Security researchers says there is an ongoing attack campaign involving an exploit of the Exim mail transport agent (MTA). Bad actors are leveraging the flaw to run remote execution command attacks on Linux systems. Over 3.5 million servers are reportedly at risk from the wormable exploit. Exim is the most popular mail server, running 57 percent of all the internet’s email servers. The vulnerability results from incorrect validation of receiving email addresses within Exim. Discovered on June 5, vulnerability CVE-2019-10149 has been given a critical severity score of 9.8 of 10 on the CVSS v3 scale. Before the weekend, Microsoft responded to the problem and confirmed its Azure platform had also been affected. However, the company says its cloud service “has controls in place to help limit the spread of this worm,”.
Warning
Still, the company is covering its bases and has warned customers that the worm does function individually even if it cannot be spread. In other words, a compromised machine will be infected with a cryptocurrency miner (the payload of the attack) but will not spread the worm to other Azure machines. “As this vulnerability is being actively exploited by worm activity, MSRC (Microsoft Security Response Center) urges customers to observe Azure security best practices and patterns and to patch or restrict network access to VMs running the affected versions of Exim,” said JR Aquino, Manager of Azure Incident Response. Microsoft says customers can ensure they remains unaffected by the worm by simply updating Exim installations. Version 4.92 of the server is up-to-date and patched against the worm. All versions from 4.87 to 4.91 are at risk.