Exim Flaw Puts Hundreds of Thousands of Email Servers at Risk

A serious vulnerability in the widely used Exim software could expose hundreds of thousands of email servers to hacking if left unpatched, researchers warn.

The flaw, tracked as CVE-2018-6789, was fixed in Exim version 4.90.1 released Feb. 10, but detailed technical information about the vulnerability was published this week, increasing the chance of in-the-wild exploitation.

Exim is developed at the University of Cambridge and is the default mail transfer agent in several Linux distributions, including Debian. It is also commonly used alongside popular software packages such as the Mailman mailing list manager and the cPanel web hosting control panel.

According to a recent report, Exim is used on more than 550,000 email servers that are accessible from the internet, or around 57 percent of the total.

The flaw is a one-byte heap buffer overflow in Exim’s base64 decoding function and can be exploited remotely, without authentication, to execute arbitrary code on the server, according to Meh Chang, a researcher with security firm DEVCORE who found the vulnerability.

“This bug exists since the first commit of exim, hence ALL versions are affected,” Chang said in a blog post. “According to our research, it can be leveraged to gain Pre-auth Remote Code Execution and at least 400k servers are at risk.”
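To make the sizing mistake concrete, here is an added example that is not Exim's source or DEVCORE's code. It models the arithmetic described in the public write-up: a decoder that allocates 3*(len/4)+1 bytes for an input of len base64 characters yet still decodes a trailing partial group, so an unpadded input whose length is 4n+3 produces 3n+2 bytes into a 3n+1 byte buffer. The decoder, the capacity functions and the "TWFuTWF" input are all constructed for the illustration; the hardened capacity simply rounds the group count up, and the decode routine refuses to write past the buffer it is given.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Exim's code: models the off-by-one sizing behind
 * CVE-2018-6789 as described publicly (3*(len/4)+1 bytes allocated,
 * 3n+2 bytes produced for an unpadded input of length 4n+3). */

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Bytes a decoder that accepts a trailing partial group emits for
 * len unpadded base64 characters. */
size_t bytes_decoded(size_t len)
{
    size_t n = (len / 4) * 3;
    switch (len % 4) {
    case 2: n += 1; break;   /* 12 bits: one full byte, 4 bits dropped */
    case 3: n += 2; break;   /* 18 bits: two full bytes, 2 bits dropped */
    default: break;          /* 0: whole groups; 1: 6 bits, nothing */
    }
    return n;
}

/* Vulnerable sizing: counts only whole groups, plus one spare byte. */
size_t vulnerable_capacity(size_t len) { return 3 * (len / 4) + 1; }

/* Hardened sizing: round the group count up before multiplying. */
size_t hardened_capacity(size_t len) { return 3 * ((len + 3) / 4) + 1; }

/* First input length in 1..max for which cap() is too small, 0 if none. */
size_t first_overflowing_length(size_t (*cap)(size_t), size_t max)
{
    for (size_t len = 1; len <= max; len++)
        if (cap(len) < bytes_decoded(len)) return len;
    return 0;
}

/* Decode into a caller-supplied buffer of cap bytes. Returns bytes written,
 * or -1 if the input is not base64 or the buffer cannot hold the result;
 * this is the bounds check a 3*(len/4)+1 allocation silently relies on. */
int b64_decode_checked(const char *code, unsigned char *out, size_t cap)
{
    size_t len = strcspn(code, "=");          /* stop at padding */
    if (bytes_decoded(len) > cap) return -1;
    unsigned acc = 0;
    int bits = 0;
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        int v = b64val((unsigned char)code[i]);
        if (v < 0) return -1;
        acc = ((acc << 6) | (unsigned)v) & 0xFFFFFFu;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return (int)n;
}

/* 1 if code decodes, within cap bytes, to exactly expected; otherwise 0. */
int decode_matches(const char *code, size_t cap, const char *expected)
{
    unsigned char buf[64];
    if (cap > sizeof buf) return 0;
    int n = b64_decode_checked(code, buf, cap);
    return n >= 0 && (size_t)n == strlen(expected)
        && memcmp(buf, expected, (size_t)n) == 0;
}

int main(void)
{
    const char *in = "TWFuTWF";       /* constructed input, length 7 = 4*1+3 */
    size_t len = strlen(in);
    unsigned char buf[16];
    printf("len=%zu decodes to %zu bytes; vulnerable cap=%zu, hardened cap=%zu\n",
           len, bytes_decoded(len), vulnerable_capacity(len), hardened_capacity(len));
    printf("vulnerable-sized buffer: %d\n",
           b64_decode_checked(in, buf, vulnerable_capacity(len)));
    printf("hardened-sized buffer:   %d\n",
           b64_decode_checked(in, buf, hardened_capacity(len)));
    printf("first length the vulnerable sizing underestimates: %zu\n",
           first_overflowing_length(vulnerable_capacity, 64));
    return 0;
}
```

The point is that the overflow is never more than one byte, and only for lengths of the form 4n+3, which is why the maintainers initially judged exploitation difficult; the hardened sizing closes that gap for every length, and the explicit check in the decode routine turns any remaining mismatch into a refusal rather than a heap write.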

In a security advisory in February, the Exim maintainers said they believed an exploit to be difficult, but this was before details about the flaw were made public. There is no known mitigation, they warned at the time, so updating the software is the only solution.

No proof-of-concept exploit has been released yet, but Chang’s blog post contains detailed information about the flaw and how to take advantage of it. So, if history is any indication, a public exploit will likely appear soon.

The major Linux distributions have already released updated Exim packages, but when it comes to production server software, patch adoption is usually slow. If you have email servers running Exim that you haven’t yet updated, do so as soon as possible.

NSA Checks Hacked Systems for Signs of Other State-Sponsored Spies

An analysis of the NSA tools leaked last year by a group known as the Shadow Brokers revealed that the agency’s hackers have built detection scripts for malware used by foreign advanced persistent threat (APT) actors.

These detection scripts are deployed on systems that the agency’s hackers compromise themselves and are used to determine if and how to proceed with the operations, news website The Intercept reported.

According to the site, researchers from the Laboratory of Cryptography and System Security (CrySyS Lab) and security firm Ukatemi in Hungary have spent the last year analyzing the indicators of compromise used by the NSA scripts and tied them to suspected state-sponsored hacker groups.

They managed to match the NSA’s detection signatures, which are labeled only as Sig1, Sig2, Sig3 and so on, to malware used by Turla, a Russian-speaking group; Animal Farm, a French-speaking group; Flame, a suspected Israeli operation; Aurora, a Chinese group; Dark Hotel, a group believed to be from South Korea; and several others. In the case of Dark Hotel, the data suggests the NSA knew of the threat long before the security industry publicly documented it in 2014.

Some of the signatures are also for malware tools developed by the NSA itself or by its allies. This is clear from instructions for what operators should do in case some detection signatures are triggered. One such instruction is: “FRIENDLY TOOL – SEE HELP ASAP”. Others include “UNKNOWN – PLEASE PULL BACK” or “DANGEROUS MALWARE – SEEK HELP ASAP.”

The value of knowing that a foreign cyberespionage group is already in control of a targeted system is twofold: It indicates that the system has valuable information, but also serves as a warning to proceed with caution to avoid exposing NSA’s cyber operations or tools.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42