Author Topic: Microsoft Warns about Worm Attacking Exim Servers on Azure

Posted by javajolt (Administrator, windows10newsinfo.com)
« on: June 17, 2019, 11:12:35 AM »
Microsoft issued a warning over the weekend about an active Linux worm that is targeting a recently disclosed Linux Exim mail server vulnerability. Though existing mitigations exist to block the worm functionality of this infection, Microsoft states that Azure servers can still be infected or hacked through this vulnerability.

Exim is a very popular mail server software, or message transfer agent (MTA), that is used to send and receive email for its users. Recently, the CVE-2019-10149 vulnerability was discovered in Exim 4.87 to 4.91 that allows attackers to remotely execute commands on a vulnerable server.

Last week, Amit Serper of CyberReason discovered an active worm utilizing this vulnerability to infect Linux servers running Exim with cryptocurrency miners. The worm would then utilize the infected server to search for other vulnerable hosts to infect.

In an article posted Saturday, the Microsoft Security Response Center (MSRC) confirms that they have detected this worm targeting Azure customers.

"This week, MSRC confirmed the presence of an active Linux worm leveraging a critical Remote Code Execution (RCE) vulnerability, CVE-2019-10149, in Linux Exim email servers running Exim version 4.87 to 4.91," stated a blog post by JR Aquino, a Microsoft manager in Azure Incident Response. "Azure customers running VMs with Exim 4.92 are not affected by this vulnerability."

(Figure: Exim update timeline from RiskIQ)

Mitigations exist that block worm functionality

In order to stop spam being sent through Azure servers, Microsoft created new restrictions on how servers can send outbound email. These restrictions have also provided mitigation against the worm capabilities of this infection.

Microsoft warns, though, that even though the worm functionality is being mitigated, this does not mean that a vulnerable Azure server is protected from the remote code execution vulnerability; it could still be infected or hacked.

"Azure has controls in place to help limit the spread of this worm from work we’ve already done to combat SPAM, but customers using the vulnerable software would still be susceptible to infection," stated Aquino.

Microsoft suggests that Azure customers utilize Network Security Groups (NSGs) to filter or block traffic to their servers. Aquino warns, though, that if the NSG contains a list of IP addresses that are permitted to access the server, these IP addresses could still be used to remotely execute commands on a vulnerable server.

Due to this, Microsoft strongly recommends all Azure users upgrade installed Exim mail servers to version 4.92, which contains a patch that fixes this flaw.
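A quick way for an administrator to triage a fleet before upgrading is to classify each host's Exim version against the affected range the article gives (4.87 to 4.91). The following POSIX shell script is an added example written for this post; it is not code from Microsoft, Exim or the article. It assumes that `exim -bV` prints a first line of the form `Exim version 4.91 ...` (the sample line below is constructed) and treats 4.92 as the fixed release, as the article states.

```shell
#!/bin/sh
# Added example, not from the article: decide whether an Exim version string
# falls inside the CVE-2019-10149 range (4.87 to 4.91 per the article).
# Returns 0 = in range, 1 = outside range, 2 = version string not parseable.
exim_vulnerable() {
    ver="$1"
    major=${ver%%.*}            # text before the first dot
    rest=${ver#*.}              # text after the first dot
    minor=${rest%%.*}           # second component, possibly with a suffix
    # Drop anything after the digits, e.g. "89-RC2" -> "89" (assumed suffix style)
    minor=$(printf '%s' "$minor" | sed 's/[^0-9].*//')
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -eq 4 ] && [ "$minor" -ge 87 ] && [ "$minor" -le 91 ]
}

# Extract the version number from `exim -bV` output on stdin.
# The "Exim version X.Y" line format is an assumption of this example.
exim_version_from_bv() {
    sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Human-readable classification used for reporting across a fleet.
exim_status() {
    exim_vulnerable "$1" && rc=0 || rc=$?
    case "$rc" in
        0) echo "vulnerable" ;;       # in 4.87-4.91: upgrade to 4.92
        1) echo "not-vulnerable" ;;
        *) echo "unparseable" ;;
    esac
}

# Stand-alone demonstration with a constructed `exim -bV` line.
# On a real host you would run:  exim -bV | exim_version_from_bv
sample_bv='Exim version 4.91 #1 built 20-Jun-2019 (constructed sample)'
v=$(printf '%s\n' "$sample_bv" | exim_version_from_bv)
printf 'Exim %s: %s\n' "$v" "$(exim_status "$v")"
```

Run the version extraction against the real `exim -bV` output on each host and feed the result to `exim_status`; anything reported as `vulnerable` or `unparseable` deserves a manual look, since the article's point is that NSG allow-lists do not remove the exposure, only upgrading to 4.92 does.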

This is the second weekend in a row that Microsoft has issued a warning about known malware threats. The previous warning was about a spam campaign using the Microsoft Office and WordPad CVE-2017-11882 vulnerability, which was fixed in 2017.

source