Millions of Exim mail servers exposed to zero-day RCE attacks
Quote from Jakesu (post 38):

A critical zero-day vulnerability in all versions of Exim mail transfer agent (MTA) software can let unauthenticated attackers gain remote code execution (RCE) on Internet-exposed servers.

Found by an anonymous security researcher and disclosed through Trend Micro's Zero Day Initiative (ZDI), the security bug (CVE-2023-42115) is due to an Out-of-bounds Write weakness found in the SMTP service.

While this type of issue can lead to software crashes or corruption of data following successful exploitation, it can also be abused by attackers for code or command execution on vulnerable servers.

"The specific flaw exists within the smtp service, which listens on TCP port 25 by default," a ZDI security advisory published on Wednesday explains.

"The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of a buffer. An attacker can leverage this vulnerability to execute code in the context of the service account."

While ZDI reported the vulnerability to the Exim team in June 2022 and resent info on the flaw at the vendor's request in May 2023, the developers failed to provide an update on their patch progress.

As a result, ZDI published an advisory on September 27, with details on the CVE-2023-42115 zero-day and a full timeline of all exchanges with the Exim team.

Millions of servers exposed to attacks

MTA servers like Exim are highly vulnerable targets, primarily because they are often accessible via the Internet, serving as easy entry points for attackers into a target's network.

The National Security Agency (NSA) said three years ago, in May 2020, that the notorious Russian military hacking group Sandworm has been exploiting the critical CVE-2019-10149 (The Return of the WIZard) Exim flaw since at least August 2019.

Exim is also the default MTA on Debian Linux distros and the world's most popular MTA software, according to a mail server survey from September 2023.

According to the survey, Exim is installed on more than 56% out of a total of 602,000 mail servers reachable on the Internet, representing just over 342,000 Exim servers.

Just over 3.5 million Exim servers are currently exposed online per a Shodan search, most of them in the United States, followed by Russia and Germany.

Image: Vulnerable Exim servers (Shodan), https://www.bleepstatic.com/images/news/u/1109292/2023/Vulnerable_Exim_servers_CVE-2023-42115.jpg

While a patch is not yet available to secure vulnerable Exim servers against potential attacks, ZDI advised admins to restrict remote access from the Internet to thwart incoming exploitation attempts.

"Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application," ZDI warned.
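One concrete form of the mitigation ZDI describes, limiting who can reach the Exim SMTP listener on TCP 25 while no patch exists. This is an added nftables example, not part of the article or the Exim project; the relay addresses are constructed placeholders to be replaced with your own trusted inbound relays or MX peers.

```nftables
# Added example: host firewall restricting inbound SMTP (TCP 25) on an Exim server.
# 192.0.2.10 and 192.0.2.11 are constructed placeholders for trusted relays.

define smtp_relays = { 192.0.2.10, 192.0.2.11 }

table inet filter {
    set smtp_allow {
        type ipv4_addr
        elements = $smtp_relays
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif "lo" accept

        # Weak setting (the exposed default the article counts on Shodan):
        # any Internet host may talk to the SMTP service.
        # tcp dport 25 accept

        # Restricted setting: only allow-listed relays reach port 25; everything
        # else is logged and dropped, so probing shows up in the kernel log.
        tcp dport 25 ip saddr @smtp_allow accept
        tcp dport 25 log prefix "smtp-blocked: " drop

        # Any other port Exim's SMTP listener is bound to (e.g. submission on 587)
        # reaches the same service and should get the same set-based rule.
    }
}
```

Load with `nft -f` on a host where the set covers every peer that legitimately delivers mail to you; outbound delivery from this host is unaffected because replies match the established state rule.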