EXIM Vulnerability (CVE-2019-10149) – Summary

Technical Advice

The vulnerability described on this and the following page affects various versions of the EXIM mail transfer agent (4.87 – 4.91) that have non-default configurations. If you have any of these versions of EXIM in a non-default configuration, you may be at risk of this vulnerability being exploited.

The Operation Configured team have contacted you because research indicates that your organisation or an organisation your ICT team supports may have this vulnerability and the EXIM server is exposed to the public internet. While it is possible that this information is incorrect because of the method of vulnerability identification employed by the Operation, it is important you establish for yourself whether the organisation is vulnerable. If you establish that the systems are vulnerable, there is an increased risk they will fall victim to a potentially devastating criminal cyber attack as a result.

There is another, non-technical summary of this vulnerability available for managers and decision makers. You will need to support them in making choices about how to approach this situation.

IMPORTANT: While SEROCU are notifying organisations of this vulnerability, the team will NOT be asking for any information or other details. They will only be providing information. Any unsolicited contact claiming to be from the Police should always be treated with caution. For more information read about Verifying Authenticity.

About this Vulnerability

In June 2019, a critical vulnerability was discovered and published relating to certain versions of Exim. The vulnerability allows a remote or local unauthenticated attacker to execute commands on these affected systems via a specially crafted email that provides them with ‘root’ (or ‘system’) privileges.  This allows the attacker to install programs of their choice, modify data, and create new accounts among other activities. There is then the risk that this could be used to further exploit other vulnerabilities and move laterally within enterprise networks.

It has been widely reported that this vulnerability in Exim has been exploited globally after just one week of the vulnerability being publicly disclosed, with the common objective to install ‘crypto-jacking’/’crypto-mining’ code on the Exim servers.  The Russian military have been reportedly to have been exploiting this vulnerability since at least August 2019.

Crypto-jacking effectively uses your computer power and electricity in efforts to generate their own cryptocurrency.  This effectively decreases the speed and efficiency of your network and reduces the operational time these servers work before developing a fault. The use of a specialised code enables it to self-propagate (worm behaviour) through exploiting Exim servers to infect other vulnerable internet connected servers.

The Common Vulnerabilities and Exposures (CVE) reference number and summary for this vulnerability is:

CVE-2019-10149 (CVSS Score 9.8 / 10.0) – This ‘Critical’ vulnerability exists in the local part of the receipt address not being properly validated when sent as input to the “expand_string()” utility within the deliver_message() function, irrespective of whether the recipient is local or remote.

The Risk this Vulnerability poses

Research conducted around this CVE shows that :

  • it is remotely and locally exploitable by an attacker.
  • user interaction is not required to exploit.
  • the complexity required to exploit is low (meaning a relatively unskilled attacker can achieve this).
  • no privileges are required to exploit.
  • an exploit is currently widely available (and has been since August 2019).

If the vulnerability is exploited, it can risk the complete loss of confidentiality, integrity and availability of the server. Taking the worst case scenario, this could result in all of the resources being disclosed to an attacker and presents a direct serious impact to an organisation’s network. It is possible for an attacker to modify any or all files, so any malicious modification would present a direct, serious consequence. If this CVE is exploited, it can risk the complete loss of confidentiality and integrity of the server. This could result in all of the resources being disclosed to an attacker and presents a direct serious impact to an organisation’s network.

There are significant risks should you choose to ignore or accept this vulnerability remaining in your system. Criminals are known to have been scanning for vulnerable EXIM servers and using them to attack and exploit organisations. Consequences may include, but are not limited to:

  • Access to sensitive / confidential data
  • Add unauthorised privileged accounts / users on the server
  • Disable network security settings
  • Update SSH configurations to enable additional remote access (backdoor access)
  • Execute additional scripts to enable further exploitation
  • Theft of data and electricity (crypto-mining)
  • Increased degradation of affected hardware
  • Corruption of your backups
  • Using you to attack others that you work with, damaging your reputation
  • Ransomware attack against your systems
  • Fines from regulators such as the Information Commissioner’s Office (ICO)
  • Your organisation ceasing operations because of system failure, reputational damage or financial losses

Microsoft Instances

Azure infrastructure and Services are not affected and have controls in place to help limit the spread of a worm that exploits EXIM, from work already done by Microsoft to tackle spam, but customers using the vulnerable software would still be susceptible to infection. 

Microsoft urges their customers to observe Azure security best practices and patterns and to patch or restrict network access to VMs running the affected versions of Exim. 

News Reporting of Exploitation of this Vulnerability

The exploitation of this vulnerability made the headlines:

June 2019 – Millions of Exim Mail Servers Are Currently Being Attacked (bleepingcomputer.com)

June 2020 – NSA Sandworm Hacking Advisory Unlikely to Stall Russian Crew – MSSP Alert

Next Steps

The next steps for the organisation should be to:

  1. Verify the presence of this vulnerability in the organisation; if so:
  2. Establish if these vulnerability has already been exploited on the organisation’s systems
  3. Work with management to establish the degree of threat, potential harm and risk posed to the organisation
  4. Isolate and mitigate the risk as soon as possible
  5. Establish a plan to resolve this vulnerability and eliminate the risk
  6. Plan to improve the organisation’s cybersecurity for the future

For more information: