Microsoft is warning customers that some Azure installations are vulnerable to a recently disclosed critical Linux Exim mail server flaw that is under active attack.
The warning comes after a widespread worm campaign was disclosed on Friday targeting a flaw in the Exim mail transfer agent (MTA), Linux-based mail server software that receives, routes and delivers email messages from local users and remote hosts. The issue also reaches Azure users: Linux virtual machines running Exim can be created through the Azure portal (a browser-based user interface for creating VMs and their associated resources).
In an advisory, Microsoft said that Azure customers running the vulnerable software (virtual machines with Exim versions 4.87 through 4.91) are susceptible to the attack. Exim version 4.92 is not vulnerable.
“Customers using Azure virtual machines (VMs) are responsible for updating the operating systems running on their VMs,” said JR Aquino, manager for Azure Incident Response at Microsoft Security Response Center, in an advisory posted over the weekend. “As this vulnerability is being actively exploited by worm activity, [Microsoft] urges customers to observe Azure security best practices and patterns and to patch or restrict network access to VMs running the affected versions of Exim.”
A successful attack on a vulnerable system lets a malicious actor gain remote command execution, take control of the victim machine, scan the internet for other machines to infect, and install a cryptominer.
Microsoft for its part said that while Network Security Groups offer a “partial mitigation,” vulnerable systems remain exposed if an attacker’s IP address is permitted through the NSG. An NSG is a list of security rules for virtual machines that allow or deny network traffic to resources connected to Azure Virtual Networks.
“There is a partial mitigation for affected systems that can filter or block network traffic via Network Security Groups (NSGs),” its advisory said. “The affected systems can mitigate Internet-based ‘wormable’ malware or advanced malware threats that could exploit the vulnerability. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker’s IP Address is permitted through Network Security Groups.”
The flaw stems from improper validation of the recipient address in the deliver_message() function in the server. The vulnerability (CVE-2019-10149), which carries a critical severity score of 9.8 out of 10 on the CVSS v3 scale, was publicly disclosed on June 5 and affects Exim versions 4.87 through 4.91.
The attacks target Exim, which runs almost 57 percent of the internet’s email servers. Researchers said that more than 3.5 million servers are currently at risk from the attacks, which use a wormable exploit.
The sheer number of vulnerable systems has researchers, vendors and others urging users to patch every Exim installation in their organization and make sure it is updated to the most recent version, Exim 4.92.
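The two checks an administrator actually needs here are whether the installed Exim falls in the affected range and whether the mail log already shows the attack pattern. The script below is an added example, not code from the article, from Microsoft or from the Exim project. It assumes that `exim -bV` prints “Exim version X.YY …” on its first line and that the mainlog uses Exim’s default “<= … for <recipient>” arrival record; the log lines at the bottom are constructed sample data. The recipient indicator (an `${run{…}}` expansion smuggled into the local part) comes from the public Qualys advisory for CVE-2019-10149, not from this page.

```shell
#!/bin/sh
# Added triage helpers for CVE-2019-10149 (not from the article, Microsoft or
# the Exim project). Assumptions: `exim -bV` prints "Exim version X.YY ..."
# on its first line, and the mainlog uses the default "<= ... for <recipient>"
# arrival record.

# Pull "4.91" out of `exim -bV` output read from stdin.
exim_version_from_bv() {
    sed -n '1s/^Exim version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 if the version lies in the affected range 4.87..4.91, 1 otherwise.
# Caveat: distributions usually keep the upstream version number and ship the
# fix as a backport, so a "4.91" here may already be patched; confirm with the
# package changelog before acting on this result alone.
exim_version_affected() {
    ver="$1"
    major=${ver%%.*}
    minor=${ver#*.}
    minor=${minor%%[!0-9]*}          # drop "-2", "#1" and similar suffixes
    [ "$major" = "4" ] || return 1
    [ -n "$minor" ] || return 1
    if [ "$minor" -ge 87 ] && [ "$minor" -le 91 ]; then
        return 0
    fi
    return 1
}

# Count arrival records whose recipient carries Exim's expansion opener "${".
# The public exploit puts an expansion such as ${run{...}} in the recipient
# local part; no legitimate address contains that sequence. -F keeps the
# pattern literal; "|| true" keeps a zero count from failing the script.
suspicious_recipient_lines() {
    grep -cF 'for ${' || true
}

# Constructed sample log (not real data): one benign arrival, one with an
# expansion in the recipient.
SAMPLE_LOG='2019-06-09 10:15:02 1hZxEJ-0004Ab-2Q <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtp S=1234 for bob@example.net
2019-06-09 10:16:44 1hZxFx-0004Bc-7T <= <> H=(localhost) [198.51.100.7] P=esmtp S=512 for ${run{/usr/bin/id}}@localhost'

if command -v exim >/dev/null 2>&1; then
    v=$(exim -bV 2>/dev/null | exim_version_from_bv)
    if exim_version_affected "$v"; then
        echo "exim $v is in the affected range: patch to 4.92 or verify a backport"
    else
        echo "exim $v is outside the affected range"
    fi
fi

echo "suspicious recipients in sample log: $(printf '%s\n' "$SAMPLE_LOG" | suspicious_recipient_lines)"
```

Run it as root on the VM (or point `suspicious_recipient_lines` at `/var/log/exim4/mainlog` with a pipe); a non-zero count is grounds to treat the host as compromised rather than merely unpatched, since the worm reported above gains root and persists via SSH.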
“Attackers have started probing for and experimenting with attacks against Exim systems vulnerable to CVE-2019-10149,” Satnam Narang, senior research engineer with Tenable said in an email. “Security researchers have observed active exploitation in the wild, one of which includes an attack resulting in permanent root access to vulnerable systems via SSH. It is critically important for those running Exim to upgrade to version 4.92 or apply the backported fix to vulnerable versions in order to prevent these newly discovered attacks from succeeding.”