Microsoft warns of worm attacks on Exim server on Azure

[German]The company warns customers about worm attacks on Exim servers hosted on Microsoft Azure. This is due to vulnerabilities recently discovered in Exim servers.


Background to the Exim server warning

The open sourcexim mail server in certain versions is vulnerable to a recently discovered vulnerability. In some cases, this allows unauthenticated attackers to execute commands with root privileges. The CVE-2019-10149 vulnerability became public in April 2016 and affects the vulnerabilities in Exim versions 4.87 through 4.91.

The vulnerability is trivially exploitable for local users with a low-privileged account on a vulnerable system running with default settings. All that is required is that the person sends an email to "${run{…}}@localhost", where "localhost" is an existing local domain on a vulnerable Exim installation. This allows attackers to execute commands of their choice with root privileges. The command execution error can also be exploited remotely over the Internet, albeit with some limitations. I had published details within my German blog post Schwachstelle in Exim-Mail-Server bedroht Millionen Nutzer. An english article may be found at Bleeping Computer.

Last week, Amit Serper of CyberReason discovered an active worm that uses this vulnerability to infect Linux servers running Exim with crypto currency miners. The worm uses the infected server to search for other vulnerable hosts to infect.

Microsoft warns of this worm

In a blog post on June 14, 2019, the Microsoft Security Response Team (MSRT) was facing the vulnerability.

This week, MSRC confirmed the presence of an active Linux worm leveraging a critical Remote Code Execution (RCE) vulnerability, CVE-2019-10149, in Linux Exim email servers running Exim version 4.87 to 4.91. Azure customers running VMs with Exim 4.92 are not affected by this vulnerability.

Azure has controls in place to limit the spread of this worm. This involves the use of techniques to combat SPAM. But customers using the vulnerable Exim software would still be vulnerable to infection. Only Exim 4.92 servers are protected from the vulnerability.


Customers using virtual machines (VMs) under Azure are responsible for updating the operating systems and software running on their VMs. Because this vulnerability is actively exploited by worm activity, MSRC encourages customers to follow the best practices and patterns of Azure Security and patch or restrict network access to VMs running affected versions of Exim.

More details on what to do can be found in Microsoft's blog post. Bleeping Computer has also published an article on the subject.

Cookies helps to fund this blog: Cookie settings


This entry was posted in Security, Update and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *