eSentire White Logo

Security advisories | Jun 19, 2019

CVE-2019-10149 Exploited in the Wild

Linux Exim mail servers version 4.87 – 4.91 (inclusive) is at risk of exploitation via CVE-2019-10149 [1]. This vulnerability is currently being exploited by threat actors in the wild [2]. Successful exploitation of CVE-2019-10149 allows remote, unauthenticated threat actors to perform remote code execution on vulnerable systems. Attacks in the wild include a wormable exploit, which after successful exploitation may spread to additional vulnerable EXIMservers.

There is a high confidence rating that vulnerable Linux EXIM mail servers will be affected by this exploit. Organizations need to apply the official security patch as soon as possible to avoid potential compromise.

eSentire has not observed attacks against client companies at this time.

What we’re doing about it

  • Rules in esNETWORK detect this threat
  • IP addresses associated known campaigns have been added to the eSentire Global Blacklist
  • MVS (formerly esRECON) plugins identify this vulnerability

What you should do about it

  • Patch vulnerable versions of EXIM to version 4.92 or higher
  • Examine EXIMlogs and cron jobs for unusual activity
  • Examine local RSA authentication keys for unauthorized keys (on the target system)
  • Examine Security logs on the impacted EXIMserver for unknown IP addresses connecting via ssh

Additional information

CVE-2019-10149 was weaponized by threat actors rapidly; the vulnerability was announced publicly on June 3rd and exploited by June 9th. The fast adoption rate isdue to both the wide availability of vulnerable servers and the potential,high value of remote command execution. Based on Shodan scans, there are approximately 3,134,631 vulnerable servers exposed to the web at the time of writing.

Current externally observed campaigns leveraging this vulnerability have been identified as crypto-mining campaigns, but remote code execution could be used to necessitate further compromise of any impacted system.