400 thousand servers may be subject to RCE attacks due to vulnerability in Exim mail agent



A serious vulnerability has been discovered in the popular Exim mail transfer agent that allows attackers to execute code remotely. The problem was discovered by researchers at Devcore Security Consulting, who estimated that a vulnerable version of Exim is running on approximately 400,000 servers around the world.

What is the problem


CVE-2018-6789 affects all versions of Exim except 4.90.1. The bug is in the base64 decoding function and causes a buffer overflow. As a result, by sending specially crafted requests to a server running Exim, attackers can remotely execute code.

The researchers managed to create a working exploit. According to their estimates, approximately 400 thousand servers around the world are vulnerable; the Shodan search engine was also used for this assessment.

How to protect yourself


Exim developers have released a security bulletin stating that it is difficult to assess the severity of the vulnerability at the moment: “We believe that it is not easy to exploit.” The error was fixed in Exim version 4.90.1, and all users are advised to install it as soon as possible.
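As an added example (not from the article or the Exim project), the Python sketch below reads Exim version strings from SMTP greeting banners or `exim -bV` output and flags anything older than the fixed release 4.90.1. The host names and banners are constructed sample data; because distribution packages can carry a backported fix under an older version number, a flagged host is marked for review rather than declared vulnerable.

```python
import re

# First release containing the fix, as stated in the article.
FIXED = (4, 90, 1)

# Matches "Exim 4.89", "Exim version 4.90_1" and "Exim 4.90.1".
# Exim's own output writes patch releases with an underscore (4.90_1).
_VERSION_RE = re.compile(r"\bExim(?:\s+version)?\s+(\d+)\.(\d+)(?:[._](\d+))?")


def parse_exim_version(text):
    """Return (major, minor, patch) from a banner or `exim -bV` line, else None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def classify(text):
    """'fixed', 'needs-review' (older than 4.90.1) or 'unknown' (no Exim version)."""
    version = parse_exim_version(text)
    if version is None:
        return "unknown"
    # Tuple comparison avoids the string-compare trap ("4.9" > "4.89").
    return "fixed" if version >= FIXED else "needs-review"


def audit(banners):
    """Map host -> status for a dict of host -> banner text."""
    return {host: classify(banner) for host, banner in banners.items()}


# Constructed sample input: banners as collected by an inventory scan.
SAMPLE = {
    "mx1.example.test": "220 mx1.example.test ESMTP Exim 4.89 Tue, 06 Mar 2018 10:00:00 +0000",
    "mx2.example.test": "220 mx2.example.test ESMTP Exim 4.90_1 Tue, 06 Mar 2018 10:00:01 +0000",
    "mx3.example.test": "Exim version 4.90 #2 built 20-Dec-2017 12:00:00",
    "mx4.example.test": "220 mx4.example.test ESMTP ready",  # version hidden
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host:20} {status}")
```

Hosts reported as `needs-review` should be checked against the package changelog for the CVE-2018-6789 fix, and `unknown` hosts need a local check because a hidden banner says nothing about the installed version.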

In addition, Positive Technologies experts created a signature for the Suricata IDS that lets you detect and prevent attempts to exploit CVE-2018-6789; you can use it by uploading the signature to our PT Network Attack Discovery system:


P.S. On May 15-16, the international forum on practical information security Positive Hack Days 8 will take place in Moscow. Applications are currently being accepted through the Call For Papers. The topics are listed on a dedicated page; send your submissions to cfp@phdays.com.