Advisory: Exim mail server vulnerabilities

6 Oct 2019 02:42 PM

Hundreds of UK organisations at risk of compromise due to Exim mail server vulnerabilities

In June 2019, the NCSC was made aware of several crypto-jacking/crypto-mining campaigns targeting Exim devices. The actors exploited the CVE-2019-10149 vulnerability to compromise devices globally; the vulnerability allows an attacker to execute code remotely on the server. Following this, in September 2019 another two critical vulnerabilities were identified, CVE-2019-15846 and CVE-2019-16928, which also allow remote code execution on an affected device.

Analysis conducted by the NCSC and industry highlighted that there are over 174,000 devices within the UK which are still vulnerable to compromise.

Details

NCSC and industry analysis has identified over 174,000 Exim servers located within the UK which are still vulnerable to compromise. Servers running Exim versions 4.87 to 4.92.2 are affected.

CVE-2019-10149

As of June 2019, Exim servers running versions 4.87 to 4.91 were exploitable through this remote command execution vulnerability. As of 23 August 2019, a Metasploit module was publicly available that allows Exim servers vulnerable to CVE-2019-10149 to be exploited with relative ease. Successful compromise of one of these servers can lead to execution of commands as root.

CVE-2019-15846

Exim servers which accept TLS connections are at risk. The CVE-2019-15846 vulnerability allows an attacker to send a malicious Server Name Indication (SNI) during a TLS transfer. This causes a buffer overflow and allows malicious code to be injected; that code is then executed as root.

CVE-2019-16928

Exim servers running versions 4.92 to 4.92.2 are exploitable through this heap-based overflow vulnerability which can allow actors to either crash servers or execute remote code on them.

Conclusion

Due to the number of Exim devices in the UK that are currently not updated to version 4.92.3, it is likely that many organisations are not proactively keeping up to date with the latest patches, which would ensure their infrastructure is protected from attack.

Although these vulnerabilities have primarily been exploited to carry out crypto-currency mining, it is likely that they could be used for further exploitation of, and lateral movement within, enterprise networks. The NCSC recommends that organisations update Exim to software version 4.92.3 as soon as possible.

Mitigation

Update Exim to a fixed version as soon as you can. Due to the high impact and exploitability of these vulnerabilities, it is imperative that you update any vulnerable instances of Exim you have. In general, updated applications have better security built in. If you cannot move off out-of-date platforms and applications straight away, there are short-term steps you can take to improve your position. See NCSC guidance.
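The first step in acting on this advisory is knowing which of your Exim hosts sit in the affected range. The following check is an added example, not NCSC tooling: it parses the version printed by `exim -bV` and maps it onto the version ranges stated above (4.87 to 4.91 for CVE-2019-10149, 4.92 to 4.92.2 for CVE-2019-16928, fixed in 4.92.3). The advisory gives no version range for CVE-2019-15846 beyond "accepts TLS connections", so the script assumes it applies to every TLS-enabled server in the overall 4.87 to 4.92.2 range.

```python
"""Map a local Exim version onto the CVEs listed in the NCSC advisory.

Added example, not NCSC's own tooling. Assumes the version is taken from
the output of `exim -bV`, e.g. "Exim version 4.92.2 #1 built 02-Oct-2019".
"""
import re
import subprocess

# Version at which the advisory says all three issues are fixed.
FIXED_VERSION = (4, 92, 3)

# Affected ranges as stated in the advisory (inclusive bounds).
# The CVE-2019-15846 range is an assumption: the advisory only says
# "servers which accept TLS connections", so the overall affected
# range 4.87 - 4.92.2 is used for it.
RANGES = {
    "CVE-2019-10149": ((4, 87, 0), (4, 91, 0)),
    "CVE-2019-15846": ((4, 87, 0), (4, 92, 2)),
    "CVE-2019-16928": ((4, 92, 0), (4, 92, 2)),
}


def parse_version(text):
    """Extract a (major, minor, patch) tuple from `exim -bV` output or '4.92'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no Exim version found in: %r" % text)
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def applicable_cves(version, accepts_tls=True):
    """Return the advisory CVEs whose stated range contains `version`."""
    if version >= FIXED_VERSION:
        return []
    found = []
    for cve, (low, high) in RANGES.items():
        if cve == "CVE-2019-15846" and not accepts_tls:
            continue  # SNI bug is only reachable on TLS-accepting servers
        if low <= version <= high:
            found.append(cve)
    return found


def check_local_exim():
    """Run `exim -bV` on this host; return (version, applicable CVEs)."""
    out = subprocess.run(["exim", "-bV"], capture_output=True,
                         text=True, check=True).stdout
    version = parse_version(out)
    return version, applicable_cves(version)


if __name__ == "__main__":
    ver, cves = check_local_exim()
    status = ", ".join(cves) if cves else "not in the advisory's affected range"
    print("Exim %d.%d.%d: %s" % (ver + (status,)))
```

Run it on each mail host, or feed captured `exim -bV` output to `parse_version` from a central inventory, to produce the list of servers that still need the 4.92.3 update.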

Prevent and detect lateral movement in your organisation’s networks. See NCSC guidance.
