Windows 10 News and info | Forum
May 30, 2020, Loading... *
Welcome, Guest. Please login or register.

Login with username, password and session length
News: This is a clean Ad-free Forum and protected by StopForumSpam, Project Honeypot, Botscout and AbuseIPDB | This forum does not use audio ads, popups, or other annoyances. New member registration currently disabled.
  Website   Home   Windows 8 Website GDPR Help Login Register  
By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy.
Pages: [1]
Share this topic on Del.icio.usShare this topic on DiggShare this topic on FacebookShare this topic on GoogleShare this topic on MySpaceShare this topic on RedditShare this topic on StumbleUponShare this topic on TechnoratiShare this topic on TwitterShare this topic on YahooShare this topic on Google buzz
Author Topic: Microsoft Warns about Worm Attacking Exim Servers on Azure  (Read 168 times)
Hero Member
Online Online

Gender: Male
United States United States

Posts: 31434

I Do Windows

WWW Email
« on: June 17, 2019, 11:12:35 AM »

Microsoft issued a warning over the weekend about an active Linux worm that is targeting a recently disclosed Linux Exim mail server vulnerability. Though existing mitigations exist to block the worm functionality of this infection, Microsoft states that Azure servers can still be infected or hacked through this vulnerability.

Exim is a very popular mail server software, or message transfer agent (MTA), that is used to send and receive an email for its users. Recently, the CVE-2019-10149 vulnerability was discovered in Exim 4.87 to 4.91 that allows attackers to remotely execute commands on a vulnerable server.

Last week, Amit Serper of CyberReason discovered an active worm utilizing this vulnerability to infect Linux servers running Exim with cryptocurrency miners. The worm would then utilize the infected server to search for other vulnerable hosts to infect.

In an article posted Saturday, the Microsoft Security Response Center (MSRC) confirms that they have detected this worm targeting Azure customers.

"This week, MSRC confirmed the presence of an active Linux worm leveraging a critical Remote Code Execution (RCE) vulnerability, CVE-2019-10149, in Linux Exim email servers running Exim version 4.87 to 4.91," stated a blog post by  JR Aquino, a Microsoft manager in Azure Incident Response. "Azure customers running VMs with Exim 4.92 are not affected by this vulnerability. "

Exim update timeline from RiskIQ

Mitigations exist that block worm functionality

In order to stop spam being sent through Azure servers, Microsoft created new restrictions on how servers can send an outbound email. These restrictions have also provided mitigation towards the worm capabilities of this infection.

Microsoft warns, though, that even though the worm functionality is being mitigated, it does not mean that vulnerable Azure server is protected from the remote code execution vulnerability and could still be infected or hacked.

"Azure has controls in place to help limit the spread of this worm from work we’ve already done to combat SPAM, but customers using the vulnerable software would still be susceptible to infection," stated Aquino.

Microsoft suggests that Azure customers utilize Network Security Groups (NSGs) to filter or block traffic to their servers. Aquino warns, though, that if the NSG contains a list of IP addresses that are permitted to access the server, these IP addresses could still be used to remotely execute commands on a vulnerable server.

Due to this, Microsoft strongly recommends all Azure users upgrade installed Exim mail servers to version 4.92, which contains a patch that fixes this flaw.

This is the second weekend in a row that Microsoft has issued a warning about known malware threats. The previous warning was about a spam campaign using the Microsoft Office and Wordpad CVE-2017-11882 vulnerability, which was fixed in 2017.


Pages: [1]
Jump to:  

Powered by SMF 1.1.21 | SMF © 2017, Simple Machines

Google visited last this page May 18, 2020, 12:13:45 PM