National Cyber Security Centre
Advisory: Exim mail server vulnerabilities
Hundreds of UK organisations at risk of compromise due to Exim mail server vulnerabilities
In June 2019, the NCSC was made aware of several crypto-jacking/crypto-mining campaigns targeting Exim devices. The actors exploited the CVE-2019-10149 vulnerability to compromise devices globally, allowing an attacker to execute code remotely on the server. Following this, in September 2019 another two critical vulnerabilities were identified, CVE-2019-15846 and CVE-2019-16928, which also allow remote code execution on a vulnerable server.
NCSC and industry analysis has identified over 174,000 Exim servers located within the UK which are still vulnerable to compromise. Servers running Exim versions 4.87 to 4.92.2 are affected.
As of June 2019, Exim servers running versions 4.87 to 4.91 were exploitable through CVE-2019-10149, a remote command execution vulnerability. As of 23 August 2019, a Metasploit module was made available that offered a package for exploiting CVE-2019-10149 on vulnerable Exim servers with relative ease. Successful compromise of one of these servers can lead to execution of commands as root.
Exim servers which accept TLS connections are at risk. The CVE-2019-15846 vulnerability allows an attacker to send a malicious Server Name Indication (SNI) during a TLS transfer. This causes a buffer overflow and allows for malicious code injection. This code is then executed as root.
Exim servers running versions 4.92 to 4.92.2 are exploitable through CVE-2019-16928, a heap-based overflow vulnerability which can allow actors to either crash servers or execute remote code on them.
Given the number of Exim devices in the UK that have not yet been updated to version 4.92.3, it is likely that many organisations are not proactively keeping up to date with the latest patches and so are not ensuring their infrastructure is protected from attack.
Although these vulnerabilities have primarily been exploited to carry out crypto-currency mining, it is likely that they could be used for further exploitation of, and lateral movement within, enterprise networks. The NCSC recommends that organisations update Exim to software version 4.92.3 as soon as possible.
Update Exim to a fixed version as soon as you can. Due to the high impact and exploitability of these vulnerabilities, it is imperative you update any vulnerable instances of Exim you have. In general, updated applications have better security built in. If you cannot move off out-of-date platforms and applications straight away, there are short term steps you can take to improve your position. See NCSC guidance.
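The version bands above are what an administrator needs in order to confirm whether a given host is still exposed. The script below is an added example, not NCSC tooling and not part of the advisory: it parses the first line of `exim -bV` output (the real command an administrator runs to print the installed version and its compiled-in features) and maps the version onto the bands the advisory states, 4.87 to 4.92.2 affected overall, 4.87 to 4.91 for CVE-2019-10149, 4.92 to 4.92.2 for CVE-2019-16928, with 4.92.3 as the fixed release. The sample `exim -bV` output embedded in the script is constructed, not captured from a real server, and the `assess` helper and its return fields are this example's own names.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Version bands exactly as stated in the advisory (hypothetical helper, not NCSC tooling).
AFFECTED_BAND: Tuple[Version, Version] = ((4, 87, 0), (4, 92, 2))   # "4.87 to 4.92.2 are affected"
FIXED_VERSION: Version = (4, 92, 3)                                  # "update Exim to ... 4.92.3"
CVE_BANDS = {
    "CVE-2019-10149": ((4, 87, 0), (4, 91, 0)),   # remote command execution, 4.87 to 4.91
    "CVE-2019-16928": ((4, 92, 0), (4, 92, 2)),   # heap-based overflow, 4.92 to 4.92.2
}

# Constructed sample of `exim -bV` output; not captured from a real host.
SAMPLE_EXIM_BV = """Exim version 4.92 #3 built 01-Jan-2020 12:00:00
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2018
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM
Configuration file is /etc/exim4/exim4.conf
"""


def parse_version(bv_output: str) -> Optional[Version]:
    """Extract (major, minor, patch) from the first line of `exim -bV`; "4.92" -> (4, 92, 0)."""
    m = re.search(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", bv_output, re.MULTILINE)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def built_with_tls(bv_output: str) -> bool:
    """`exim -bV` names OpenSSL or GnuTLS on its "Support for:" line when TLS is compiled in."""
    m = re.search(r"^Support for:(.*)$", bv_output, re.MULTILINE)
    return bool(m) and bool(re.search(r"\b(OpenSSL|GnuTLS)\b", m.group(1)))


def in_band(v: Version, band: Tuple[Version, Version]) -> bool:
    lo, hi = band
    return lo <= v <= hi


def assess(bv_output: str) -> Dict[str, object]:
    """Map the installed version onto the advisory's bands and say what to do."""
    v = parse_version(bv_output)
    if v is None:
        return {"version": None, "affected": None, "cves": [], "action": "could not parse version"}
    affected = in_band(v, AFFECTED_BAND)
    cves: List[str] = []
    if in_band(v, CVE_BANDS["CVE-2019-10149"]):
        cves.append("CVE-2019-10149")
    # The advisory ties CVE-2019-15846 to accepting TLS rather than to a narrower version band,
    # so this example flags it for any affected build that has TLS support compiled in.
    if affected and built_with_tls(bv_output):
        cves.append("CVE-2019-15846")
    if in_band(v, CVE_BANDS["CVE-2019-16928"]):
        cves.append("CVE-2019-16928")
    if affected:
        action = "update to %d.%d.%d or later" % FIXED_VERSION
    else:
        action = "not in the affected range stated in the advisory"
    return {"version": v, "affected": affected, "cves": cves, "action": action}


if __name__ == "__main__":
    # To check a live host, replace SAMPLE_EXIM_BV with the output of `exim -bV`, e.g.
    # subprocess.run(["exim", "-bV"], capture_output=True, text=True).stdout
    print(assess(SAMPLE_EXIM_BV))
```

Two caveats when using a check like this in practice: distribution packages frequently backport security fixes under the original upstream version number, so a host reporting 4.92 may already carry the fix and the package changelog is the authoritative record; and TLS support being compiled in is not the same as TLS being enabled in the running configuration, so the CVE-2019-15846 flag is a prompt to inspect the configuration rather than a verdict.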