Linux Servers Under Worm Attack Via Exim Flaw | AT&T ThreatTraq

Every week the AT&T Chief Security Office produces a series called ThreatTraq with helpful information and news commentary for InfoSec practitioners and researchers. I really enjoy them; you can subscribe to the YouTube channel to stay updated. This is a transcript of a recent feature on ThreatTraq. The video features Michael Stair, Lead Member of Technical Staff, AT&T, Matt Keyser, Principal Member of Technical Staff, and Manny Ortiz, Director Technology Security, AT&T.

Michael: A flaw in Exim is leaving millions of Linux servers vulnerable.

Matt: Hey, Mike. I heard there was a pretty serious flaw affecting Exim email servers. What can you tell us about it?

Michael: Yes, attackers are exploiting a pretty critical flaw in the popular Linux Exim mail transport agents, MTA, allowing for remote command execution. Exim is an SMTP mail relay. It's pretty popular, and runs a large percentage of internet mail servers. It's the default MTA on some Linux systems. From a recent Shodan scan, it could affect up to three-and-a-half million vulnerable servers.

The bug itself was tracked down to improper validation in some of the recipient addresses. One of the functions was given a 9.8 out of 10 on the CVSS v3 scale. It affects versions 4.87 to 4.98, but I think the latest version 4.92 is unaffected.

Matt: So it's a big bug. And it is a remote code execution (RCE) bug, which is one of the most critical types you could possibly have.

Michael: They do have patches out. They're porting patches to all versions, back to 4.87, if you're using an older version. So just make sure you're patching and making sure you're up to date with the most recent version because it's a pretty serious issue.

Matt: It sounds like it's something you could just address the email to somebody and you just drop an exploit in there and it's remote code execution?

Michael: Yeah, it seems like it's pretty simple to exploit. And there's actually a worm that's exploiting this and finding new systems.

Matt: Wow.

Manny: From what I understand, you can actually put a command that eventually the server will run, but from what I understand, the server may take seven days before it actually activates the exploit. It appears there's some sort of timeout that happens after seven days when the email is determined to have an invalid mail address, and then the server runs the actual command.

Michael: Right.

Matt: But that means I could hand-type the exploit code. Is that roughly correct or is it something you'd have to craft or a little more difficult to do?

Manny: Right. The example I saw was just a simple command where it went and did a get to an actual external IP address.

Matt: So you're getting a shell.

Manny: Yes. Or you can have the box basically go run some code offline or off net, so it basically gives you an open command line to run whatever you want on the box.

Matt: So it's totally possible that your box has been exploited and you won't know for seven days?

Manny: Exactly. 

Michael: Exactly.

Matt: That's a scary thought, right?

Manny: The sky is the limit when it comes to a bad actor that wants to take advantage of this vulnerability. They can come up with anything they want to. If they want to mine cryptocurrency, they can. If they want to set the server up to do DDoS attacks, they can. I think, Mike, you said that there is a patch for it, right?

Michael: Yes. They patched every vulnerable version. They're recommending that everybody go out and install that patch. I also saw Microsoft issued a couple other advisories themselves, specifically for Azure because they're seeing this activity and they're recommending if you have an Azure-based workload running the affected version, that you should patch those.

Matt: All right.

Manny: It was an interesting one. If you're a server admin, I'm assuming there's a way for you to do a lookup. I didn't look at the actual crafting of the recipient address, but I'm assuming there's some way for you to do a search through your mail server to figure out whether you've got one of these things sitting in state.

Matt: Right, somewhere in the queue, it's still trying to validate the recipient.

Manny: Right.

Matt: Yeah, I wonder.

Manny: There's got to be some way. If there isn't today, I'm sure somebody's going to develop a way to run that search across your mail server to figure this out. 

Matt: You don't want to reboot your mail servers. No one really wants to have to shut everything down and patch, because they want to maintain their uptime metrics. Maybe there's a temporary fix or some sort of response you can do in the meantime until you can schedule that maintenance window.

Manny: Yes.

Matt: With the amount of email that's being sent on the internet any given day, nothing prevents people from trying over and over again until it happens. So either you catch all of it successfully or you don't, but really, the best thing to do at this point is still to patch.
