Exim mail transfer agent (MTA) software has been actively exploited by Russian military cyber actors, publicly known as the Sandworm Team, since August 2019. The vulnerability may lead to remote command execution.
Exim is a widely used MTA for Unix-based systems that comes pre-installed on some Linux distributions, such as Debian. Approximately 57% of the publicly reachable mail servers on the Internet ran Exim.
The vulnerability, tracked as CVE-2019-10149, could allow a remote attacker to execute commands with root privileges by sending a specially crafted email. The flaw was present in Exim versions 4.87 to 4.91.
The vulnerability stemmed from improper validation of the recipient address in the deliver_message() function in /src/deliver.c, which may lead to remote command execution.
“The Russian actors, part of the General Staff Main Intelligence Directorate’s (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, and execute additional scripts for further network exploitation, as long as that network is using an unpatched version of Exim MTA,” the advisory said.
The actors exploited victims using Exim software on their public-facing MTAs by sending a command in the “MAIL FROM” field of an SMTP (Simple Mail Transfer Protocol) message.
Once the vulnerability was successfully exploited, the attacker could download and execute a shell script from a Sandworm-controlled domain. The script then attempted to do the following on the infected victim’s machine:
- add privileged users
- disable network security settings
- update SSH configurations to enable additional remote access
- execute an additional script to enable follow-on exploitation
Network administrators are encouraged to review the network security devices protecting Exim mail servers, both to identify prior exploitation and to ensure network-based protection for any unpatched Exim servers.
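The two checks the article asks administrators to make, whether a server runs an affected Exim version (4.87 to 4.91) and whether logs show a command delivered through the “MAIL FROM” field, can both be scripted. The following Python is an added example written for this page; it is not code from the article or from the advisory it reports on. It assumes Exim's version banner as printed by `exim -bV` (`Exim version 4.91 ...`), Exim mainlog reject lines that record the sender as `F=<...>`, and, as an assumption, exported SMTP transcripts containing `MAIL FROM:<...>`. The indicator it looks for, Exim's own `${...}` string-expansion syntax (and specifically `${run{...}}`) appearing inside a sender address, is drawn from the public write-ups of CVE-2019-10149 rather than from this article; a legitimate sender address never contains it. The log lines are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Version range the article names as affected: 4.87 through 4.91 inclusive.
VULNERABLE_MIN = (4, 87)
VULNERABLE_MAX = (4, 91)

# Matches the first line of 'exim -bV' output, e.g. "Exim version 4.91 #1 built 12-Jun-2019".
VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)")

# Sender address as logged by Exim mainlog ("F=<...>") or in an SMTP transcript
# ("MAIL FROM:<...>", assumed format for exported sessions).
SENDER_RE = re.compile(r"(?:F=|MAIL FROM:)\s*<([^>]*)>", re.IGNORECASE)

# Exim string-expansion syntax; "${run{" is the variant that executes a command.
EXPANSION_RE = re.compile(r"\$\{")
RUN_RE = re.compile(r"\$\{\s*run\s*\{")


def parse_exim_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from an 'exim -bV' banner, or None if absent."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_vulnerable_version(banner: str) -> bool:
    """True if the banner reports a version in the affected 4.87..4.91 range.

    Caveat: distributions backport fixes without bumping the upstream version,
    so a hit here means 'check the package changelog', not 'confirmed vulnerable'.
    """
    v = parse_exim_version(banner)
    return v is not None and VULNERABLE_MIN <= v <= VULNERABLE_MAX


@dataclass
class Finding:
    line_no: int
    sender: str
    reason: str


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Flag log lines whose sender address carries Exim expansion syntax."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        for m in SENDER_RE.finditer(line):
            sender = m.group(1)
            if RUN_RE.search(sender):
                findings.append(Finding(n, sender, "exim ${run{...}} expansion in sender"))
            elif EXPANSION_RE.search(sender):
                findings.append(Finding(n, sender, "exim ${...} expansion syntax in sender"))
    return findings


# Constructed sample log: two benign deliveries and two suspicious sender fields.
# The command inside ${run{...}} is a harmless placeholder, not a real payload.
SAMPLE_LOG = """\
2019-08-12 09:14:02 1hx0Qa-0001Aa-3F <= alice@example.org H=mail.example.org [203.0.113.5] P=esmtp S=1342
2019-08-12 09:15:44 H=(localhost) [198.51.100.23] F=<${run{/bin/true}}@localhost> rejected RCPT <bob@example.com>
2019-08-12 09:16:10 session from [198.51.100.23]: MAIL FROM:<${substr{0}{1}{x}}@localhost>
2019-08-12 09:17:30 1hx0Rc-0001Ab-9Q <= carol@example.net H=mx.example.net [203.0.113.9] P=esmtps S=2210
"""


if __name__ == "__main__":
    print("4.91 affected:", is_vulnerable_version("Exim version 4.91 #1 built 12-Jun-2019"))
    print("4.92 affected:", is_vulnerable_version("Exim version 4.92 #1 built 10-Feb-2019"))
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.reason}: {f.sender}")
```

Run the version check against the real `exim -bV` output on each mail host and feed the log scanner the mainlog history back to August 2019; a hit on `${run{` in a sender field is a strong indicator of an exploitation attempt, while any other `${` in a sender is worth a look even if the server was patched, since it shows who was probing.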