Greater than 1.5 million e-mail servers are weak to assaults that may ship executable attachments to person accounts, safety researchers mentioned.
The servers run variations of the Exim mail switch agent which might be weak to a essential vulnerability that came to light 10 days in the past. Tracked as CVE-2024-39929 and carrying a severity score of 9.1 out of 10, the vulnerability makes it trivial for menace actors to bypass protections that usually forestall the sending of attachments that set up apps or execute code. Such protections are a primary line of protection in opposition to malicious emails designed to put in malware on end-user units.
A severe safety problem
“I can verify this bug,” Exim venture staff member Heiko Schlittermann wrote on a bug-tracking web site. “It seems like a severe safety problem to me.”
Researchers at safety agency Censys said Wednesday that of the greater than 6.5 million public-facing SMTP e-mail servers showing in Web scans, 4.8 million of them (roughly 74 p.c) run Exim. Greater than 1.5 million of the Exim servers, or roughly 31 p.c, are working a weak model of the open-source mail app.
Whereas there aren’t any identified stories of energetic exploitation of the vulnerability, it wouldn’t be shocking to see energetic focusing on, given the benefit of assaults and the massive variety of weak servers. In 2020, one of many world’s most formidable hacking teams—the Kremlin-backed Sandworm—exploited a extreme Exim vulnerability tracked as CVE-2019-10149, which allowed them to ship emails that executed malicious code that ran with unfettered root system rights. The assaults started in August 2019, two months after the vulnerability came to light. They continued by at the very least Might 2020.
CVE-2024-39929 stems from an error in the way in which Exim parses multiline headers as laid out in RFC 2231. Risk actors can exploit it to bypass extension blocking and ship executable attachments in emails despatched to finish customers. The vulnerability exists in all Exim variations as much as and together with 4.97.1. A repair is obtainable within the Release Candidate 3 of Exim 4.98.
Given the requirement that finish customers should click on on an connected executable for the assault to work, this Exim vulnerability isn’t as severe because the one which was exploited beginning in 2019. That mentioned, social engineering individuals stays among the many only assault strategies. Admins ought to assign a excessive precedence to updating to the newest model.
