Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Monday June 10 2019, @05:11AM   Printer-friendly
from the no-surprises dept.

Submitted via IRC for AnonymousLuser

New RCE vulnerability impacts nearly half of the internet's email servers

A critical remote command execution (RCE) security flaw impacts over half of the Internet's email servers, security researchers from Qualys have revealed today.

The vulnerability affects Exim, a mail transfer agent (MTA), which is software that runs on email servers to relay emails from senders to recipients.

According to a June 2019 survey of all mail servers visible on the Internet, 57% (507,389) of all email servers run Exim -- although different reports would put the number of Exim installations at ten times that number, at 5.4 million.

In a security alert shared with ZDNet earlier today, Qualys, a cyber-security firm specialized in cloud security and compliance, said it found a very dangerous vulnerability in Exim installations running versions 4.87 to 4.91.

The vulnerability is described as a remote command execution -- different, but just as dangerous as a remote code execution flaw -- that lets a local or remote attacker run commands on the Exim server as root.

Qualys said the vulnerability can be exploited instantly by a local attacker that has a presence on an email server, even with a low-privileged account.

But the real danger comes from remote hackers exploiting the vulnerability, who can scan the internet for vulnerable servers, and take over systems.

"To remotely exploit this vulnerability in the default configuration, an attacker must keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes)," researchers said.

"However, because of the extreme complexity of Exim's code, we cannot guarantee that this exploitation method is unique; faster methods may exist."

Furthermore, the Qualys team says that when Exim is in certain non-default configurations, instant exploitation is also possible in remote scenarios.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by TheRaven on Monday June 10 2019, @05:25PM (1 child)

    by TheRaven (270) on Monday June 10 2019, @05:25PM (#853761) Journal

    No, the problem is Ubuntu's claim that running old versions is more secure. Recent versions of Ubuntu ship with Exim 4.92, but the long-term support release 16.04 ships with 4.86.2, which is vulnerable. If you aren't using the LTS version of Ubuntu, then you're fine. If you are, then you have a potentially vulnerable (depending on your configuration) package with no way to upgrade.

    This is why FreeBSD provides third-party packages as a rolling release: so that any package set from February or later will have included the upgrade and you're not stuck trying to get software from 2019 working with dependencies from 2016 or upgrade a large chunk of stuff to get a single security fix (or trying to back-port a security fix to a release that's no longer supported upstream in the short embargo window before it's publicly disclosed).

    --
    sudo mod me up
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 0) by Anonymous Coward on Tuesday June 11 2019, @12:41AM

    by Anonymous Coward on Tuesday June 11 2019, @12:41AM (#853993)

    Ubuntu inherits this from Debian. I don't use Ubuntu, but I have a ton of systems personal and at work running Debian. I love that Debian freezes on a version of a package, and back ports bug fixes. I don't have to worry about the new bugs that come with the new features in latest shiny version breaking my systems. I would never run a rolling release distribution on production hosts.

    Debian also has a few options so you can selectively opt in to more bleeding edge versions of selected packages while not increasing the risk of updates by running everything on the system bleeding edge. Best of both worlds.