Vulnerabilities are discovered very often in various computer programs, and most of them are quickly patched by developers. Typical vulnerabilities disappear almost unnoticed, since they are fixed by routine update schedules.

In fact, most vulnerabilities are never exploited, since they are discovered by security professionals rather than hackers, or are very difficult to exploit.

However, some exploits can be extremely dangerous because they target common software found on many servers or workstations, and scripts are available online that allow even a user with little experience to compromise other systems. These require immediate action from system administrators and must be patched as soon as possible.

Exim CVE-2019-10149

The latest serious threat of this type is a vulnerability of the popular Linux mail server Exim, known as CVE-2019-10149.

It was discovered by Qualys and affects all versions of Exim from 4.87 to 4.91. A bug in the deliver_message() function in the file /src/deliver.c causes recipient address validation to be faulty. As a result, a single malicious email sent to the server is enough to allow remote command execution, as the root user.

Depending on the actual Exim configuration, some servers are more resilient and require some manual work from the attacker for a successful hack.

It is very easy to find out whether your system is vulnerable by executing the following command on Red Hat systems:

The equivalent in Debian family operating systems will generate more verbose output:

In addition, a vulnerable Exim package will be identified by any up-to-date security scanner and flagged as a high-severity alert.
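A small script that performs the version check described above on either distribution family, added here as an example and not part of the original post. It assumes the `exim` binary, `rpm` or `dpkg-query` is on the path, and compares only the upstream major.minor number against the 4.87 to 4.91 range given above; the sample `exim -bV` line used in the comments is constructed.

```shell
#!/bin/sh
# Added example: report whether the installed Exim is in the version range
# the article names as affected by CVE-2019-10149 (4.87 to 4.91 inclusive).

parse_exim_bv() {
  # $1: first line of `exim -bV` output, e.g. (constructed sample)
  # "Exim version 4.91 #1 built 12-Jun-2018 00:00:00"; prints "4.91".
  printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p'
}

exim_version_vulnerable() {
  # $1: version string such as "4.91" or a packaged form like "4.89-2+deb9u4".
  # Returns 0 when the upstream version is 4.87..4.91, 1 otherwise.
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%[!0-9]*}   # keep only the leading digits of the minor part
  case "$major.$minor" in
    4.8[789]|4.9[01]) return 0 ;;
    *) return 1 ;;
  esac
}

installed_exim_version() {
  # Prefer asking the binary itself; fall back to the package database.
  # Each fallback is guarded so the function never aborts under `set -e`.
  if command -v exim >/dev/null 2>&1; then
    parse_exim_bv "$(exim -bV 2>/dev/null | head -n 1)"
  elif command -v rpm >/dev/null 2>&1; then
    rpm -q --qf '%{VERSION}\n' exim 2>/dev/null || true
  elif command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f '${Version}\n' exim4 2>/dev/null || true
  fi
  return 0
}

ver=$(installed_exim_version)
if [ -z "$ver" ]; then
  echo "Exim does not appear to be installed on this host"
elif exim_version_vulnerable "$ver"; then
  echo "Exim $ver is in the 4.87-4.91 range named for CVE-2019-10149: patch now"
else
  echo "Exim $ver is outside the range named for CVE-2019-10149"
fi
```

Distributions such as Debian and Red Hat backport security fixes without changing the upstream version number, so a match here is a prompt to check the package changelog or your distribution's advisory, not proof that the host is still exploitable.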

Effects

Unlike other hacks that usually only install cryptocurrency miners, which are easy to remove, the Exim exploit severely compromises the infected systems, and they can only be cleaned by an experienced system administrator.

It is easy to check whether your server has been hacked: just look for any suspicious cron jobs. Removing the cron job is not enough, since it will be installed again; it is actually triggered from multiple locations, such as the rc.local file.

Other symptoms include the status of services such as FTP, which are often killed by the malware script.

In addition, the hack alters a number of system service files, as well as key binaries. In some cases, the only option is a restoration from backup or complete system reinstall.

Patching WHM servers

The developers of WHM and cPanel were very quick to release a patched version of Exim for the newest WHM version.

After a few days, they also released patches for several older versions of WHM, in order to reduce the number of vulnerable servers. As a result, all WHM systems can be updated, starting with version 70.

Installing the patches is very easy. Most servers are configured to check for updates automatically every night, so there is a high chance that your system has already been patched and is fully protected.

Automatic updates can be configured from the Update Preferences menu of WHM. If you prefer to update your server manually, a yellow notification in the upper-right corner of the screen will alert you that a newer version is available.

Regardless of whether you choose automatic or manual updates, it is good practice to check the Exim version afterwards, to make sure that it was patched.

This is because WHM updates can sometimes be blocked or fail for various reasons, such as insufficient disk space or incompatible services. The upgrade may nevertheless appear to have completed, and you can only discover that the new packages were not actually installed by inspecting the log files.

Older WHM systems

No patches are available for WHM servers older than version 70, but some of these systems are not affected by the Exim hack, simply because the package is so old that it is not vulnerable.

If your server runs a version that can be exploited, you have to plan an upgrade as soon as possible, because it will eventually be hacked.

The easiest way to upgrade is to provision a new server with the latest CentOS and WHM. You can use the excellent Transfer Tool to migrate all domains from the old machine to the new one. If you must keep obsolete services, such as PHP 5.3 or older, installing CloudLinux is the best option.

Servers without WHM

Almost all Linux distributions provide patched versions of Exim, so use your package manager to update from the command line.

These are the commands that have to be executed on Red Hat and Debian family operating systems:

The Exim vulnerability known as CVE-2019-10149 can result in a very serious hack on servers that are not patched in time, resulting in downtime, loss of data or even the need for a full reinstall.

In order to protect your systems from future exploits, make sure you have a robust update schedule, so that your servers are always running the latest packages.
