Sysadmins Scramble to Secure 5M Exim Email Servers

A really-simple-to-exploit vulnerability in Exim needs patching on about 5 million internet-facing servers. If sysadmins don’t patch—and patch fast—they can expect their boxes to be quickly owned.

At its heart, the bug is a failure to correctly escape a special character in the TLS Server Name Indication (SNI). A simple pair of bytes in the SNI allows root access to the server.

The potential consequences are truly frightening. In today’s SB Blogwatch, we .

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: unintended consequences.


Escape FAIL

What’s the craic? Catalin Cimpanu—“Millions of Exim servers vulnerable to root-granting exploit”:

 All Exim servers running version 4.92.1 and before are vulnerable. … Version 4.92.2 was released on Friday … to address the issue.

Exim is a mail transfer agent (MTA), which is software that runs in the background of email servers. … Exim is the most prevalent MTA today, with a [installed base] of over 57%. … Its success can be attributed to the fact that it’s been bundled with a slew of Linux distros, from Debian to Red Hat.

This is the second major Exim vulnerability patched this summer. In June, the Exim team patched … a vulnerability known as “Return of the WIZard,” which also granted attackers the ability to run malicious code with root privileges.

Security experts fully expect that this latest Exim security flaw will also come under active exploitation. … Crafting an exploit is relatively trivial.

‘Relatively trivial’? Yeah, you could say that. Shaun Nichols explains—“Exim marks the spot”:

 The programming blunder can be abused over the network, or internet if the server is public facing, or by logged-in users to completely commandeer vulnerable installations, steal or tamper with data, install spyware, and so on.

[It’s] used in a great many Unix and Linux systems – we’re talking at the very least millions of public-facing servers – to send and receive email. … We’re told that the remote-code execution flaw was accidentally introduced to the code when a project contributor tried to fix an earlier vulnerability.

Yes, but what’s the vuln? Exim’s anonymous gnomes log the issue—“CVE-2019-15846”:

 The vulnerability is exploitable by sending a SNI ending in a backslash-null sequence during the initial TLS handshake. The exploit exists as a POC. … If your Exim server accepts TLS connections, it is vulnerable.

Mitigation: Do not offer TLS. (This mitigation is not recommended.)

You don’t say? The Qualys Security Advisory team evaluate the bug:

 As long as Exim supports and accepts TLS connections, an attacker can send an SNI, and hence reach the problematic string_unprinting() and string_interpret_escape() functions.

Is it possible to send an sni that is written to the spool header file and that ends with the problematic backslash-null-byte sequence? The answer is yes, because of what we believe is another bug, in string_printing(): the sni is written to the spool header file via string_printing(tls_in.sni), which escapes characters with backslash, but does not escape the escaping character itself (backslash), although it definitely should.

This bug is what makes it possible to reach and trigger the bug in string_unprinting() and string_interpret_escape(), with an sni that ends in an unescaped backslash (followed by the terminating null byte). [But] is this exploitable? The answer is, almost certainly, yes (and, because spool_read_header() runs as root, this means remote root).

Wait, what? nineteen999 counts the ways:

 Why is exim running as root at that point? At least that is the question in my mind. Once it has bound to the port it should setuid() or seteuid() to a less privileged UID, unless I’m mistaken. Granted, there will still be the possibility of remote code execution as a non-root user, but at least you’re not handing an attacker root privileges by default.

The deliver program should be a separate process … with some sort of privilege separation scheme perhaps. … Maybe the Exim people don’t feel like it’s worthwhile to rearchitect it, given that there are MTAs with more secure designs/implementations out there already.

I don’t remember the last remote root exploit discovered for Postfix, or even if there ever was one.

Certain distributions might share the blame, according to Sergiu Gatlan—“Critical Exim TLS Flaw”:

 While the default configuration file supplied by Exim’s team does not have TLS enabled by default … some Linux distros distribute Exim with it enabled. … The Shodan search engine for Internet-connected devices estimates the number of servers at roughly 5,250,000 … being visible on the internet and accepting connections.

The only question is not if hackers will start scanning for and attacking unpatched Exim servers but when. Most probably, a new series of attacks will start just as soon as an exploit is available.

And rurban shares the blame around:

 People usually don’t choose it. It’s the usual hosting providers’ mail service of choice, because it’s so easy to configure for thousands of domains and users. Not just cPanel, almost everybody.

But everything’s OK now, right? userbinator reviewed the commits, and doesn’t like what they saw:

 That code reminds me of FizzBuzz and the huge gap in competence it demonstrates—i.e., a surprisingly large number of “programmers” fail to write correct solutions to the simplest of problems. Perhaps “unescape a string” needs to be an interview question with as much attention as FizzBuzz, both because it has a practical application and can show a lot about someone’s skill.

Parsing text is really not an uncommon thing to do in a lot of applications.
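The Qualys analysis above (an escaper that does not escape its own escape character, and an unescaper that then walks into the backslash-null sequence) and userbinator’s point that “unescape a string” is easy to get wrong come down to one property: unescape(escape(x)) must equal x for every x, and the unescaper must refuse a truncated sequence rather than read past the terminator. The C program below is an added illustration written for this post; it is not Exim’s code and not the advisory’s proof of concept. escape_bytes(), unescape_strict(), roundtrips(), the \ooo octal convention and the sample strings are all hypothetical simplifications of what string_printing() and string_unprinting() do in Exim.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical escaper for a text spool line. Non-printable bytes become
 * \ooo (three octal digits). With escape_backslash == 0 an input backslash
 * is copied through untouched (the defect the advisory attributes to
 * string_printing()); with 1 it is written as \\. Returns the output
 * length, or -1 if out is too small. */
static int escape_bytes(const char *in, char *out, size_t outsz, int escape_backslash)
{
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p != '\0'; p++) {
        if (*p < 0x20 || *p >= 0x7f) {
            if (o + 4 >= outsz) return -1;
            snprintf(out + o, outsz - o, "\\%03o", (unsigned)*p);
            o += 4;
        } else if (*p == '\\' && escape_backslash) {
            if (o + 2 >= outsz) return -1;
            out[o++] = '\\';
            out[o++] = '\\';
        } else {
            if (o + 1 >= outsz) return -1;
            out[o++] = (char)*p;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Strict inverse of escape_bytes(..., 1). Every escape sequence must be
 * complete: a backslash immediately followed by the terminating NUL
 * ("backslash-null") is rejected with -1 instead of being consumed, so the
 * loop can never step past the end of the input. */
static int unescape_strict(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (const char *p = in; *p != '\0'; p++) {
        int c = (unsigned char)*p;
        if (c == '\\') {
            p++;                                   /* look at the escaped byte */
            if (*p == '\0') return -1;             /* backslash-null: refuse   */
            if (*p == '\\') {
                c = '\\';
            } else if (p[0] >= '0' && p[0] <= '3' &&
                       p[1] >= '0' && p[1] <= '7' &&
                       p[2] >= '0' && p[2] <= '7') {
                c = ((p[0] - '0') << 6) | ((p[1] - '0') << 3) | (p[2] - '0');
                p += 2;                            /* three digits consumed    */
            } else {
                return -1;                         /* malformed escape         */
            }
        }
        if (o + 1 >= outsz) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* 1 if escape -> unescape reproduces `in` exactly, else 0. */
static int roundtrips(const char *in, int escape_backslash)
{
    char esc[256], back[256];
    if (escape_bytes(in, esc, sizeof esc, escape_backslash) < 0) return 0;
    if (unescape_strict(esc, back, sizeof back) < 0) return 0;
    return strcmp(in, back) == 0;
}

/* 1 if the escaped form of `in` ends in an odd run of backslashes, i.e. a
 * lone backslash right before the NUL: the shape the advisory describes. */
static int escaped_ends_in_lone_backslash(const char *in, int escape_backslash)
{
    char esc[256];
    int n = escape_bytes(in, esc, sizeof esc, escape_backslash), run = 0;
    while (n > 0 && esc[n - 1] == '\\') { run++; n--; }
    return run % 2 == 1;
}

int main(void)
{
    /* Constructed sample values: a plain host name, one ending in '\', and
     * one containing a control byte. */
    const char *samples[] = { "mail.example.test", "mail.example.test\\", "a\001b" };
    for (size_t i = 0; i < 3; i++) {
        char bad[64], good[64];
        escape_bytes(samples[i], bad, sizeof bad, 0);
        escape_bytes(samples[i], good, sizeof good, 1);
        printf("no bs-escape: %-22s roundtrip=%d lone trailing bs=%d\n", bad,
               roundtrips(samples[i], 0), escaped_ends_in_lone_backslash(samples[i], 0));
        printf("   bs-escape: %-22s roundtrip=%d\n", good, roundtrips(samples[i], 1));
    }
    return 0;
}
```

The second sample is the instructive one: without backslash escaping, the stored form ends in a lone backslash, and the strict reader refuses it; with backslash escaping, the same input round-trips cleanly. The input `x\\` shows that the missing escape also silently corrupts data that does not end in a backslash, so the fix is needed in the writer, and the reader’s refusal to consume the terminator is the defensive check that keeps a malformed file from becoming memory corruption.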

Meanwhile, Boris Pixel—@PxlPhile—sounds slightly sarcastic:

 Man, I do am glad I run this old windows IIS instance so this is no concern.

And Finally:

Beware of unintended consequences


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Ervins Strauhmanis (cc:by)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
