Exim, a mail transfer agent used on Unix-like operating systems, has announced that their email server package for Unix and Linux platforms is highly vulnerable to complete takeover.
The Australian Cyber Security Centre (ACSC) released a high alert for these vulnerabilities, but as yet they are not aware of the vulnerabilities being actively exploited “in the wild” against production platforms. However, the Qualys website has published evidence that they have successfully exploited 4 LPEs (Local Privilege Escalations) and 3 RCEs (Remote Code Executions).
The ACSC notes that many organisations in Australia are using the Exim email server software.
The notice from Exim provides some upgrade instructions for distributions and self-compiled releases of the email server software.
The vulnerabilities were discovered in October 2020 and are known to be in the latest version of Exim, and also suspected to be in most previous versions.
Exim notes that there are potential problems with the upgrades, with new security features in the upgrade package version 4.94.2. Organisations running version 4.92.3 are instructed to attempt to use backported patches for version exim-4.92.3+fixes.
With the wider notifications and release of example exploit code, cybercriminals are more likely to develop and deploy exploits for these vulnerabilities to steal emails and deliver malware, including ransomware, through the newly compromised Exim email servers.
Organisations are urged to patch any Exim email servers that they are using, and as the exploits enable local and remote superuser (root) escalation, to look for signs of compromise in their Linux or Unix systems (login times, unusual processes, etc).
Contact us at Agilient for assistance with patching and ensuring your organisaton is as secure as possible.
Author: David Steele, Agilient Consultant