
New command execution vulnerability affects half of email servers

An investigation by web application security specialists at the firm Qualys has revealed that more than half of all email servers are affected by a critical remote command execution (RCE) vulnerability.

Experts report that this flaw affects the Mail Transfer Agent (MTA) known as Exim, software that runs on email servers to relay emails from senders to recipients.

In a survey conducted among all conventional mail servers, 57% of them (about 507,300) were reported to use Exim, although other research claims that the total number of deployments of this software exceeds 5 million, so the scope of this vulnerability is considerable.

Web application security specialists from the cloud security firm published a report stating that they have found a dangerous vulnerability in Exim deployments running versions 4.87 to 4.91.

“This is a remote command execution vulnerability (not to be confused with remote code execution) that allows malicious actors, whether local or remote, to execute commands on the Exim server with root user privileges”, the experts’ report states.

The vulnerability could be exploited immediately by a local attacker with a presence on the email server, even one using only a limited-privilege user account. The worst-case scenario, however, is remote exploitation, as hackers could scan the Internet for vulnerable servers and take full control of a system.

“An attacker must keep the connection to the vulnerable server active for at least seven days to exploit this vulnerability”, added the web application security specialists. To keep the connection alive, hackers would have to transmit a minimal amount of data at intervals of a few minutes. “However, Exim is very complex code, so it is likely that other exploitation methods are more efficient than those reported in our report”, the experts added.

According to experts from the International Institute of Cyber Security (IICS), the vulnerability was corrected with the release of Exim 4.92, albeit incidentally, as the developers were not aware of the existence of the vulnerability.
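For administrators taking stock of their own mail servers, the version range above can be turned into a first-pass inventory check. The following is an added example, not code from Qualys or the Exim project; the banner and `exim -bV` strings are constructed samples, the host names are placeholders, and the function names are hypothetical.

```python
import re

# Range as stated in the article: versions 4.87 to 4.91 affected, corrected in 4.92.
FIRST_AFFECTED = (4, 87)
LAST_AFFECTED = (4, 91)

# Matches both "Exim version 4.91 #2 built ..." (output of `exim -bV`)
# and "220 host ESMTP Exim 4.91 ..." (default SMTP greeting).
VERSION_RE = re.compile(r"\bExim\s+(?:version\s+)?(\d+)\.(\d+)", re.IGNORECASE)


def exim_version(text):
    """Return (major, minor) parsed from a banner or -bV line, or None."""
    m = VERSION_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(text):
    """Map one collected string to a triage label."""
    v = exim_version(text)
    if v is None:
        # Greeting was customized or the server is not Exim: check by hand.
        return "unknown"
    if FIRST_AFFECTED <= v <= LAST_AFFECTED:
        # Version match only; a distribution package may carry a backported
        # fix under the same upstream version, so confirm with the vendor.
        return "affected"
    if v > LAST_AFFECTED:
        return "fixed"
    return "below_range"  # older than 4.87, outside the range the article names


def triage(inventory):
    """inventory: {host: banner or `exim -bV` first line} -> {host: label}."""
    return {host: classify(text) for host, text in inventory.items()}


# Constructed sample inventory (placeholder hosts, invented timestamps).
SAMPLE = {
    "mx1.example.test": "220 mx1.example.test ESMTP Exim 4.91 Mon, 10 Jun 2019 09:12:44 +0000",
    "mx2.example.test": "Exim version 4.92 #3 built 21-Feb-2019 10:01:12",
    "mx3.example.test": "220 mx3.example.test ESMTP ready",
    "mx4.example.test": "220 mx4.example.test ESMTP Exim 4.89_1 Tue, 11 Jun 2019 07:00:01 +0000",
    "mx5.example.test": "Exim version 4.84_2 #1 built 12-Mar-2016 08:30:00",
}

if __name__ == "__main__":
    for host, label in sorted(triage(SAMPLE).items()):
        print(f"{host:20} {label}")
```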
