Exim vulnerability lets attackers run commands as root on remote email servers.

In a security alert shared with ZDNet earlier today, Qualys, a cyber-security firm specialized in cloud security and compliance, said it found a very dangerous vulnerability in Exim installations running versions 4.87 to 4.91.

The vulnerability is described as a remote command execution -- different, but just as dangerous as a remote code execution flaw -- that lets a local or remote attacker run commands on the Exim server as root.

Qualys said the vulnerability can be exploited instantly by a local attacker who has a presence on an email server, even with a low-privileged account.

But the real danger comes from remote hackers exploiting the vulnerability, who can scan the internet for vulnerable servers, and take over systems.

"To remotely exploit this vulnerability in the default configuration, an attacker must keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes)," researchers said.

"However, because of the extreme complexity of Exim's code, we cannot guarantee that this exploitation method is unique; faster methods may exist."

https://www.zdnet.com/article/new-rce-vulnerability-impacts-nearly-half-of-the-internets-email-servers/

https://it.slashdot.org/story/19/06/06/0046234/new-rce-vulnerability-impacts-nearly-half-of-the-internets-email-servers

Thanked by 1NerdUno

Comments

  • My server is compromised, I can't even access the IP from PuTTY for SSH. How can I back up the server?

  • uptime Member

    bdspice said: How can I back up the server?

    Not to rub it in too much, but ... backups are something you make before you need them, right?

    That said, if you have console access, you should be able to log in in single-user mode and reset the password, then copy over whatever data you need and reinstall your system.

    Thanked by 1bdspice
  • jsg Member, Resident Benchmarker
    edited June 2019

    @bdspice said:
    My server is compromised, I can't even access the IP from PuTTY for SSH. How can I back up the server?

    Actually I doubt that you even really want to do that because you seriously should not trust anything on a compromised server.

    But if you really, really want to do it anyway, @uptime opened the door for you. And do yourself a favour: Burn his first sentence into your brain and never forget it.

    Thanked by 2uptime bdspice
  • AnthonySmith Member, Patron Provider

    datanoise said: "To remotely exploit this vulnerability in the default configuration, an attacker must keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes)," researchers said.

    Well, that may explain why 185.137.111.0/24 was hitting port 25 on all of my ranges for days with just a tiny bit of data every now and then.

    Good chance someone is using that range to target just this, so it's a good idea to blackhole it on your networks; they have already been blacklisted by Spamhaus for similar stuff.

    Thanked by 2uptime AlwaysSkint
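    The seven-day trickle described in the researchers' quote in the opening post, and the slow port-25 connections AnthonySmith reports above, share one defender-side signature: an SMTP session held open for days while carrying almost no data. The Python below is an added example, not code from this thread or from Exim; it assumes a constructed connection-tracking log in the form `src_ip dst_port duration_seconds bytes_received`, and the thresholds and the grouping by /24 are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed sample (not real data): one finished TCP session per line,
# fields: src_ip dst_port duration_seconds bytes_received_from_peer.
SAMPLE_LOG = """\
203.0.113.7 25 12 1840
198.51.100.22 25 612000 1210
198.51.100.41 25 540000 980
203.0.113.9 25 30 22000
198.51.100.22 443 700000 500
"""


@dataclass
class Session:
    src: str
    dport: int
    duration: int   # seconds the connection stayed open
    rx_bytes: int   # bytes received from the peer over the whole session


def parse_sessions(text):
    """Parse the constructed log format into Session records, skipping blank lines."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dport, duration, rx_bytes = line.split()
        sessions.append(Session(src, int(dport), int(duration), int(rx_bytes)))
    return sessions


def is_trickle(s, min_seconds=24 * 3600, max_rate=0.01):
    """Flag an SMTP session open for at least a day at a trickle of data.

    Thresholds are assumptions: one day, and at most 0.01 bytes/s, which is
    about one byte every 100 seconds, far below any real mail transaction but
    above the 'one byte every few minutes' pattern quoted in the thread.
    """
    return s.dport == 25 and s.duration >= min_seconds \
        and s.rx_bytes / s.duration <= max_rate


def suspicious_prefixes(sessions, prefix_len=24):
    """Count flagged sessions per /24 so a whole range behaving alike stands out."""
    counts = {}
    for s in sessions:
        if is_trickle(s):
            net = str(ip_network(f"{s.src}/{prefix_len}", strict=False))
            counts[net] = counts.get(net, 0) + 1
    return counts
```

    Running `suspicious_prefixes(parse_sessions(SAMPLE_LOG))` on the constructed sample reports only the 198.51.100.0/24 block, with two sessions; short real deliveries and the long non-SMTP session are ignored.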
  • AnthonySmith Member, Patron Provider

    @bdspice said:
    My server is compromised, I can't even access the IP from PuTTY for SSH. How can I back up the server?

    Via recovery mode.

    Thanked by 2bdspice ItzMayed