NSA Advisory Sandworm Actors Exploiting EXIM MTA Vulnerability (CVE-2019-10149)

Description

Earlier in the week, the United States National Security Agency (NSA) issued an alert highlighting active exploitation of the Exim MTA vulnerability CVE-2019-10149. According to the NSA, the in-the-wild attacks exploiting this vulnerability appear to be linked to a group dubbed "Sandworm", which is attributed to Russia. According to the advisory, an unauthenticated remote attacker can use this vulnerability, by sending a specially crafted email, to execute commands with root privileges, allowing the attacker to install programs, modify data, and create new accounts.


What are the specifics of the alert?

The alert is broad in scope and informational in nature, designed to emphasize that nation-state actors are actively exploiting this flaw even though it was disclosed almost a year ago.


CVE-2019-10149, disclosed by Qualys on June 5, 2019, is a vulnerability that can lead to remote command execution/injection on an affected server. The vulnerability exists in the Exim mail transfer agent (MTA), versions 4.87 to 4.91. To exploit a system, an attacker sends the targeted server a specially crafted malicious email which, when processed by the server, gives the attacker root access to the machine.


What operating systems are affected?

All Linux systems running Exim 4.87 to 4.91 are affected.

Exim 4.92 and later, up to the current release (4.94), are unaffected.
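As an added example, not part of the original advisory, the following Python helper turns the affected-version range above into a triage check: it parses the banner Exim prints with `exim -bV`, compares the major.minor version against the 4.87 to 4.91 range stated here, and returns a verdict an administrator can act on. The sample banners embedded in the block are constructed for illustration, and the fallback to the `exim4` binary name is an assumption about Debian-style packaging.

```python
"""Version triage for CVE-2019-10149 (added example, not from the advisory).

Parses the version banner printed by `exim -bV` and reports whether the
installed Exim falls inside the advisory's affected range, 4.87 to 4.91.
"""
import re
import subprocess
from typing import Optional, Tuple

# Range taken from the advisory: 4.87 through 4.91 affected, 4.92+ fixed.
AFFECTED_MIN = (4, 87)
AFFECTED_MAX = (4, 91)

# Prefer the explicit "Exim version X.Y" form; fall back to any X.Y token so
# that package strings such as "exim4 4.89-2" are still recognised.
_BANNER_RE = re.compile(r"Exim version\s+(\d+)\.(\d+)")
_BARE_RE = re.compile(r"\b(\d+)\.(\d+)\b")


def parse_exim_version(banner: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from an Exim version banner, or None if absent."""
    m = _BANNER_RE.search(banner) or _BARE_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_affected(version: Tuple[int, int]) -> bool:
    """True when major.minor lies within the advisory's affected range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def triage(banner: str) -> str:
    """Return a one-line verdict for a version banner string."""
    version = parse_exim_version(banner)
    if version is None:
        return "UNKNOWN: could not parse an Exim version from the banner"
    label = "%d.%d" % version
    if is_affected(version):
        return f"AFFECTED: Exim {label} is within 4.87-4.91; upgrade (4.94 is current)"
    if version > AFFECTED_MAX:
        return f"NOT AFFECTED: Exim {label} is 4.92 or later"
    # Older than 4.87: not in the advisory's stated range; confirm with the vendor.
    return f"OUTSIDE STATED RANGE: Exim {label} predates 4.87; confirm with your vendor"


def local_exim_banner() -> Optional[str]:
    """Run the local Exim binary with -bV and return its banner, or None.

    The `exim4` name is an assumption about Debian-style packaging.
    """
    for binary in ("exim", "exim4"):
        try:
            proc = subprocess.run([binary, "-bV"], capture_output=True,
                                  text=True, check=False)
        except FileNotFoundError:
            continue
        if proc.returncode == 0 and proc.stdout:
            return proc.stdout
    return None


# Constructed sample banners in the shape `exim -bV` prints (not real hosts).
SAMPLE_BANNERS = [
    "Exim version 4.91 #1 built 04-Jun-2019 10:26:40",
    "Exim version 4.94 #2 built 01-Jun-2020 09:00:00",
    "exim4 4.89-2 (package string from a constructed inventory export)",
]

if __name__ == "__main__":
    banner = local_exim_banner()
    if banner:
        print("local host:", triage(banner))
    for sample in SAMPLE_BANNERS:
        print(triage(sample))
```

Run it on a mail host to triage the local install, or feed it version strings exported from a package inventory; anything reported as AFFECTED should be scheduled for the upgrade described below.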


What is the status of AV and IPS coverage?

Fortinet customers have been protected against exploitation of CVE-2019-10149 by the IPS signature Exim.deliver_message.Command.Injection since July 4, 2019 (IPS Definitions 14.643).

AV coverage is not feasible at this time. All known network IOCs are blocked by the Web Filtering client.


Have there been any patches or updates from vendors affected?

Exim.org has already pushed updates to various Linux distribution repositories as of June 5, 2019 to address this issue. If feasible, it is recommended that organizations running affected software update to the latest version (4.94).


What else is possibly affected?

Cloud services, hypervisors (VMware, VirtualBox, etc.), and standalone enterprise systems running Linux with affected versions of Exim are vulnerable to this latest disclosure.


How serious is this threat?

Based on CVSS scores, this threat has an overall base score of CRITICAL (9.8), owing to the trivial factors required for exploitability. However, because of the number of variables that must be present for exploitation to occur, the CVSS Exploitability score is 3.9.


Are there any other recommendations or mitigations suggested?

FortiGuard Labs recommends that organizations upgrade to the latest version (4.94) as soon as possible; where that is not feasible, apply the latest updates for affected software from the vendors affected by this disclosure.

Also, for unmanaged cloud services, an organization should consider either upgrading or, where possible, disallowing external remote connections to the affected mail server(s) until an upgrade to the latest version is performed.

Telemetry