An Exim vulnerability has been exploited in the wild. The vulnerability (CVE-2019-10149) has been exploited by a worm just one week after the flaw in the popular Linux-based mail transfer agent (MTA) was published. Microsoft’s Azure is among the products affected by the worm. Although the tech giant has been quick to assert that the Azure infrastructure, “has controls in place to help limit the spread of the worm,” customers could still be infected.
What does the Exim Vulnerability Do?
Exim is an MTA – this is software that relays emails between senders and recipients. This means that it is most commonly exposed to the public network, allowing attackers to take full advantage of the vulnerability. The Exim vulnerability allows attackers to remotely execute code, enabling them to take control of unpatched systems. Being a worm, the exploit doesn’t require user interaction, making it clear why the vulnerability has been rated as ‘critical’.
Azure is far from the only affected server. According to Shodan, there are over 3.5 million vulnerable servers worldwide, meaning millions of “sittings ducks” until patches are deployed.
What Should Skybox Customers Do?
If you know that this vulnerability exists within your environment and you haven’t already applied the patch, you should make it a top priority. You can either update the Exim server version directly or apply the relevant Linux patch: ALAS-2019-122, DSA-4456-1, GLSA-201906-01 or USN-4010-1.
Skybox’s Vulnerability Detector for Linux (using RedHat Satellite or other CMDBs) can help to detect which servers are running the vulnerable version of Exim. This, combined with Skybox’s visibility of where devices sit in your network, will give you a firm understanding about which servers are directly exposed so that you’re able to prioritize patching accordingly.
There is some good news if you’re running Red Hat Enterprise Linux 5: the company has marked it as being unaffected. This won’t be the case in a lot of other instances; it’s critical that you err on the side of caution and act with vigilance if you want to ensure that your organization remains safe.
BlueKeep Wormable Vulnerability Brings Back WannaCry Memories – Another wormable vulnerability that you should be keeping a firm eye on: learn about the impact that BlueKeep could have.