New RCE Vulnerability Impacts Nearly Half of the Internet's Email Servers

An anonymous reader quotes a report from ZDNet: A critical remote command execution (RCE) security flaw impacts over half of the Internet's email servers, security researchers from Qualys have revealed today. The vulnerability affects Exim, a mail transfer agent (MTA), which is software that runs on email servers to relay emails from senders to recipients. According to a June 2019 survey of all mail servers visible on the Internet, 57% (507,389) of all email servers run Exim -- although different reports would put the number of Exim installations at ten times that number, at 5.4 million.

In a security alert shared with ZDNet earlier today, Qualys, a cyber-security firm specialized in cloud security and compliance, said it found a very dangerous vulnerability in Exim installations running versions 4.87 to 4.91. The vulnerability is described as a remote command execution -- different, but just as dangerous as a remote code execution flaw -- that lets a local or remote attacker run commands on the Exim server as root. Qualys said the vulnerability can be exploited instantly by a local attacker that has a presence on an email server, even with a low-privileged account. lBut the real danger comes from remote hackers exploiting the vulnerability, who can scan the internet for vulnerable servers, and take over systems. The vulnerability was patched with Exim 4.92, on February 10, 2019, "but at the time the Exim team released v4.92, they didn't know they fixed a major security hole," reports ZDNet.

"This was only recently discovered by the Qualys team while auditing older Exim versions. Now, Qualys researchers are warning Exim users to update to the 4.92 version to avoid having their servers taken over by attackers."

Re:So /. publicly posts it

[Opportunist]

If you rely on /. for your exploits, you will probably find that you get the info late enough that even MS had found time to patch their shit...

Re:

[sinij]

Well, yes but all dupe articles will give you a high level of assurance that you didn't overlook any.

Re:

[ptaff]

Is there an email server written in Rust?

No, because most Rust programmers spend more time proselytizing than coding --- which is a valid approach: code that does not exist is 100% secure. Unwritten Rust code is even more secure!

Re:

[MightyMartian]

I rather like the language . It has some maturing to do, it doesn't have the libraries and toolkits of languages like C++ and Java, but it really is a very nice language.

Re: Is there an email server written in Rust?

[TuballoyThunder]

Because there is no Iron Chef of programming languages--there isn't one programming language that reigns supreme. The proselytizing by the fans of language X is annoying. A good professional programmer should be willing to use whatever language is well suited for the task, consistent with the software infrastructure, and within their skill sets.

Re:

[MightyMartian]

I'd argue that java is by nature a lot more secure than C++. Not perfect, but a step in the right direction.

Re:

[PPH]

For those who don't know,

Wow! No, I don't think I've ever seen a post about Rust here on Slashdot.

Re: Is there an email server written in Rust?

[Anonymous Coward]

Per TFA, this vulnerability had nothing to do with memory corruption, and would have existed in Rust just the same. This vulnerability is more of an input sanitizer failure. You can write bad code in any language, Rust isnâ(TM)t a silver bullet, &c.

You can write bad software in any language

[HiThere]

Rust has some nice points, but just writing in Rust won't turn good code into bad code.

That said, after looking the language over, I decided it wasn't worth the effort required to use it. Whether this is true for you or not will depend on what your application is.

Irrelevant

[aglider]

Almost all email traffic runs on Google and Microsoft.
The number of email server doesn't account for the number of users, though.

Re:

[Bert64]

Indeed, a lot of those hosts running exim simply have it installed and running, they aren't actively being used as mailservers.

Re:

[jbmartin6]

That does not nullify the risk of remote code execution on those hosts and thus their attached networks

Re:

[aaronb1138]

<quote><p>Almost all [legitimate] email traffic runs on Google and Microsoft.
The number of email server doesn't account for the number of users, though.</p></quote>

Spammers gotta use something and it isn't Google or Microsoft... May they all be 'spoilted and have their infrastructure cratered.

Re: Irrelevant

[aglider]

Yes, but as almost all DESTINATION users are on Google and Microsoft, using another server to send email won't help that much.

Email spam is irrelevant.

Microsoft Exchange is safe?

[jfdavis668]

Wow, the first major email bug not related to Microsoft products.

Re:

[iggymanz]

lolz only if you're very young. look at the history of sendmail sometime

The vulnerability was patched in Feb 2019

[Anonymous Coward]

‘The vulnerability was patched with the release of Exim 4.92, on February 10, 2019,/a>, but at the time the Exim team released v4.92, they didn't know they fixed a major security hole.’ [zdnet.com]

Re:

[mark-t]

If day-zero means only that it was discovered before the developers knew about it, then wouldn't that make this a day-zero exploit that was discovered *after* the fix?

Re:

[HiThere]

Well, actually I can't name *ANY* reporter for CNN. Did you have a point? (I also can't name any reporter for FOX. Do ABC and NBC still exist?)

I prefer to get my news in print format, so I can read it over slowly enough to decide whether it's making sense, and how much I think they are lying to me in what way. Radio, TV, etc. are designed to prevent you from stopping to think about what they're saying.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Anonymous Coward]

What I don't understand is, if 57% of all servers run Exim, but some reports place it at ten times that number, does that mean that up to 570% of all servers run Exim?

That's a lot of servers!

Re:

[bobby]

It's either that, or you are nobody.

Jabs aside, I've always wondered about those reports and the "surveys" they're based on. How DO they know who's running exim; where do they get their stats? I think a sphincter is involved.

Re:

[bobby]

Very interesting and informative, thanks. I had not heard of masscan.

Bogus numbers

[WoodstockJeff]

If " 57% (507,389) of all email servers run Exim", then "ten times that number, at 5.4 million" would mean 570% of the worlds email servers run Exim. That's scary.

Re:

[HiThere]

It's a standard part of Linux installs, though I'm not sure how standard. I've got a version installed, but it had already been updated. I didn't know I had it installed until I checked, but the name is familiar enough that I probably tinkered with it a bit in the 90's.

And since it's email, it's probably also installed in BSD systems, and likely in Mac and MSWind. After all, MS got their internet stack from Unix, and so did Apple and Linux. They've all changed things several times, though, so it's hard

Re:

[dissy]

It's a standard part of Linux installs, though I'm not sure how standard.

For the Debian base and anything based on it that doesn't significantly change the defaults, Exim is installed to handle local email delivery but only listens on the localhost interface.

Without any other packages installed by the admin afterwards, the Exim package also handles the local "sendmail" command so things like scripts and cron and whatnot can deliver status messages and errors to root.

Going by the summary here, I'd guess that would make one vulnerable to attackers with local user accounts on the s

Re:

[HiThere]

Thanks. That's a WHOLE lot more than I remembered about it, though when you say "local mail handler" it rings faint bells.

Re:

[Bradmont]

The vast majority of these are probably linux systems that had Exim installed by default but aren't really being used for mail. For example, Exim is still the default MTA on Debian [debian.org], which runs on zillions of servers. I'm not sure about all of its derivatives like ubuntu and such, but I'm sure some of them keep Debian's default.

So the extra bad side of this is that many of these are likely run by people who haven't taken a lot of time to tighten up their system once it's doing what they want, meaning a lot o

personal crap domains?

[iggymanz]

does any important domain run exim? It's the default for some distros which explains its presence, but what significant site would run it? I'd expect it to be on a hobbyist domain server. I did work on a lot of small and medium business linux servers at my last job, never saw anyone running exim. Sendmail, postfix and qmail yes.

Re:

[iggymanz]

cpanel would be the "personal crap" websites I talked about.

I just checked the few huge unis we have here in Chicago, they're not using exim but everything else.

Universities should know better, exim does not scale, even in the words of its creator "not for use where there would be large queues". It's for rinky-dink operations.

Re:

[ebonum]

qmail? The last stable release was 1.03 / June 15, 1998!

https://en.wikipedia.org/wiki/... [wikipedia.org]

I used qmail back in the day. My email server was a Linux laptop at home on the floor leaning on my desk. Worked great! Those days are gone.

Re:

[OrangeTide]

Exim is a bit easier to hook up to exotic authentication systems than Postfix, which would appeal to corporate users. For a bog standard *nix box there is really no reason to pick Exim over Postfix.

Number one reason is that it's default on RHEL and CentOS. It's like 2 commands to have Postfix installed, but 0 commands to have Exim installed.

Re:

[HighOrbit]

If I remember correctly, Exim is, or was at one time, the default mail agent on Debian and was installed by default on 'full installations'. I'd guess that most Exim installations are essentially installed-but-unused on Debian and Debian-based box.