Jun. 23rd, 2019

If you do, and you didn't upgrade very, very quickly after an update became available on the 5th of June, you've quite possibly been totally pwned.

It turns out that a change in Exim a while ago allowed attackers to run whatever they liked: Exim just needs to see an email addressed to something like root+{run{do this!}} @ yourdomain, and it would run 'do this!' as root.

Oops!

This is being actively exploited, to the extent that if you didn't patch it you are quite possibly too late and will have to assume the server is totally compromised. A typical initial payload is 'get 1.2.3.4/5.6.7.8', where 1.2.3.4 is the IP address the attacker is watching to see who's been caught out, and 5.6.7.8 is your IP address going 'I have! I have!' Various nasties will then be uploaded to it, and the attacker will typically attempt to cover up what's happened by deleting evidence from the log files.

Seven of the eight servers I am responsible for run exim. Fortunately, they were patched within a couple of hours, and don't actually receive any mail anyway - a firewall actively blocks the relevant ports - just sends it. The eighth one runs Postfix to handle mail, and that laughs at this one... but it's still getting lots of attempts, which shows how easy and tempting this is to exploit.
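Since the attempts keep arriving even on patched hosts, it is worth looking for them in Exim's log. The scanner below is an added example, not code from the post: it reads constructed lines laid out like Exim's mainlog (the exact layout is an assumption) and flags any recipient whose local part carries string-expansion syntax like the root+{run{...}} address above. Because the post notes attackers delete log evidence, run this over copies of the logs shipped to another host.

```python
import re
from typing import List, Dict

# Constructed sample lines in the style of Exim's mainlog (an assumption
# about the exact layout); the odd address follows the post's example.
SAMPLE_LOG = """\
2019-06-10 09:12:01 1haX1a-0003Fq-Vr <= bounce@example.net H=(mx) [198.51.100.7] P=esmtp S=812 for root+{run{do this!}}@example.org
2019-06-10 09:12:05 1haX1e-0003Fu-2B <= alice@example.com H=(mail) [203.0.113.5] P=esmtps S=2301 for bob@example.org
2019-06-10 09:13:40 H=(scan) [198.51.100.9] F=<x@example.net> rejected RCPT <root+{run{do this!}}@example.org>: relay not permitted
2019-06-10 09:14:02 1haX1g-0003Fw-5C <= carol@example.com H=(mail) [203.0.113.6] P=esmtps S=990 for dave+newsletter@example.org
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# The recipient appears either after " for " (message accepted) or inside
# "rejected RCPT <...>" (refused during the SMTP conversation).
RCPT_RE = re.compile(r"(?: for (.+)$| rejected RCPT <([^>]+)>)")
# Expansion syntax such as {run{ has no business in a mailbox name.
EXPANSION_RE = re.compile(r"\$?\{[a-z]+\{")


def local_part(address: str) -> str:
    """Return everything before the last '@' (the local part)."""
    return address.rsplit("@", 1)[0]


def scan_exim_log(text: str) -> List[Dict[str, str]]:
    """Flag lines whose recipient local part contains expansion syntax."""
    hits = []
    for line in text.splitlines():
        m = RCPT_RE.search(line)
        if not m:
            continue
        rcpt = m.group(1) or m.group(2)
        op = EXPANSION_RE.search(local_part(rcpt))
        if op:
            ip = IP_RE.search(line)
            hits.append({
                "ip": ip.group(1) if ip else "?",
                "recipient": rcpt,
                "operator": op.group(0),
                "stage": "rejected" if m.group(2) else "accepted",
            })
    return hits


if __name__ == "__main__":
    for hit in scan_exim_log(SAMPLE_LOG):
        print(hit)
```

An "accepted" hit on an unpatched host means the message reached delivery, which is where the expansion ran; a "rejected" hit is only a probe that the firewall or ACL turned away.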
