Security News > 2020 > June > Several Exim Vulnerabilities Exploited in Russia-Linked Attacks
Several vulnerabilities affecting the Exim mail transfer agent have been exploited by Russia-linked hackers, and administrators have been urged to patch immediately, but hundreds of thousands of servers remain unpatched.
The U.S. National Security Agency issued an alert last week to urge users to update their Exim servers to version 4.93 or newer, as earlier versions are impacted by vulnerabilities that have been exploited by a hacker group with ties to the Russian military.
Threat intelligence company RiskIQ says there are two other Exim vulnerabilities that have been exploited in the same campaign: CVE-2019-15846, a remote code execution vulnerability patched in September 2019 that impacts version 4.92.1 and earlier, and CVE-2019-16928, a DoS and code execution vulnerability affecting versions 4.92 through 4.92.2.
While a majority are running Exim 4.92, which patches CVE-2019-10149, the other two vulnerabilities still expose servers to attacks, which is likely why the NSA has advised users to update to version 4.93.
The threat group exploiting these vulnerabilities is tracked as Sandworm and TeleBots, and it has been linked to Russia's General Staff Main Intelligence Directorate.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2019-09-27 | CVE-2019-16928 | Out-of-bounds Write vulnerability in multiple products. Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. | 9.8 |
2019-09-06 | CVE-2019-15846 | Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash. | 9.8 |
2019-06-05 | CVE-2019-10149 | OS Command Injection vulnerability in multiple products. A flaw was found in Exim versions 4.87 to 4.91 (inclusive). | 9.8 |
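
An added example, not part of the original article: a Python check that maps an Exim version string (from `exim -bV` output or an SMTP greeting) to the three CVEs whose affected ranges are stated on this page, and flags anything below the 4.93 release the NSA advises. Host names, banners and function names are constructed for illustration.

```python
import re

# Affected ranges exactly as stated on this page; versions are (major, minor, patch).
RULES = [
    ("CVE-2019-10149", lambda v: (4, 87) <= v[:2] <= (4, 91)),    # 4.87 to 4.91 inclusive
    ("CVE-2019-15846", lambda v: v < (4, 92, 2)),                 # before 4.92.2
    ("CVE-2019-16928", lambda v: (4, 92, 0) <= v <= (4, 92, 2)),  # 4.92 through 4.92.2
]
NSA_MINIMUM = (4, 93, 0)  # "update to version 4.93 or newer"

# Matches both `exim -bV` output ("Exim version 4.92.1 #3 ...") and an
# SMTP greeting ("220 host ESMTP Exim 4.92 ...").
VERSION_RE = re.compile(r"\bExim(?: version)? (\d+)\.(\d+)(?:\.(\d+))?")

def parse_exim_version(text):
    """Return (major, minor, patch), or None if no Exim version is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def applicable_cves(version):
    """CVE ids from this page whose stated range contains `version`."""
    return [cve for cve, affected in RULES if affected(version)]

def audit(inventory):
    """Map host -> (version, matching CVEs, meets the 4.93 minimum)."""
    report = {}
    for host, banner in inventory:
        version = parse_exim_version(banner)
        if version is None:
            report[host] = (None, [], False)  # unknown: needs a manual check
        else:
            report[host] = (version, applicable_cves(version), version >= NSA_MINIMUM)
    return report

# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE = [
    ("mx1.example.test", "Exim version 4.91 #1 built 01-Jan-2019 00:00:00"),
    ("mx2.example.test", "220 mx2.example.test ESMTP Exim 4.92 Tue, 02 Jun 2020 10:00:00 +0000"),
    ("mx3.example.test", "Exim version 4.92.2 #2 built 10-Sep-2019 00:00:00"),
    ("mx4.example.test", "Exim version 4.93 #2 built 09-Dec-2019 00:00:00"),
    ("mx5.example.test", "220 mx5.example.test ESMTP Postfix"),
]

if __name__ == "__main__":
    for host, (version, cves, ok) in audit(SAMPLE).items():
        label = ".".join(map(str, version)) if version else "unknown"
        print(f"{host}: {label} cves={cves or 'none listed'} meets_4.93={ok}")
```

Distribution packages often backport fixes without changing the upstream version number, so treat a match as a candidate to confirm against the package changelog.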