The Qualys Research Team has discovered critical vulnerabilities in the Exim mail server, some of which can be chained together to obtain full unauthenticated remote code execution and gain root privileges. Qualys recommends that every security team managing an Exim mail server apply the patches for these vulnerabilities.
Exim is a popular mail transfer agent available for Unix-based operating systems, and it typically comes pre-installed on Linux distributions such as Debian. According to surveys, an estimated 60% of all internet servers run Exim, and a Shodan search revealed that nearly 4 million Exim servers were online.
Mail transfer agents are an attractive target for attackers because they are typically reachable from the internet, and once exploited they could let adversaries modify sensitive email settings on the mail server and create new accounts on the target mail servers.
Last year, a vulnerability in the Exim mail transfer agent was targeted by Russian cyber actors known as the Sandworm Team.
Russian GRU actors, Sandworm Team, are exploiting a #vulnerability present in unpatched Exim mail transfer agent software.
— NSA/CSS (@NSAGov) May 28, 2020
Returning to the vulnerabilities at hand: on Tuesday, researchers published a study that found 21 unique vulnerabilities in the Exim mail server.
Parag Bajaria, president of cloud and container security solutions at Qualys, had the following to say:
There are many exploits that an attacker can run in the cloud once they have gained root privileges on the VM hosting the Exim server. Depending on where the Exim server is located there’s a further possibility of lateral movement. And if the virtual machine that hosts an Exim server has IAM permissions attached to it, then those permissions can be further exploited for data exfiltration and IAM privilege escalation.
Diving deeper into the Qualys research: attackers can exploit 10 of these vulnerabilities remotely, and some of them can yield root privileges on the remote system. The other 11 can be exploited locally, most of them in the default configuration or in a common configuration.
The researchers had the following to say:
Once exploited, they could modify sensitive email settings on the mail servers, and allow adversaries to create new accounts on the target mail servers. Last year, the vulnerability in the Exim Mail Transfer Agent was a target of Russian cyber actors formally known as the Sandworm Team.
These vulnerabilities illustrate why organizations need to adopt a multi-layered defense strategy.
Vishal Jain, co-founder and chief technology officer at Valtix, had the following to say:
Cloud infrastructure providers don’t guard against remote execution of the customer’s applications. Cloud and security operations teams often bear this responsibility. It’s imperative that enterprises protect applications in the public cloud against inbound threats through best-practice network security across ingress, egress, east-west, and DNS traffic. Network security offers a strong defense for remote execution vulnerabilities, like what you find in the case of Exim.