs Threatening Critical Infrastructure

RiskIQ also warns of two other vulnerabilities in Exim email servers that also should be patched to guard against nation-state and other attacks.

On May 28, the NSA issued a warning that a Russian-backed hacking group called Sandworm has been targeting Exim, a commonly used mail transfer agent found in Unix operating systems, since 2019. The hackers have been attempting to exploit an email receipt vulnerability in Exim version 4.87 to 4.91, tracked as CVE-2019-10149, which could allow for remote code execution within the victim's web server, according to the NSA alert (see: NSA: Russian Hackers Targeting Vulnerable Email Servers). In its alert, the NSA said the Sandworm hackers could exploit the the vulnerability to install programs, modify data and create new accounts.

Security experts say such an exploit could pave the way to hackers reading stored emails within a vulnerable network and using servers to launch other attacks.

Vulnerable Servers

When RiskIQ analysts did a scan of open internet ports in early May - before the NSA announcement - they found over 900,000 Exim web servers running older versions of the software that were vulnerable to either the CVE-2019-10149 bug or the other two vulnerabilities in the software, according to the report. A minority were vulnerable to the bug NSA highlighted.

Exim email server versions found in a scan of open internet ports in early May. Those running versions 4.87 to 4.91 are vulnerable to a critical flaw highlighted by the NSA. (Source: RiskIQ)

And while the number of vulnerable Exim web servers has likely dropped since RiskIQ did its scans last month, there is still likely a significant number that require patching, says Steve Ginty, head of threat intelligence at RiskIQ.

Ginty notes that the majority of the vulnerable servers were running version 4.92 of the software, and users need to upgrade to version 4.93 to ensure all the flaws are patched. He declined to discuss if any customers had reported suspicious or unusual behavior with their networks tied to the Exim vulnerabilities.

Patches Issued

Exim released a patch in June 2019 to fix the CVE-2019-10149 vulnerability highlighted by the NSA. It released patches for the other two vulnerabilities in September 2019.

All three vulnerabilities could be leveraged by the same Russian hacking group, according to the RiskIQ report, although the NSA only focused on the CVE-2019-10149 flaw.

The other two remote code vulnerabilities in Exim web servers are:

  • CVE-2019-15846: If exploited, this vulnerability, which affects Exim versions up to and including version 4.92.1, enables attackers to run programs on a system with full root privileges.
  • CVE-2019-16928: Detected on Exim versions 4.92 to 4.92.2, this flaw, if exploited, enables attackers to perform denial-of-service or remote code execution attacks.

While patching remains the key mitigation step, Ginty says that network visibility is also important. "If you can't upgrade immediately, having visibility into your environment - so you know where to monitor more closely - is the best thing for these kind of activities, but it is not the recommended solution," he says.

Managing Editor Scott Ferguson contributed to this report.


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.asia, you agree to our use of cookies.