CentrioHost Blog

Stories and News from IT Industry, Reviews & Tips | Technology Blog


NEW EXIM VULNERABILITY AFFECTING MILLIONS – HOW TO PROTECT YOURSELF

Vulnerabilities are discovered very often in various computer programs, and most of them are quickly patched by developers. Typical vulnerabilities disappear almost un-noticed, since they are fixed by routine update schedules.

In fact, most vulnerabilities are never exploited, since they are discovered by security professionals rather than hackers, or are very difficult to execute.

However, some exploits can be extremely dangerous because they target common software found on many servers or workstations, and scripts are available online that allow even a user with little experience to compromise other systems. These require immediate action from system administrators and must be patched as soon as possible.

EXIM CVE-10149

The latest serious threat of this type is a vulnerability of the popular Linux mail server Exim, known as CVE-2019-10149.

It was discovered by Qualys and affects all versions of Exim from 4.87 to 4.91. A bug in the deliver_message() function in the file /src/deliver.c causes recipient address validation to be faulty. As a result, a single malicious email sent to the server is enough to allow remote command execution, as the root user.

Depending on the actual Exim configuration, some servers can be more resilient and require some manual work for a successful hack.

It is very easy to find out if your system is vulnerable by executing the following command on Red Hat systems:

The equivalent in Debian family operating systems will generate more verbose output:

In addition, a vulnerable Exim package will be identified by any up-to-date security scan and considered to be a high threat alert.

EFFECTS

Unlike other hacks that usually only install crypto-currency miners that are easy to remove, the Exim exploit severely compromises the infected systems and can only be cleaned by an experienced system administrator.

It is easy to check if your server has been hacked, just look for any suspicious cron jobs. Removing the cron is not enough, since it will be installed again and is actually triggered from multiple locations, such as the rc.local file.

Other symptoms are the status of services such as FTP, which are often killed by the malware script.

In addition, the hack alters a number of system service files, as well as key binaries. In some cases, the only option is a restoration from backup or complete system reinstall.

PATCHING WHM SERVERS

The developers of WHM and cPanel were very quick to release a patched version of Exim for the newest WHM version.

After a few days, they also released patches for several older versions of WHM, in order to reduce the number of vulnerable servers. As a result, all WHM systems can be updated, stating with version 70.

Installing the patches is very easy. Most servers are configured to check for updates automatically every night, so there is a high chance that your system has already been patched and is fully protected.

Automatic updates can be configured from the Update Preferences menu of WHM. If you prefer to update your server manually, a yellow notification in the upper-right corner of the screen will alert you that a newer version is available.

Regardless if you choose automatic or manual updates, it is a good practice to check the Exim version afterwards, to make sure that it was patched.

This is because WHM updates can sometimes be blocked or fail due to various causes, such as insufficient disk space of incompatible services. However, the upgrade appears to be completed and you can only discover that new packages were not actually installed by inspecting the log files.

OLDER WHM SYSTEMS

No patches are available for WHM servers older than version 70 but some systems are not affected by the Exim hack, simply because the package is so old that is not vulnerable.

If your server runs a version that can be exploited, you have to plan an upgrade as soon as possible because it will be eventually hacked.

The easiest way to upgrade is to provision a new server, with the latest CentOS and WHM. You can use the excellent Transfer Tool to migrate all domains from the old machine to the new one. If you must use obsolete services, such as php 5.3 or older, installing Cloud Linux is the best option.

SERVERS WITHOUT WHM

Almost all Linux distributions will provide patched versions of Exim, so use your package manager to update from the command line.

These are the commands that have to be executed, on RedHat and Debian family operating systems:

 

 

The Exim vulnerability known as CVE-2019-10149 can result in a very serious hack on servers that are not patched in time, resulting in downtimes, loss of data or even the need of a full reinstall.

In order to protect your systems from future exploits, make sure you have a robust update schedule, so your servers are always running the latest packages.

Subscribe Now

10,000 successful online businessmen like to have our content directly delivered to their inbox. Subscribe to our newsletter!

Archive Calendar

SatSunMonTueWedThuFri
 1
2345678
9101112131415
16171819202122
23242526272829
3031 

Over 20000 Satisfied Customers!

  • web hosting reviewer
    Valerie Quinn
    CTO, Acteon Group

    Centriohost staff were fantastic, I had a concern with a domain and they got back to me very quickly and they helped me to resolve the issue! ~ . . . Read more

  • Joomla hosting reviewer
    Collin Bryan
    Photographer, Allister Freeman

    I'm using centrio for my portfolio since 2006. The transition was seamless, the support was immediate, and everything works perfectly. ~ . . . Read more

  • dedicated server reviewer
    Harry Collett
    Actor, A&J Artists

    Very easy to understand & use even though I am not very technologically minded. No complications whatsoever & I wouldn't hesitate to recommend it to all. ~ . . . Read more

  • vps web hosting reviewer
    Porfirio Santos
    Technician, Diageo PLC

    Centrio support team have been amazingly responsive and helpful to any of my queries, thank you so much to the Centriohost have been amazingly responsive and helpful to any of my queries 👍👍👍 ~ . . . Read more

  • wordpress hosting plans reviewer
    Catherine Auer
    Doctor, SmartClinics

    Anytime I've had a problem I can't solve, I've found Centriohost to be diligent and persistent. They simply won't let an issue go until the client is happy. ~ . . . Read more

  • reseller hosting reviewer
    Effectivo Social
    Freelancer, Fiverr

    Recommend their shared hosting for all my SME web design clients. Their cloud or VME offerings are too great to deal with. Pricing is perfect and suitable for all users (͠≖ ͜ʖ͠≖) 👌 ~ . . . Read more

Top