Linux Exim Mail Server Exploit
On June 5, vulnerability CVE-2019-10149, nicknamed "Return of the WIZard", was disclosed. Current estimates suggest this vulnerability affects more than 3.5 million Linux Exim mail servers worldwide, and Exim accounts for almost 57% of the Internet's email servers. This vulnerability is a considerable risk to businesses and organizations.
On June 9, reports came in about a wave of attacks on mail servers by one hacker group as they experimented with different approaches to gain access to vulnerable mail servers. In general terms, the hackers sent out a barrage of emails containing malicious code, and servers with the vulnerability would then run that code, allowing the hackers to take over the machine. The type of malicious code and the tactics used varied as they worked to gain access to and leverage the vulnerable servers.
On June 10, another hacker group working to exploit the Exim vulnerability was identified. One of their tactics is to send an email containing code that the Exim server executes when the email is received. The server then downloads and runs a shell script that adds an SSH key to the root account, opening persistent access to the mail server. This group is also using a self-spreading worm that moves to other Exim servers and installs cryptocurrency miners for good measure.
Today, if you own an Exim server, you need to update to version 4.92 as soon as possible. If you're using cPanel, they have released a patch for this exploit; here are the step-by-step, version-specific details. If you have one of Vivio's Fully Managed Website Hosting accounts, our DevOps team has them patched and up-to-date!
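As an added example (not code from the original post or from the Exim project), the following POSIX shell script shows one way an operator can inventory a host: it parses the version line that `exim -bV` prints and reports whether the installed version is older than 4.92, the release the post tells you to update to. The threshold 4.92 comes from the post; the sample `exim -bV` output embedded below is constructed so the script runs offline, and it is used only when no `exim` or `exim4` binary is found on the machine.

```sh
#!/bin/sh
# Added example: check whether the installed Exim reports a version below 4.92.
# The 4.92 threshold is the version the post says to update to.
# SAMPLE_BV is constructed output, used only when no Exim binary is present.

SAMPLE_BV='Exim version 4.91 #1 built 14-Feb-2018 12:00:00
Copyright (c) University of Cambridge, 1995 - 2018
Configuration file is /etc/exim4/exim4.conf'

# exim_version_from_bv: read `exim -bV` output on stdin, print "MAJOR.MINOR".
exim_version_from_bv() {
  sed -n 's/^Exim version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# exim_needs_update VERSION: exit 0 (true) when VERSION is older than 4.92.
# Handles "4.91", "4.92" and longer strings such as "4.91.1" or "5.0".
exim_needs_update() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  if [ "$major" -lt 4 ]; then
    return 0
  elif [ "$major" -eq 4 ] && [ "$minor" -lt 92 ]; then
    return 0
  fi
  return 1
}

# check_exim: report on the local Exim (or the constructed sample) and
# exit 0 when it is at or above 4.92, 2 when it needs updating.
check_exim() {
  if command -v exim >/dev/null 2>&1; then
    bv=$(exim -bV 2>/dev/null || true)
  elif command -v exim4 >/dev/null 2>&1; then
    bv=$(exim4 -bV 2>/dev/null || true)
  else
    echo "no exim binary found; using constructed sample output" >&2
    bv=$SAMPLE_BV
  fi
  ver=$(printf '%s\n' "$bv" | exim_version_from_bv)
  if [ -z "$ver" ]; then
    echo "could not parse an Exim version line" >&2
    return 3
  fi
  if exim_needs_update "$ver"; then
    echo "Exim $ver is older than 4.92: update required"
    return 2
  fi
  echo "Exim $ver is at or above 4.92"
  return 0
}

check_exim || true
```

The script only compares the upstream version number; a distribution package that backports the fix while still reporting 4.91 will be flagged as needing an update, so confirm against your vendor's advisory before acting on the result.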
CVE-2019-10149 Detail. Retrieved on June 14, 2019 from https://nvd.nist.gov/vuln/detail/CVE-2019-10149
New Pervasive Worm Exploiting Linux Exim Server Vulnerability. (2019, June 13). Retrieved from https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability
Cimpanu, Catalin. (2019, June 13). Exim email servers are now under attack. Retrieved from https://www.zdnet.com/article/exim-email-servers-are-now-under-attack/
Vasquez, Benny. (2019, June 6). Exim CVE-2019-10149, how to protect yourself. Retrieved June 14, 2019 from https://blog.cpanel.com/exim-cve-2019-10149-protect-yourself//