Vulnerabilities in Exim mail servers leaving UK firms exposed to hackers

The National Cyber Security Centre has asked UK organisations to immediately upgrade their Exim mail servers as several security vulnerabilities in servers which are running Exim versions 4.87 - 4.92.2 allow hackers to take root access or carry out malicious code injection.

NCSC said that there are around 174,000 Exim mail servers located within the UK and used by organisations that have not been updated to the version 4.92.3 and those servers running versions 4.87 to 4.92.2 feature several exploitable vulnerabilities such as CVE-2019-10149, CVE-2019-15846, and CVE-2019-16928.

These vulnerabilities expose organisations to remote command execution, allow attackers to send malicious Server Name Indication (SNI) during a TLS transfer which, in turn, allows for malicious code injection, and also allow attackers to either crash servers or execute remote code on them.

Organisations are nor pro-active about updating Exim mail servers: NCSC

"Due to the number of Exim devices in the UK that are currently not updated to version 4.92.3, it is likely that many organisations are not proactively keeping up to date with the latest patches ensuring their infrastructure is protected from attack.

"Although these vulnerabilities have primarily been exploited to carry out crypto-currency mining, it is likely that they could be used for further exploitation of and lateral movement within, enterprise networks. The NCSC recommends that organisations update Exim to software version 4.92.3 as soon as possible," the syber security watchdog said.

The CVE-2019-10149 vulnerability, which was first recognised in June this year, allows attackers to compromise devices by executing code remotely on an Exim mail server. By exploiting this flaw, attackers have been carrying out crypto-jacking/crypto-mining campaigns on a regular basis.

Copyright Lyonsdown Limited 2020