Thousands of Exim Servers Vulnerable to Critical Flaw: Report
RiskIQ Researchers Warn of Two Other Exim Email Server Bugs

Thousands of unpatched Exim email servers are potentially vulnerable to a critical flaw that the U.S. National Security Agency says Russian-backed hackers are attempting to exploit, according to the security firm RiskIQ.
RiskIQ also warns of two other vulnerabilities in Exim that should be patched to guard against nation-state and other attacks.
On May 28, the NSA issued a warning that a Russian-backed hacking group called Sandworm has been targeting Exim, a widely used mail transfer agent on Unix and Linux systems, since at least August 2019. The hackers have been attempting to exploit a vulnerability in how Exim handles the recipients of incoming messages in versions 4.87 to 4.91, tracked as CVE-2019-10149, which allows remote code execution on the victim's mail server, according to the NSA alert (see: NSA: Russian Hackers Targeting Vulnerable Email Servers). In its alert, the NSA said the Sandworm hackers could exploit the vulnerability to install programs, modify data and create new accounts.
Security experts say such an exploit could pave the way for attackers to read email stored within a vulnerable network and to use the compromised servers to launch further attacks.
Vulnerable Servers
When RiskIQ analysts scanned internet-exposed hosts in early May - before the NSA announcement - they found over 900,000 Exim mail servers running older versions of the software that were vulnerable to either the CVE-2019-10149 bug or the other two vulnerabilities in the software, according to the report. Only a minority of those were running the 4.87 to 4.91 releases affected by the bug the NSA highlighted.
And while the number of vulnerable Exim mail servers has likely dropped since RiskIQ did its scans last month, there is still likely a significant number that require patching, says Steve Ginty, head of threat intelligence at RiskIQ.
Ginty notes that the majority of the vulnerable servers were running version 4.92 of the software, and users need to upgrade to version 4.93 to ensure all the flaws are patched. He declined to discuss if any customers had reported suspicious or unusual behavior with their networks tied to the Exim vulnerabilities.
Patches Issued
Exim released a patch in June 2019 to fix the CVE-2019-10149 vulnerability highlighted by the NSA. It released patches for the other two vulnerabilities in September 2019.
All three vulnerabilities could be leveraged by the same Russian hacking group, according to the RiskIQ report, although the NSA only focused on the CVE-2019-10149 flaw.
The other two remote code execution vulnerabilities in Exim are:
- CVE-2019-15846: This vulnerability, which affects Exim versions up to and including 4.92.1, enables attackers who exploit it to run programs on the system with full root privileges.
- CVE-2019-16928: Present in Exim versions 4.92 to 4.92.2, this flaw enables attackers who exploit it to perform denial-of-service or remote code execution attacks.
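The version ranges above are what an exposure scan such as RiskIQ's turns into a count of vulnerable servers: an Exim server announces its version in its SMTP greeting, and that version either falls inside an affected range or it does not. The following script is an added example, not code from the article, RiskIQ, the NSA or the Exim project. It parses Exim greeting banners and maps the reported version onto the three CVEs using the inclusive ranges stated in this article; the banners it runs over are constructed for illustration, and the optional fetch_banner helper, which reads a live greeting from port 25, is an assumption about how a practitioner would collect real input.

```python
import re
import socket
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Affected version ranges as stated in the article (inclusive bounds).
# A lower bound of None means "every earlier release as well".
AFFECTED_RANGES: Dict[str, Tuple[Optional[Version], Version]] = {
    "CVE-2019-10149": ((4, 87), (4, 91)),
    "CVE-2019-15846": (None, (4, 92, 1)),
    "CVE-2019-16928": ((4, 92), (4, 92, 2)),
}

# A default Exim greeting looks like:
#   220 host ESMTP Exim 4.92 Tue, 02 Jun 2020 10:00:00 +0000
_BANNER_RE = re.compile(r"\bExim\s+(\d+(?:\.\d+)*)")


def parse_exim_version(banner: str) -> Optional[Version]:
    """Return the Exim version from an SMTP greeting as a tuple of ints,
    or None if the banner does not identify the server as Exim."""
    match = _BANNER_RE.search(banner)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def affected_cves(version: Version) -> List[str]:
    """List the CVEs whose affected range covers this version.

    Tuples compare lexicographically, so (4, 92) < (4, 92, 1) < (4, 92, 2),
    which matches how Exim numbers its point releases."""
    hits = []
    for cve, (low, high) in AFFECTED_RANGES.items():
        if (low is None or version >= low) and version <= high:
            hits.append(cve)
    return hits


def assess_banner(banner: str) -> Dict[str, object]:
    """Triage one greeting line into a small, JSON-friendly verdict."""
    version = parse_exim_version(banner)
    if version is None:
        return {"exim": False, "version": None, "cves": []}
    return {
        "exim": True,
        "version": ".".join(str(p) for p in version),
        "cves": affected_cves(version),
    }


def fetch_banner(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """Read the first greeting line from a live SMTP server.
    Hypothetical collection helper; not called in the offline demo below."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = sock.recv(512).decode("ascii", errors="replace")
    return data.split("\r\n", 1)[0]


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    SAMPLE_BANNERS = [
        "220 mx1.example.net ESMTP Exim 4.89 Tue, 02 Jun 2020 10:00:00 +0000",
        "220 mail.example.org ESMTP Exim 4.92.2 Tue, 02 Jun 2020 10:00:01 +0000",
        "220 relay.example.com ESMTP Exim 4.93 Tue, 02 Jun 2020 10:00:02 +0000",
        "220 smtp.example.com ESMTP Postfix",
    ]
    for line in SAMPLE_BANNERS:
        verdict = assess_banner(line)
        print(f"{line[:40]:<40} -> {verdict}")
```

Two caveats apply when reading the output as anything more than a triage signal. Exim's smtp_banner option lets an administrator strip the version from the greeting, so a host that does not look like Exim may still be one, and distribution packages routinely backport security fixes without changing the upstream version string, so a "vulnerable" 4.92 banner may already be patched. Confirming exposure therefore still means checking the installed package and its changelog on the host itself.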
While patching remains the key mitigation step, Ginty says that network visibility is also important. "If you can't upgrade immediately, having visibility into your environment - so you know where to monitor more closely - is the best thing for these kinds of activities, but it is not the recommended solution," he says.
Managing Editor Scott Ferguson contributed to this report.