Security Alert

Alert – New Exim Mail Transfer Agent Vulnerability 2020-06-15

Background:
Exim is a mail transfer agent (MTA) used on Unix-based operating systems and comes pre-installed on some Linux distributions such as Debian. Exim aims to be a general and flexible mailer with extensive facilities for checking incoming e-mail and is widely used with cPanel. A critical vulnerability in Exim has been exploited in the wild since at least August 2019. On 5 June 2019, an update for the critical vulnerability (CVE-2019-10149) in Exim was released. The remote code execution vulnerability was introduced in Exim version 4.87 (versions 4.87 through 4.91 are affected). An unauthenticated remote attacker can send a specially crafted message to execute commands with root privileges, allowing the attacker to install programs, modify data, and create new accounts.

Specification of the vulnerability (remote code execution):
CVE-2019-10149 is a flaw in the recipient-address handling of Exim's deliver_message() function. A remote attacker who can reach a public-facing Exim MTA supplies a crafted recipient address (the local part given in the SMTP RCPT TO command); Exim expands that local part as an Exim string expansion before delivery, so an embedded ${run{...}} expansion item causes the command inside it to be executed as root. (Several advisories, including the NSA advisory referenced below, describe the command as being sent in the "MAIL FROM" field; the Exim security advisory referenced below identifies the recipient address as the injection point.) In Exim's default configuration remote exploitation requires holding the SMTP connection open for days, but several common non-default configurations make it immediate.
When CVE-2019-10149 is successfully exploited, the attacker is able to execute code of their choosing. For example, the victim machine can download and execute a shell script from a domain under the attacker's control, which will attempt to do the following:
- Add privileged users
- Disable network security settings
- Update SSH configurations to enable additional remote access
- Execute an additional script to enable follow-on exploitation

Solution (Recommendations):

Rw-CSIRT strongly recommends that users:
Update their software installations to the latest versions by following the instructions below. The latest product versions are available to end users via one of the following methods:
- Users can update their product installations manually by choosing Help > Check for Updates.
- The products will update automatically, without requiring user intervention, when updates are detected; users are reminded to always restart their devices to apply the updates.
All internet users are also reminded of the following:
- They should not read or reply to emails from unknown senders and should avoid clicking on links contained in those messages.
- They should not download or open attachments sent by an unknown sender.
- They should always carefully verify the sender's email address and the email subject, and if they suspect a phishing attempt, they should immediately inform the IT team.

For system administrators (managed environments):
Rw-CSIRT recommends the following best practices to help safeguard networks against this threat:
- Apply Exim updates immediately by installing version 4.93 or newer (any release from 4.92 onward contains the fix for CVE-2019-10149). Check the running version with the command exim -bV, and continue to check software versions and update as new versions become available.
- Review network security devices protecting Exim mail servers, both to identify prior exploitation and to ensure network-based protection for any Exim servers that are still unpatched.
- Apply least-privilege access models and defense-in-depth strategies. Make sure mail transfer agents are isolated from sensitive internal resources in a demilitarized zone (DMZ).
- Allow MTAs to send outbound traffic only to the ports they need (e.g. TCP 25, 465, 587) and block all other destination ports; the post-exploitation script described above is fetched over an outbound connection, so egress filtering limits what a compromised MTA can do.
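As an added example (not part of the Rw-CSIRT alert or of the NSA advisory it draws on), the following POSIX shell script turns two of the recommendations above into something an administrator can run: it compares the banner printed by exim -bV against the 4.93 threshold the alert names, and it prints an nftables egress policy that lets the MTA reach only the SMTP ports the alert lists (plus DNS, which an MTA needs for MX lookups and which is an addition of this example). The function names, the mta_egress table name and the sample version strings are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the Rw-CSIRT alert: Exim version check and
# MTA egress policy. Function and table names are hypothetical.

MIN_EXIM_VERSION="4.93"   # threshold recommended in the alert

# exim_version_ok "VERSION_LINE"
# VERSION_LINE is the first line printed by `exim -bV`, e.g.
# "Exim version 4.91 #1 built 14-Jun-2018". Returns 0 when the version is at
# or above MIN_EXIM_VERSION, 1 when it is older, 2 when the line is not an
# Exim version banner at all.
exim_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}          # "4.94.2" -> major 4, minor 94
    min_major=${MIN_EXIM_VERSION%%.*}
    min_minor=${MIN_EXIM_VERSION#*.}
    [ "$major" -gt "$min_major" ] && return 0
    [ "$major" -lt "$min_major" ] && return 1
    [ "$minor" -ge "$min_minor" ]
}

# mta_egress_rules
# Prints an nftables ruleset (hypothetical table name mta_egress) that drops
# all outbound traffic from the MTA except DNS and the SMTP ports the alert
# names. Replies to inbound connections are covered by the conntrack rule.
mta_egress_rules() {
    cat <<'EOF'
table inet mta_egress {
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        # DNS: an MTA needs MX lookups (added here; not in the alert's list)
        udp dport 53 accept
        tcp dport 53 accept
        # Outbound mail: the ports the alert names as necessary
        tcp dport { 25, 465, 587 } accept
        # Everything else (e.g. an HTTP fetch of a dropper) is logged and dropped
        log prefix "mta-egress-drop: " drop
    }
}
EOF
}

# Usage (hypothetical):  ./exim-check.sh version
#                        ./exim-check.sh rules | nft -c -f -   (dry run)
#                        ./exim-check.sh rules | nft -f -      (apply)
case "${1:-}" in
    version)
        bin=$(command -v exim4 || command -v exim) || { echo "exim not installed" >&2; exit 2; }
        banner=$("$bin" -bV 2>/dev/null | head -n 1)
        if exim_version_ok "$banner"; then
            echo "OK: $banner"
        else
            echo "UPDATE REQUIRED: $banner" >&2
            exit 1
        fi ;;
    rules)
        mta_egress_rules ;;
esac
```

The version comparison deliberately parses only the numeric prefix, so release candidates such as "4.92-RC1" compare as 4.92. Run the rules through nft -c before applying them: with policy drop on the output chain, a missing DNS or conntrack rule would stop mail delivery outright, which is the wrong kind of failure to discover on a production MTA.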

Affected users should: contact RW-CSIRT: Call 4045 or write to security@risa.gov.rw

References or Vulnerability Details:
https://www.us-cert.gov/ncas/current-activity/2020/05/28/nsa-releases-advisory-sandworm-actors-exploiting-exim
https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf
https://www.exim.org/static/doc/security/CVE-2019-10149.txt