Only a few days after the vulnerability in the Exim mail transfer agent was made public, a Linux worm began exploiting it against Exim email servers. Microsoft said some Azure customers have already been affected.
Designed to receive, route and deliver email messages from local users and remote hosts, Exim runs “almost 57 percent of the Internet’s email servers,” said researchers from Cybereason, who discovered the worm. The flaw was introduced in version 4.87 and fixed in Exim 4.92, and an estimated 3.5 million servers worldwide are at risk.
The worm scans for servers running unpatched versions of Exim and infects them. Once a machine has been infected, the worm drops a cryptocurrency miner. Because the flaw lets attackers execute commands remotely on the vulnerable server, the attacker retains remote command execution for as long as the worm remains on the infected machine.
“As this vulnerability is being actively exploited by worm activity, MSRC urges customers to observe Azure security best practices and patterns and to patch or restrict network access to VMs running the affected version of Exim,” said JR Aquino, manager of Azure Incident Response at Microsoft Security Response Center (MSRC).
Linux virtual machines running Exim can be created directly through the Azure portal. While Azure “has controls in place” to restrict how servers can send outbound email, which limits the spread of this worm, the individual machines remain infected with the worm and the cryptocurrency miner. The attacker can run further remote commands and take over the VM, and the miner consumes the infected machine’s resources, slowing performance significantly.
“Customers using Azure virtual machines (VMs) are responsible for updating the operating systems running on their VMs,” Aquino said.
Azure customers running VMs with Exim 4.92 are not affected by this vulnerability, but any machines running an affected older version (4.87 through 4.91) should be updated. Azure customers should also use Network Security Groups (NSGs), rules that allow or deny network traffic to Azure Virtual Network resources, to filter or block traffic to their servers. However, if an NSG rule allows the attacker’s IP address, that attacker can still connect to the server and remotely execute commands.
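As an added example, not code from the article, from Microsoft's advisory or from the Exim project, the POSIX shell snippet below classifies an Exim version string against the affected range the article gives (introduced in 4.87, fixed in 4.92), so an Azure customer can triage a fleet from the output of `exim -bV` on each VM. The sample `exim -bV` output is constructed here, in the format that command is assumed to print ("Exim version X.YY #N built ..."); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the article, Microsoft's advisory or the Exim
# project. Classifies an Exim version against the affected range the article
# gives: introduced in 4.87, fixed in 4.92, i.e. 4.87 <= version < 4.92.

# Constructed sample of what `exim -bV` prints on a VM (assumed format:
# first line "Exim version X.YY #N built ...", then build details).
SAMPLE_BV='Exim version 4.89 #1 built 14-Jun-2017 05:03:07
Copyright (c) University of Cambridge, 1995 - 2017
Support for: crypteq iconv() IPv6 OpenSSL'

# exim_version_from_bv OUTPUT: print the "X.YY[.Z]" token from `exim -bV`
# text, or nothing if no "Exim version" line is present.
exim_version_from_bv() {
    printf '%s\n' "$1" \
        | sed -n 's/^Exim version \([0-9][0-9.]*[0-9]\).*/\1/p' \
        | head -n 1
}

# exim_vulnerable VERSION: return 0 if VERSION falls in [4.87, 4.92),
# 1 if it does not, 2 if the string cannot be parsed as a version.
exim_vulnerable() {
    ver=$1
    case $ver in
        [0-9]*.[0-9]*) ;;
        *) return 2 ;;
    esac
    major=${ver%%.*}
    case $major in *[!0-9]*) return 2 ;; esac
    rest=${ver#*.}
    minor=${rest%%[!0-9]*}     # drop ".1", "_1", "-RC2" style suffixes
    [ -n "$minor" ] || return 2
    [ "$major" -eq 4 ] || return 1
    [ "$minor" -ge 87 ] && [ "$minor" -lt 92 ]
}

# exim_status_from_bv OUTPUT: print one of vulnerable / not-vulnerable / unknown
# for the captured `exim -bV` output of a host.
exim_status_from_bv() {
    v=$(exim_version_from_bv "$1")
    [ -n "$v" ] || { echo unknown; return 0; }
    # "&& rc=0 || rc=$?" keeps a non-zero return from aborting under set -e.
    exim_vulnerable "$v" && rc=0 || rc=$?
    case $rc in
        0) echo vulnerable ;;
        1) echo not-vulnerable ;;
        *) echo unknown ;;
    esac
}

# Stand-alone usage: classify the constructed sample, then a few raw versions
# (exit code 0 = affected, 1 = not affected, 2 = unparseable).
printf 'sample host: %s\n' "$(exim_status_from_bv "$SAMPLE_BV")"
for v in 4.86.2 4.87 4.90_1 4.91 4.92 4.92.1; do
    exim_vulnerable "$v" && rc=0 || rc=$?
    printf '%s -> %s\n' "$v" "$rc"
done
```

A version-number check cannot see fixes that a distribution has backported into an older version string, so a host reported as vulnerable by this script should be confirmed against the package changelog before it is declared unpatched; conversely, a VM that is already infected should be wiped and rebuilt rather than trusted on the strength of a version check after the fact.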
Infected Azure systems should be wiped and rebuilt from scratch.
This story was updated with information from Microsoft’s Azure advisory.