Microsoft has issued a stern warning to Azure customers to update their virtual machines and ensure they are running Exim version 4.92.
Recently, a zero-day Linux Exim mail server vulnerability (CVE-2019-10149) was discovered, and an exploit has since been developed and is being used in real-world attacks, including an extensive worm campaign targeting millions of vulnerable Linux servers.
Microsoft explained in a recent advisory that certain Azure customers are vulnerable to attack through exploitation of a vulnerability in the Exim mail transport agent (MTA), the software on Linux-based servers that routes and delivers email messages.
Customers running virtual machines that use Exim version 4.87 to 4.91 need to update to the latest version of Exim as soon as possible to prevent the flaw from being exploited.
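As an added example (not from the article, from Microsoft's advisory, or from the Exim project), the following POSIX shell script classifies an Exim version string against the affected range the article gives (4.87 through 4.91, fixed in 4.92) and, when run on a host, reads the installed version from `exim -bV`. The function names, the handling of version suffixes such as `_RC1`, and the assumption that `exim -bV` prints a first line of the form `Exim version X.YY #N built ...` are mine, not the page's.

```shell
#!/bin/sh
# Added example: check whether an Exim version falls in the range the
# article names as affected by CVE-2019-10149 (4.87 .. 4.91).
# Not part of the article or of Microsoft's advisory.

# exim_affected VERSION -> exit 0 if VERSION is within 4.87..4.91, 1 otherwise.
exim_affected() {
    major=${1%%.*}               # "4.91.1" -> "4"
    rest=${1#*.}                 # "4.91.1" -> "91.1"
    minor=${rest%%[!0-9]*}       # "92_RC1" -> "92", "91.1" -> "91"
    [ "$major" = "4" ] || return 1
    case "$minor" in
        ''|*[!0-9]*) return 1 ;; # no parsable minor version
    esac
    [ "$minor" -ge 87 ] && [ "$minor" -le 91 ]
}

# exim_installed_version -> prints the version reported by the local exim
# binary, or returns 1 if exim is not installed (assumed -bV output format).
exim_installed_version() {
    command -v exim >/dev/null 2>&1 || return 1
    exim -bV 2>/dev/null | awk '$1 == "Exim" && $2 == "version" { print $3; exit }'
}

# check_host -> prints a verdict for this host; exit 2 when an update is needed.
check_host() {
    v=$(exim_installed_version) || { echo "exim not installed on this host"; return 0; }
    if exim_affected "$v"; then
        echo "Exim $v is in the affected range 4.87-4.91: update to 4.92"
        return 2
    fi
    echo "Exim $v is not in the affected range"
}

check_host
```

The script is meant to be run on each VM as part of an inventory pass; a non-zero exit from `check_host` marks the host as needing the update. It only checks the reported version, so it does not tell you whether a distribution has backported the fix under an older version number.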
Microsoft can only warn its customers: while it is responsible for securing Azure, it is the customers' responsibility to ensure they are running up-to-date operating systems on their VMs.
In the current attacks, malicious actors are successfully exploiting the vulnerability to remotely execute code, take control of victims' machines, and download malware such as cryptocurrency miners. They can also search for other devices to infect and quickly gain access to large numbers of vulnerable systems.
Microsoft explained that mitigations can be implemented on affected systems, although they only partially address the vulnerability: if an attacker's IP address is allowed through Network Security Group security rules, attacks will still be possible.
The mitigations can block delivery of internet-based wormable malware and other advanced malware threats, but they still leave users open to RCE attacks, so updating to the latest Exim version is strongly recommended.
Approximately 3.5 million servers are believed to be at risk of attack. Exim-based mail servers account for more than 56% of internet email servers.
In at least one attack, a threat actor established permanent root access on a vulnerable system via SSH. Several threat actors are known to be experimenting with attacks and are actively scanning for vulnerable devices. It is therefore of critical importance that all Exim users ensure they are running version 4.92 of Exim.