One Article Review

Home - The article:
Source AlienVault Blog
Identifier 1181421
Publication date 2019-07-01 13:00:00 (viewed: 2019-07-01 16:00:49)
Title Linux Servers Under Worm Attack Via Exim Flaw | AT&T ThreatTraq
Text Every week the AT&T Chief Security Office produces a series called ThreatTraq with helpful information and news commentary for InfoSec practitioners and researchers. I really enjoy them; you can subscribe to the YouTube channel to stay updated. This is a transcript of a recent feature on ThreatTraq. The video features Michael Stair, Lead Member of Technical Staff, AT&T, Matt Keyser, Principal Member of Technical Staff, and Manny Ortiz, Director Technology Security, AT&T.

Michael: A flaw in Exim is leaving millions of Linux servers vulnerable.

Matt: Hey, Mike. I heard there was a pretty serious flaw affecting Exim email servers. What can you tell us about it?

Michael: Yes, attackers are exploiting a pretty critical flaw in the popular Linux Exim mail transport agent, MTA, allowing for remote command execution. Exim is an SMTP mail relay. It's pretty popular, and runs a large percentage of internet mail servers. It's the default MTA on some Linux systems. From a recent Shodan scan, it could affect up to three-and-a-half million vulnerable servers. The bug itself was tracked down to improper validation in some of the recipient addresses. One of the functions was given a 9.8 out of 10 on the CVSS v3 scale. It affects versions 4.87 to 4.98, but I think the latest version 4.92 is unaffected.

Matt: So it's a big bug. And it is a remote code execution (RCE) bug, which is one of the most critical types you could possibly have.

Michael: They do have patches out. They're porting patches to all versions, back to 4.87, if you're using an older version. So just make sure you're patching and making sure you're up to date with the most recent version, because it's a pretty serious issue.

Matt: It sounds like it's something where you could just address the email to somebody and you just drop an exploit in there and it's remote code execution?

Michael: Yeah, it seems like it's pretty simple to exploit. And there's actually a worm that's exploiting this and finding new systems.

Matt: Wow.

Manny: From what I understand, you can actually put a command that eventually the server will run, but from what I understand, the server may take seven days before it actually activates the exploit. It appears there's some sort of timeout that happens after seven days when the email is determined to have an invalid mail address, and then the server runs the actual command.

Michael: Right.

Matt: But that means I could hand-type the exploit code. Is that roughly correct, or is it something you'd have to craft, or a little more difficult to do?

Manny: Right. The example I saw was just a simple command where it went and did a get to an actual external IP address.

Matt: So you're getting a shell.

Manny: Yes. Or you can have the box basically go run some code offline or off net, so it basically gives you an open command line to run whatever you want on the box.

Matt: So it's totally possible that your box has been exploited and you won't know for seven days?

Manny: Exactly.

Michael: Exactly.

Matt: That's a scary thought, right?

Manny: The sky is the limit when it comes to a bad actor that wants to take advantage of this vulnerability. They can come up with anything they want to. If they want to mine cryptocurrency, they can. If they want to set the server up to do DDoS attacks, they can. I think, Mike, you said that there is a patch f
Sent Yes
Tags Patching Guideline
The article does not seem to have been picked up after its publication.

The article does not seem to have been picked up from a previous one.