National Cyber Security Centre
Advisory: Exim mail server vulnerabilities
Hundreds of UK organisations at risk of compromise due to Exim mail server vulnerabilities
In June 2019, the NCSC was made aware of several crypto-jacking/crypto-mining campaigns targeting Exim devices. The actors exploited the CVE-2019-10149 vulnerability to compromise devices globally, allowing an attacker to execute code remotely on the server. Following this, in September 2019 another two critical vulnerabilities were identified, CVE-2019-15846 and CVE-2019-16928, which also allowed remote code execution on a compromised device.
Analysis conducted by the NCSC and industry has identified over 174,000 Exim servers located within the UK which are still vulnerable to compromise. Servers running Exim versions 4.87 to 4.92.2 are affected.
As of June 2019, Exim servers running versions 4.87 to 4.91 were exploitable through CVE-2019-10149, a remote command execution vulnerability. As of 23 August 2019, a Metasploit module was made available that offered a package for exploiting CVE-2019-10149 on vulnerable Exim servers with relative ease. Successful compromise of one of these servers can lead to execution of commands as root.
Exim servers which accept TLS connections are at risk. The CVE-2019-15846 vulnerability allows an attacker to send a malicious Server Name Indication (SNI) during a TLS transfer. This causes a buffer overflow and allows for malicious code injection. This code is then executed as root.
Exim servers running versions 4.92 to 4.92.2 are exploitable through CVE-2019-16928, a heap-based overflow vulnerability which can allow actors either to crash servers or to execute code on them remotely.
Due to the number of Exim devices in the UK that are currently not updated to version 4.92.3, it is likely that many organisations are not proactively keeping up to date with the latest patches, which would ensure their infrastructure is protected from attack.
Although these vulnerabilities have primarily been exploited to carry out crypto-currency mining, it is likely that they could be used for further exploitation of, and lateral movement within, enterprise networks. The NCSC recommends that organisations update Exim to software version 4.92.3 as soon as possible.
Update Exim to a fixed version as soon as you can. Due to the high impact and exploitability of these vulnerabilities, it is imperative you update any vulnerable instances of Exim you have. In general, updated applications have better security built in. If you cannot move off out-of-date platforms and applications straight away, there are short term steps you can take to improve your position. See NCSC guidance.
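To help with the inventory step, the following added example (not part of the NCSC advisory or of the Exim project) takes the version string from `exim -bV` output or an SMTP 220 banner and maps it onto the version ranges stated above. The advisory gives no version range for the SNI overflow, so the script assumes, conservatively, that CVE-2019-15846 applies across the whole 4.87 to 4.92.2 range whenever the server accepts TLS; the sample inputs are constructed.

```python
import re
from typing import List, Optional, Tuple

# Ranges taken from the advisory text above; the fixed release is 4.92.3.
FIXED = (4, 92, 3)
AFFECTED_LOW = (4, 87, 0)
_VERSION_RE = re.compile(r"Exim(?: version)? (\d+)\.(\d+)(?:\.(\d+))?")


def parse_exim_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Pull the version out of `exim -bV` output or an SMTP 220 banner.
    A two-part version such as 4.92 is normalised to (4, 92, 0) so that
    tuple comparison works against 4.92.1 / 4.92.2 / 4.92.3."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    patch = m.group(3) or "0"
    return (int(m.group(1)), int(m.group(2)), int(patch))


def applicable_cves(version: Tuple[int, int, int], accepts_tls: bool) -> List[str]:
    """Map a version onto the three CVEs the advisory describes."""
    cves = []
    if AFFECTED_LOW <= version < (4, 92, 0):
        cves.append("CVE-2019-10149")  # 4.87 to 4.91, remote command execution
    if (4, 92, 0) <= version < FIXED:
        cves.append("CVE-2019-16928")  # 4.92 to 4.92.2, heap-based overflow
    # Assumption: the advisory gives no version range for the SNI overflow,
    # only that TLS-accepting servers are at risk, so flag the whole range.
    if accepts_tls and AFFECTED_LOW <= version < FIXED:
        cves.append("CVE-2019-15846")
    return cves


def assess(text: str, accepts_tls: bool = True) -> dict:
    """Return a small triage record for one server's version string."""
    version = parse_exim_version(text)
    if version is None:
        return {"version": None, "cves": [], "action": "could not determine version"}
    cves = applicable_cves(version, accepts_tls)
    action = "update to Exim 4.92.3 or later" if cves else "no action from this advisory"
    return {"version": ".".join(map(str, version)), "cves": cves, "action": action}


# Constructed sample inputs (not captured from real systems).
SAMPLES = [
    "Exim version 4.91 #1 built 12-Jan-2019 10:00:00",          # exim -bV style
    "220 mx.example.test ESMTP Exim 4.92.2 Mon, 07 Oct 2019",    # SMTP banner style
    "Exim version 4.92.3 #2 built 28-Sep-2019 10:00:00",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(assess(line))
```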