Millions of Linux Servers Under Worm Attack Via Exim Flaw

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,176
A widespread campaign is exploiting a vulnerability in the Exim mail transport agent (MTA) to gain remote command execution on victims’ Linux systems. Researchers say that currently more than 3.5 million servers are at risk from the attacks, which are using a wormable exploit.
Specifically under attack is a flaw in Exim-based mail servers, which run almost 57 percent of the internet’s email servers. Attackers are exploiting the flaw, discovered last week, to take control of the victim machines, search the internet for other machines to infect, and to initiate a cryptominer infection.

“These kinds of attacks have big implications for organizations,” said researchers with Cybereason in a post on Thursday. “The recovery process from this type of attack is costly and time-consuming.”
Exim mail servers are open-source MTAs, which essentially receive, route and deliver email messages from local users and remote hosts. Exim is the default MTA included on some Linux systems.

The flaw stems from improper validation of the recipient address in the deliver_message() function in the server.
The vulnerability (CVE-2019-10149), which has a critical severity score of 9.8 out of 10 on the CVSS v3 scale, was discovered on June 5 in Exim versions 4.87 to 4.91. Exim version 4.92 is not vulnerable.
“A patch exists already, is being tested, and backported to all versions we released since (and including) 4.87,” according to a recent security advisory. “The severity depends on your configuration. It depends on how close to the standard configuration your Exim runtime configuration is. The closer the better.”
 

silversurfer
In an advisory, Microsoft said that Azure customers using the vulnerable software (Azure customers running virtual machines that use Exim version 4.87 to 4.91) are susceptible to the attack. Exim version 4.92 is not vulnerable.

“Customers using Azure virtual machines (VMs) are responsible for updating the operating systems running on their VMs,” said JR Aquino, manager for Azure Incident Response at Microsoft Security Response Center, in an advisory posted over the weekend. “As this vulnerability is being actively exploited by worm activity, [Microsoft] urges customers to observe Azure security best practices and patterns and to patch or restrict network access to VMs running the affected versions of Exim.”
 
