Scores of vulnerable Exim servers on Australian networks

Australian networks continue to host tens of thousands of unpatched Exim installations, despite the mail servers being under active attacks worldwide currently.

Security vendor Qualys warned last week that the popular open source mail server contained a remote command execution flaw introduced with Exim version 4.87 that put millions of installations worldwide at risk.

".... an attacker can execute arbitrary commands with execv(), as root; no memory corruption or ROP (Return-Oriented Programming) is involved," Qualys said in its advisory.

Today, security researcher Amit Serper warned that an attack, possibly by an automated worm, is underway that exploits the vulnerability to gain permanent root access via secure shell (SSH) on Exim servers.

1/n IMPORTANT, THREAD: Someone is actively exploiting vulnerable exim servers. The attackers are using that exim vuln to gain permanent root access via ssh to those exploited servers by using a script that's uploaded to that server through that exploit.

— Amit Serper (@0xAmit) June 13, 2019

The flaw was patched in Exim 4.92 that was released in February this year.

Despite a fixed version being available, a Shodan.io scan by iTnews found almost 45,000 Exim 4.87-4.91 installations on Australian networks, with 30,924 hosts running Exim 4.92.

New Zealand networks likewise contain thousands of Exim installations reporting version numbers below 4.92 in Shodan scans.

Worldwide, over 4.1 million Exim installations run the vulnerable version of the mail server.

The critical Exim bug (CVE-2019-10149) is rated as 9.8 out of 10 on the common vulnerability scoring system 3.0, with a low attack complexity.