{"id":10155,"date":"2019-06-19T07:10:00","date_gmt":"2019-06-19T05:10:00","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=10155"},"modified":"2023-02-14T15:36:25","modified_gmt":"2023-02-14T14:36:25","slug":"microsoft-warnt-vor-wurmangriffen-auf-exim-server-auf-azure","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2019\/06\/19\/microsoft-warnt-vor-wurmangriffen-auf-exim-server-auf-azure\/","title":{"rendered":"Microsoft warns of worm attacks on Exim server on Azure"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/web.archive.org\/web\/20190521210503\/https:\/\/j74.imgup.net\/Azure0e3a.jpg\" width=\"86\" align=\"left\" height=\"50\">[<a href=\"https:\/\/www.borncity.com\/blog\/2019\/06\/19\/microsoft-warnt-vor-wurmangriffen-auf-exim-server-auf-azure\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]The company warns customers about worm attacks on Exim servers hosted on Microsoft Azure. This is due to vulnerabilities recently discovered in Exim servers. <\/p>\n<p><!--more--><\/p>\n<h2>Background to the Exim server warning<\/h2>\n<p>Certain versions of the open source Exim mail server are affected by a recently discovered vulnerability. In some cases, this allows unauthenticated attackers to execute commands with root privileges. The <a href=\"https:\/\/www.exim.org\/static\/doc\/security\/CVE-2019-10149.txt\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2019-10149<\/a> vulnerability became public in April 2016 and affects Exim versions 4.87 through 4.91.<\/p>\n<p>The vulnerability is trivially exploitable by local users with a low-privileged account on a vulnerable system running with default settings. All that is required is for the user to send an email to \"${run{&#8230;}}@localhost\", where \"localhost\" is an existing local domain on a vulnerable Exim installation. 
This allows attackers to execute commands of their choice with root privileges. The command execution flaw can also be exploited remotely over the Internet, albeit with some limitations. I published details in my German blog post <a href=\"https:\/\/www.borncity.com\/blog\/2019\/06\/07\/schwachstelle-in-exim-mail-server-bedroht-millionen-nutzer\/\" target=\"_blank\" rel=\"noopener noreferrer\">Schwachstelle in Exim-Mail-Server bedroht Millionen Nutzer<\/a>. An English article can be found <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/millions-of-exim-mail-servers-are-currently-being-attacked\/\" target=\"_blank\" rel=\"noopener noreferrer\">at Bleeping Computer<\/a>.<\/p>\n<p>Last week, Amit Serper of Cybereason <a href=\"https:\/\/www.cybereason.com\/blog\/new-pervasive-worm-exploiting-linux-exim-server-vulnerability\" target=\"_blank\" rel=\"noopener noreferrer\">discovered an active worm<\/a> that uses this vulnerability to infect Linux servers running Exim with cryptocurrency miners. 
The worm uses the infected server to search for other vulnerable hosts to infect.<\/p>\n<h2>Microsoft warns of this worm<\/h2>\n<p>In a <a href=\"https:\/\/web.archive.org\/web\/20190629102539\/https:\/\/blogs.technet.microsoft.com\/msrc\/2019\/06\/14\/prevent-the-impact-of-a-linux-worm-by-updating-exim-cve-2019-10149\/\" target=\"_blank\" rel=\"noopener noreferrer\">blog post<\/a> on June 14, 2019, the Microsoft Security Response Team (MSRT) addressed the vulnerability.<\/p>\n<blockquote>\n<p>This week, MSRC confirmed the presence of an active Linux worm leveraging a critical Remote Code Execution (RCE) vulnerability, <a href=\"https:\/\/www.exim.org\/static\/doc\/security\/CVE-2019-10149.txt\">CVE-2019-10149<\/a>, in Linux Exim email servers running Exim version 4.87 to 4.91.\u202f<strong><em>Azure customers running VMs with Exim 4.92 are not affected by this vulnerability.<\/em><\/strong><strong> <\/strong><\/p>\n<\/blockquote>\n<p>Azure has controls in place to limit the spread of this worm. These include techniques used to combat spam. However, customers running the vulnerable Exim software would still be susceptible to infection. Only Exim 4.92 servers are protected from the vulnerability.  <\/p>\n<p>Customers using virtual machines (VMs) on Azure are responsible for updating the operating systems and software running on their VMs. Because this vulnerability is being actively exploited by worm activity, MSRC encourages customers to follow Azure security best practices and patterns and to patch or restrict network access to VMs running affected versions of Exim. <\/p>\n<p>More details on what to do can be found in <a href=\"https:\/\/web.archive.org\/web\/20190629102539\/https:\/\/blogs.technet.microsoft.com\/msrc\/2019\/06\/14\/prevent-the-impact-of-a-linux-worm-by-updating-exim-cve-2019-10149\/\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft's blog post<\/a>. 
Bleeping Computer has also published an <a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-warns-about-worm-attacking-exim-servers-on-azure\/\" target=\"_blank\" rel=\"noopener noreferrer\">article on the subject<\/a>. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]The company warns customers about worm attacks on Exim servers hosted on Microsoft Azure. This is due to vulnerabilities recently discovered in Exim servers.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,22],"tags":[66,69],"class_list":["post-10155","post","type-post","status-publish","format-standard","hentry","category-security","category-update","tag-azure","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/10155","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=10155"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/10155\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=10155"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=10155"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=10155"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}