Vulnerabilities are always critical, especially when attacker gets server root privileges.

That’s what happens in the recent Exim mail server vulnerability. Hacker can execute malicious programs making entire server and accounts at risk.

At Bobcares, we constantly monitor servers and patch up server against server vulnerabilities as part of our Server Management Services.

Today, we’ll see more about the Exim4 vulnerability and how our Security Experts mitigate the risk effectively.

 

The impact!

Now its time to see how this Exim4 vulnerability affect the servers.

As per CVE-2019-10149, this flaw was found in Exim versions 4.87 to 4.91. The improper validation of recipient address in deliver_message() function in /src/deliver.c can give hackers privileges to remote command execution.

Additionally, in the affected servers, there will be a malicious cron job under root user.  This scheduled task tries to get content from malicious websites and execute the scripts on the server. Also, it can change the status of web, database service daemons and set them to OFF state.

Usually, the affected servers will have high load. As a result, the server will be stuck making websites slow.

 

Is my server good?

At this point, the immediate question of any server owner will be “Is my Server good?”

The first thing that would determine this would be the version of Exim mail server on the server. To know the exact version, our Support Engineers use the command :

rpm -q exim

If the exim version is one between 4.87 and 4.91, then the server is under high risk.

Also, for cPanel servers, its worth to check the version of cPanel too using :

/usr/local/cpanel/cpanel -V

The following versions of cPanel and Exim holds good against the vulnerability.

For Version 78: exim-4.92-1.cp1178.x86_64
For Version 80: exim-4.92-1.cp1180.x86_64
For Version 70 and 76: exim-4.91-4.cp1170.x86_64

 

If my server is not good?

Unfortunately, if your server is having a buggy Exim version, the patches should be applied immediately. Else, hackers can attack your server at any time.

Let’s now see the course of action that our Security Experts do to mitigate the risk.

 

1. Update EXIM

The first and foremost step in affected servers is to update Exim.

Exim 4.92 is not vulnerable.

Therefore, we update the Exim package on the servers to version 4.92. Additionally, we need to reinstall curl on the server. The commands vary according to the type of server.

On CentOS7 servers, we execute:

yum install -y -q -e 0 exim
 yum reinstall -y -q -e 0 curl

Similarly, on Debian servers, we do:

apt-get --yes --force-yes install exim4 exim4-config
yum reinstall -y -q -e 0 curl

Cpanel team has already released patches for versions 70 and 76. And, an upgrade would automatically upgrade exim.

In cases where cPanel upgrades failed due to blockers, our Support Engineers do the following.

i) We backup the file /etc/cpupdate.conf & update as below.

CPANEL=11.76
RPMUP=daily
SARULESUP=daily
STAGING_DIR=/usr/local/cpanel
UPDATES=daily

ii) Then we run the command:

/scripts/upcp

iii) After completing upgrade script, we restore the old file.

iv) Finally, we confirm that the server has a new Exim version.

 

2. Remove malicious cron

We look for the malicious cron in the server. Usually, it will be present under the root user.

 

3. Reboot the server

Finally, we reboot the server to make the new packages take effect.

 

What if my server is affected?

If your server is already having traces of hack like suspicious cron jobs, service failures, unusually high load, etc. there is high chance of server compromise.

We’ll now take a look at how our Dedicated Engineers deal with such servers.

1. Firstly, we estimate the impact of hack, by analyzing the files and folders.

2. In case of hack, even if we restore from a server backup, the risk still remains. This is because, hackers still might be having back doors left open in the server. This would give them a chance to attack the server later. Hence, we always suggest customers to go for a complete server migration. This involves setting up a new server, perform hardening steps and then migrate contents from a clean backup.

[Do you know that our 24×7 proactive monitoring plan avoid these vulnerability attacks?]

 

Conclusion

To be precise, Exim4 vulnerability affects a major share of servers in hosting industry. It give root privileges to the attacker and the impact on the server become severe. Today, we saw the steps to check your server for vulnerability and how our Security Experts fix the risk.