
400 thousand servers may be subject to RCE attacks due to a vulnerability in the Exim mail agent



A serious vulnerability has been discovered in Exim, a popular message transfer agent, that allows attackers to perform remote code execution. The problem was found by researchers at Devcore Security Consulting, who estimate that a vulnerable version of Exim is running on about 400,000 servers worldwide.

What is the problem


Vulnerability CVE-2018-6789 is present in all versions of Exim except 4.90.1. The flaw is in the base64 decoding function and results in a buffer overflow. By sending specially crafted requests to a server running Exim, attackers can exploit it to execute code remotely.

The researchers were able to build a working exploit. By their estimate, about 400 thousand servers around the world are vulnerable; the Shodan search engine was used to arrive at that figure.
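As an added illustration that is not part of the original post or of Exim's own code: a bounds-checked base64 decoder whose output capacity is derived from the input length modulo 4 rather than assumed from padded input. Inputs whose length is 4k+2 or 4k+3 characters (unpadded) decode to 3k+1 or 3k+2 bytes, so a decoder that sizes its buffer as 3*(n/4)+1 for every n is one byte short in the 4k+3 case; the decoder below computes the exact length and refuses to write past the caller's buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Exact number of bytes that n base64 characters (padding stripped) decode to.
 * n = 4k -> 3k, n = 4k+2 -> 3k+1, n = 4k+3 -> 3k+2; n = 4k+1 is impossible.
 * A blanket 3*(n/4)+1 estimate is one byte short whenever n % 4 == 3. */
size_t b64_decoded_len(size_t n) {
    size_t r = n % 4;
    if (r == 1) return (size_t)-1;            /* invalid length */
    return 3 * (n / 4) + (r ? r - 1 : 0);
}

static int b64_val(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;                                /* not a base64 character */
}

/* Decode src (n chars, optional '=' padding) into out, which holds cap bytes.
 * Returns the number of bytes written, or -1 on malformed input or when the
 * exact decoded length would not fit in cap. Never writes beyond out[cap-1]. */
long b64_decode(const char *src, size_t n, unsigned char *out, size_t cap) {
    while (n > 0 && src[n - 1] == '=') n--;   /* strip trailing padding */
    size_t need = b64_decoded_len(n);
    if (need == (size_t)-1 || need > cap) return -1;

    size_t o = 0;
    uint32_t acc = 0;
    int bits = 0;
    for (size_t i = 0; i < n; i++) {
        int v = b64_val((unsigned char)src[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {                      /* a full byte is available */
            bits -= 8;
            out[o++] = (unsigned char)(acc >> bits);
            acc &= (1u << bits) - 1;
        }
    }
    return (long)o;                           /* always equals need */
}
```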

How to protect


The Exim developers have released a security bulletin stating that the severity of the vulnerability is hard to assess at the moment: "We believe that it is not easy to exploit." The bug is fixed in Exim 4.90.1, and all users are advised to install it as soon as possible.

In addition, Positive Technologies experts have created a signature for the Suricata IDS that detects and blocks attempts to exploit CVE-2018-6789; you can use it by loading the signature into our PT Network Attack Discovery system:


PS On May 15-16, Moscow will host the international forum on practical information security Positive Hack Days 8. The Call For Papers is currently open: the topics are listed on a dedicated page, and applications should be sent to cfp@phdays.com.

Source: https://habr.com/ru/post/350698/
