More Than 4.5M Exim Instances Vulnerable to Remote Code Execution Attacks
One of the most popular email servers disclosed a severe security bug today that warrants investigation. Exim, a message transfer agent (MTA), works in the background of email services to transfer email messages from one computer to another. Readers may be more familiar with sendmail, another popular MTA, which works in the same way as Exim. Exim is used on more than half of the mail servers on the Internet, according to a recent survey.
The official Exim advisory for CVE-2019-15846 notes that “all versions up to and including 4.92.1” are affected by this vulnerability. We searched our data to better understand the scope of this issue and found around 4.5M Exim instances, running on around 2M IPs, that are affected. All of these instances would need to be patched or taken offline to fully mitigate this issue. We’ll walk through how we found those affected servers a bit further into this post.
ZDNet wrote an article about this issue, crediting the discovery of the vulnerability to a security researcher named Zerons back in July. The article also notes that Exim was hit with another vulnerability this past June, which required users to upgrade their servers to the latest version. The advice for this latest vulnerability is the same: Upgrade to the latest version of Exim. There’s an alternative solution at the end of this post, where we provide more mitigation details.
The CVE technical details are available here.
What’s the risk?
This particular vulnerability allows attackers to run malicious code with root privileges on the mail server, which makes it a remote code execution (RCE) flaw. Since this level of access carries a massive risk and is likely to be exploited in short order, it was scored 9.8 out of 10 (critical) on the CVSS scale.
Exim pointed out that a proof of concept of an attack does exist for this vulnerability, but won’t disclose details for obvious security reasons. For users, this means there’s quite a lot of urgency around mitigating the issue as soon as possible, as it’s just a matter of time before exploits are available and shared.
Searching Censys for affected servers
We searched the entire Internet to find all exposed Exim servers affected by this vulnerability. Specifically, we hunted for any servers running version 4.92.1 or earlier versions, which are affected by the CVE. Here’s the search within our web search UI:
How do I find if I have any affected servers?
You can do a manual search within our data to discover vulnerable Exim servers in use in your organization by adding your domain name, your certificates, or your organization name to the global search.
Appending those searches to your query will help you find the hosts you own that need to be updated. Some examples:
(587.smtp.starttls.banner: exim OR 465.smtp.tls.banner: exim) AND (587.smtp.starttls.tls.certificate.parsed.names: YOURDOMAIN OR 465.smtp.tls.tls.certificate.parsed.names: YOURDOMAIN)
(587.smtp.starttls.banner: exim OR 465.smtp.tls.banner: exim) AND ip: X.X.X.X
(587.smtp.starttls.banner: exim OR 465.smtp.tls.banner: exim) AND YOURCERTIFICATEHASH
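Once Censys (or your own scan of hosts you own) hands you the SMTP greeting of each server, the version check itself can be automated. The following is an added example, not Censys code and not part of the original post; it assumes Exim's default greeting format and runs over constructed banners for made-up hosts:

```python
import re
from typing import Dict, Optional, Tuple

# Highest release listed as affected in the Exim advisory for CVE-2019-15846.
LAST_AFFECTED = (4, 92, 1)

# Exim's default SMTP greeting looks like
#   220 mx.example.test ESMTP Exim 4.92.1 Fri, 06 Sep 2019 10:00:00 +0000
# so the version can be read straight out of the banner.
_EXIM_VERSION = re.compile(r"\bExim\s+(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)


def exim_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an Exim banner, or None if it is not Exim."""
    m = _EXIM_VERSION.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(banner: str) -> Optional[bool]:
    """True if the banner advertises Exim <= 4.92.1, False if newer, None if not Exim.

    Caveat: distributions that backport the fix keep the old version string,
    so a hit here means "check this host", not "this host is exploitable".
    """
    version = exim_version(banner)
    return None if version is None else version <= LAST_AFFECTED


def triage(banners: Dict[str, str]) -> Dict[str, str]:
    """Label each host 'affected', 'fixed' or 'not-exim' for a quick inventory."""
    labels = {None: "not-exim", True: "affected", False: "fixed"}
    return {host: labels[is_affected(banner)] for host, banner in banners.items()}


# Constructed sample banners; the hosts and addresses are made up.
SAMPLE_BANNERS = {
    "10.0.0.1": "220 mx1.example.test ESMTP Exim 4.92.1 Fri, 06 Sep 2019 10:00:00 +0000",
    "10.0.0.2": "220 mx2.example.test ESMTP Exim 4.92.2 Fri, 06 Sep 2019 10:01:00 +0000",
    "10.0.0.3": "220 mx3.example.test ESMTP Exim 4.89 Fri, 06 Sep 2019 10:02:00 +0000",
    "10.0.0.4": "220 mx4.example.test ESMTP Postfix",
}

if __name__ == "__main__":
    for host, label in triage(SAMPLE_BANNERS).items():
        print(f"{host}: {label}")
```

A banner that advertises an affected version is a prompt to verify the installed package on that host, since a backported fix does not change the version string.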
The easier option would be to turn to our new SaaS platform, which will automatically find and alert you about vulnerabilities like this one within your attack surface. Sign up for a demo today to see how we can help!
What’s the fix?
The advice for this latest vulnerability is the same: Upgrade to the latest version of Exim. Readers are strongly encouraged to read the official Exim advisory for more mitigation information, but here are a few snippets.
There’s some discussion of an alternate fix, which is to disable TLS, but it's not recommended.
The advisory also notes:
"If you can't install the above versions, ask your package maintainer for a version containing the backported fix. On request and depending on our resources we will support you in backporting the fix. (Please note, the Exim project officially doesn't support versions prior to the current stable version.)"