Greater than 1.5 million electronic mail servers are susceptible to assaults that may ship executable attachments to person accounts, safety researchers stated.
The servers run variations of the Exim mail switch agent which are susceptible to a essential vulnerability that got here to mild 10 days in the past. Tracked as CVE-2024-39929 and carrying a severity ranking of 9.1 out of 10, the vulnerability makes it trivial for risk actors to bypass protections that usually forestall the sending of attachments that set up apps or execute code. Such protections are a primary line of protection towards malicious emails designed to put in malware on end-user gadgets.
A severe safety challenge
“I can verify this bug,” Exim venture staff member Heiko Schlittermann wrote on a bug-tracking website. “It seems to be like a severe safety challenge to me.”
Researchers at safety agency Censys stated Wednesday that of the greater than 6.5 million public-facing SMTP electronic mail servers showing in Web scans, 4.8 million of them (roughly 74 p.c) run Exim. Greater than 1.5 million of the Exim servers, or roughly 31 p.c, are working a susceptible model of the open-source mail app.
Whereas there are not any identified reviews of lively exploitation of the vulnerability, it wouldn’t be stunning to see lively concentrating on, given the convenience of assaults and the big variety of susceptible servers. In 2020, one of many world’s most formidable hacking teams—the Kremlin-backed Sandworm—exploited a extreme Exim vulnerability tracked as CVE-2019-10149, which allowed them to ship emails that executed malicious code that ran with unfettered root system rights. The assaults started in August 2019, two months after the vulnerability got here to mild. They continued by at the least Could 2020.
CVE-2024-39929 stems from an error in the way in which Exim parses multiline headers as laid out in RFC 2231. Risk actors can exploit it to bypass extension blocking and ship executable attachments in emails despatched to finish customers. The vulnerability exists in all Exim variations as much as and together with 4.97.1. A repair is obtainable within the Launch Candidate 3 of Exim 4.98.
Given the requirement that finish customers should click on on an hooked up executable for the assault to work, this Exim vulnerability isn’t as severe because the one which was exploited beginning in 2019. That stated, social engineering individuals stays among the many only assault strategies. Admins ought to assign a excessive precedence to updating to the newest model.