Developers of the widely used Exim message transfer agent are advising administrators to disable a feature on their email servers to protect them from a critical remote execution exploit that has been publicly disclosed.
Developed at the University of Cambridge, Exim is the default email server daemon in some Linux distributions and is also commonly used with other popular software packages including Mailman or cPanel. According to a March study, Exim accounted for more than half of all publicly accessible email servers on the internet, powering more than 550,000 servers.
The flaw, tracked as CVE-2017-16943, is a use-after-free memory issue that can allow remote attackers to execute arbitrary code on affected servers. It affects the ESMTP CHUNKING extension, which was added in Exim 4.88, released December 2016.
The vulnerability will be fixed, along with a separate denial-of-service issue, in the upcoming Exim 4.90, which is currently in release candidate stage. However, until that version is released, email server administrators are advised to disable the chunking feature by adding the line “chunking_advertise_hosts =” with an empty value to their Exim configurations.
“This disables advertising the ESMTP CHUNKING extension, making the BDAT verb unavailable and avoids letting an attacker apply the logic,” Exim maintainer Phil Pennock said in an announcement on the Exim mailing list Saturday. “This should be a complete workaround. Impact of applying the workaround is that mail senders have to stick to the traditional DATA verb instead of using BDAT.”
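After applying the workaround, an administrator will want to confirm that the server no longer advertises CHUNKING in its EHLO reply. The following script is an added example written for this article, not code from the Exim project: it parses an EHLO reply into the set of advertised ESMTP keywords and reports whether CHUNKING is among them. The two sample replies are constructed, and the optional live check (plaintext SMTP on port 25 with a hypothetical helo name) is meant for a server you administer.

```python
import socket

# Constructed sample EHLO replies (not captured from a real server):
# one with CHUNKING advertised, one after the workaround has been applied.
EHLO_BEFORE = (
    "250-mail.example.test Hello client [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-CHUNKING\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
EHLO_AFTER = (
    "250-mail.example.test Hello client [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)


def parse_ehlo_extensions(response):
    """Return the set of ESMTP keywords advertised in an EHLO reply.

    Per RFC 5321 every line starts with "250" followed by "-" (more lines
    follow) or " " (last line). The first line is the greeting; each later
    line is an ehlo-keyword optionally followed by parameters.
    """
    lines = [ln for ln in response.replace("\r\n", "\n").split("\n") if ln]
    extensions = set()
    for line in lines[1:]:
        if not line.startswith("250") or len(line) < 4:
            continue  # tolerate stray lines; error replies are out of scope here
        keyword = line[4:].split(" ", 1)[0]
        if keyword:
            extensions.add(keyword.upper())
    return extensions


def chunking_advertised(response):
    """True if the reply advertises the CHUNKING extension (BDAT usable)."""
    return "CHUNKING" in parse_ehlo_extensions(response)


def _read_reply(f):
    """Read one (possibly multi-line) SMTP reply; the last line has a space
    after the three-digit code instead of a hyphen."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            break
        line = raw.decode("utf-8", "replace")
        lines.append(line)
        if len(line) >= 4 and line[3] == " ":
            break
    return "".join(lines)


def live_check(host, port=25, helo_name="check.example.test", timeout=10):
    """Connect to an SMTP server you administer, send EHLO and report whether
    CHUNKING is advertised. Plaintext only; STARTTLS is not negotiated."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        _read_reply(f)  # discard the 220 banner
        s.sendall(("EHLO %s\r\n" % helo_name).encode())
        reply = _read_reply(f)
        s.sendall(b"QUIT\r\n")
    return chunking_advertised(reply)


if __name__ == "__main__":
    for label, reply in (("before workaround", EHLO_BEFORE),
                         ("after workaround", EHLO_AFTER)):
        print(label, "-> CHUNKING advertised:", chunking_advertised(reply))
```

A server that still returns a `250-CHUNKING` line after the configuration change has not picked up the new setting (typically it was not reloaded), so the check is worth repeating after the reload rather than only after editing the file.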
A patch has also been committed to the code repository and is available for package maintainers, some of whom have already integrated it into the Exim packages shipped with major Linux distributions. The Exim developers haven’t yet had time to push out a new version themselves; the flaw was reported to the project’s public bug tracker on Thanksgiving Day and came with a proof-of-concept exploit.
Since the vulnerability and exploit are public, attackers are likely to try to use them to compromise servers. Therefore, applying the workaround or obtaining an updated package from your distribution is urgent.
New Mirai IoT Botnet Variant Leverages Recent Exploit
Researchers from Qihoo 360 Netlab have spotted a new variant of the Mirai worm that enslaves routers and other network devices by authenticating with default credentials.
Mirai was once the largest IoT botnet on the internet and was used to launch some of the biggest distributed denial-of-service attacks ever recorded. Since its source code was released a year ago, various cybercriminals have used the malware to create smaller competing botnets.
The new version spotted by Qihoo attempts to connect to devices via Telnet on ports 23 and 2323 and tries to log in with two new sets of credentials that haven’t been seen before in Mirai: admin/CentryL1nk and admin/QwestM0dem. This suggests that it targets devices deployed by U.S. telecommunications companies CenturyLink and Qwest, which merged with CenturyLink in 2011.
The admin/CentryL1nk credentials were disclosed last month in an exploit for the ZyXEL PK5001Z modem that also includes a hard-coded password for the root account.
It seems that this new Mirai variant has compromised a number of devices in Argentina; the Qihoo researchers detected scans from around 100,000 IP addresses in that country.
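Scanning of this kind shows up at a network edge as a surge of inbound TCP connection attempts to ports 23 and 2323. The script below is an added example, not part of the Qihoo research or the article: it runs over constructed iptables-style kernel log lines (addresses from the documentation ranges) and reports two things a defender would look for, the number of distinct sources probing Telnet ports and any single source that touched several Telnet targets. The log format, threshold and field names are assumptions chosen for the example.

```python
import re
from collections import defaultdict

TELNET_PORTS = {23, 2323}

# Constructed iptables-style log lines (not real traffic). One source sweeps
# four hosts on 23/2323, one host probes SSH only, one retries a single target.
SAMPLE_LOG = """\
Nov 27 10:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=23 SYN
Nov 27 10:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.8 PROTO=TCP SPT=51235 DPT=2323 SYN
Nov 27 10:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.9 PROTO=TCP SPT=51236 DPT=23 SYN
Nov 27 10:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=51237 DPT=23 SYN
Nov 27 10:00:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=198.51.100.7 PROTO=TCP SPT=40000 DPT=22 SYN
Nov 27 10:00:04 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=23 SYN
Nov 27 10:00:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.7 PROTO=TCP SPT=40002 DPT=23 SYN
"""

# Pull the fields we need out of a netfilter LOG line; other fields are ignored.
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) "
    r"SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_lines(text):
    """Yield (src, dst, proto, dport) for every line that matches the format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dpt"))


def telnet_events(text):
    """Only TCP attempts against the Telnet ports used by this Mirai variant."""
    return [(src, dst) for src, dst, proto, dpt in parse_lines(text)
            if proto == "TCP" and dpt in TELNET_PORTS]


def telnet_source_count(text):
    """Distinct source addresses probing 23/2323: a jump in this number is the
    edge-side view of a botnet scanning campaign."""
    return len({src for src, _ in telnet_events(text)})


def telnet_scanners(text, min_targets=3):
    """Sources that hit Telnet ports on at least min_targets distinct hosts
    (a horizontal sweep), mapped to the sorted list of targets."""
    targets = defaultdict(set)
    for src, dst in telnet_events(text):
        targets[src].add(dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    print("distinct sources probing Telnet ports:", telnet_source_count(SAMPLE_LOG))
    for src, dsts in telnet_scanners(SAMPLE_LOG).items():
        print("sweep from", src, "->", ", ".join(dsts))
```

On a real gateway the same logic applies to whatever produces the connection log (netfilter LOG/NFLOG, a firewall's syslog feed, or flow records); only `LINE_RE` changes. The threshold of three targets is arbitrary for the sample; in practice it is set against the normal baseline of inbound Telnet attempts, which for most networks should be close to zero.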
The incident highlights the ongoing problem of hard-coded credentials in embedded devices, especially in modems and routers supplied by ISPs to their customers. What’s worse is that many of these devices are configured for remote management by default so that ISPs can provide technical support and, in most cases, users don’t have the administrative privileges needed to disable this functionality.
Hard-coded credentials have been found over the years in many enterprise networking devices as well, and even in security appliances. It’s very important for companies to make sure that these devices are not exposed directly to the internet, that they sit behind firewalls, and that any remote administration is done over VPN.