Exim vulnerability affecting 1.5M servers lets attackers attach malicious files


More than 1.5 million email servers are vulnerable to attacks that can deliver executable attachments to user accounts, security researchers said.

The servers run versions of the Exim mail transfer agent that are susceptible to a critical vulnerability that came to light 10 days ago. Tracked as CVE-2024-39929 and carrying a severity rating of 9.1 out of 10, the vulnerability makes it trivial for threat actors to bypass protections that normally prevent the delivery of attachments that install apps or execute code. Such protections are a first line of defense against malicious emails designed to install malware on end-user devices.

A critical security issue

“I can confirm this bug,” Exim project team member Heiko Schlittermann wrote on a bug-tracking site. “It looks like a serious security issue to me.”

Researchers at security firm Censys said Wednesday that of the more than 6.5 million public-facing SMTP email servers appearing in Internet scans, 4.8 million of them (roughly 74 percent) run Exim. More than 1.5 million of the Exim servers, or roughly 31 percent, are running a vulnerable version of the open source mail app.

While there are no known reports of active exploitation of the vulnerability, it wouldn't be surprising to see active targeting, given the ease of attacks and the large number of vulnerable servers. In 2020, one of the world's most formidable hacking groups, the Kremlin-backed Sandworm, exploited a severe Exim vulnerability tracked as CVE-2019-10149, which allowed them to send emails that executed malicious code with unfettered root system rights. The attacks began in August 2019, two months after the vulnerability came to light. They continued through at least May 2020.

CVE-2024-39929 stems from an error in the way Exim parses multiline headers as specified in RFC 2231. Threat actors can exploit it to bypass extension blocking and deliver executable attachments in emails sent to end users. The vulnerability exists in all Exim versions up to and including 4.97.1. A fix is available in Release Candidate 3 of Exim 4.98.

Given the requirement that end users must click on an attached executable for the attack to work, this Exim vulnerability isn't as serious as the one that was exploited beginning in 2019. That said, social engineering remains among the most effective attack methods. Admins should assign a high priority to updating to the latest version.
