Exim Vulnerability Exploited In the Wild a Week After Discovery

Marina Kidron Jun 18, 2019

An Exim vulnerability (CVE-2019-10149) has been exploited in the wild by a worm, just one week after the flaw in the popular Linux-based mail transfer agent (MTA) was published. Microsoft’s Azure is among the products affected by the worm. Although the tech giant has been quick to assert that the Azure infrastructure “has controls in place to help limit the spread of the worm,” customers could still be infected.

  • What Does the Exim Vulnerability Do?

Exim is an MTA: software that relays emails between senders and recipients. As a result, it is most commonly exposed to the public network, allowing attackers to take full advantage of the vulnerability. The Exim vulnerability allows attackers to remotely execute code, enabling them to take control of unpatched systems. Because the exploit is delivered by a worm, it doesn’t require user interaction, making it clear why the vulnerability has been rated as ‘critical’.

Azure is far from the only platform affected. According to Shodan, there are over 3.5 million vulnerable servers worldwide, meaning millions of “sitting ducks” until patches are deployed.

  • What Should Skybox Customers Do?

If you know that this vulnerability exists within your environment and you haven’t already applied the patch, you should make it a top priority. You can either update the Exim server version directly or apply the relevant Linux patch: ALAS-2019-122, DSA-4456-1, GLSA-201906-01 or USN-4010-1.

Skybox’s Vulnerability Detector for Linux (using RedHat Satellite or other CMDBs) can help to detect which servers are running the vulnerable version of Exim. This, combined with Skybox’s visibility of where devices sit in your network, will give you a firm understanding about which servers are directly exposed so that you’re able to prioritize patching accordingly.

There is some good news if you’re running Red Hat Enterprise Linux 5: the company has marked it as being unaffected. This won’t be the case in a lot of other instances; it’s critical that you err on the side of caution and stay vigilant if you want to ensure that your organization remains safe.

Marina Kidron is Skybox Security's director of threat intelligence and leader of the Skybox Research Lab, a dedicated team of analysts who daily scour dozens of security feeds and sources and investigate sites in the dark web. Kidron has more than 10 years of experience in business and statistical data analysis, data modeling and algorithm development for information technology, mobile and internet companies and financial services companies. She earned a Master's degree in Political Marketing and a Bachelor's degree in Computer Science and Mathematics.
