Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
Exim, a mail transfer agent (MTA), is a common target because servers that run MTA software are often exposed to the internet. Exploiting vulnerabilities in Exim is challenging if Exim is securely configured or if an attacker has only remote access to the server. But an attacker can gain complete control of the device, providing an entry point for additional attacks on your network.
Kill Chain
Risk Score
—
Exim is a MTA that runs on Unix and Linux servers. Exim has a vulnerability that enables an attacker to run arbitrary shell commands as root on a server hosting Exim. The attacker creates an SMTP connection to Exim and sends a request that contains more recipients in the address field than are allowed by the received_headers_max setting, which is set to 30 lines by default. The techniques for running malicious code depend on whether an attacker accesses the server locally or remotely. With local access, the malformed address causes an error state that enables the attacker to run the malicious code immediately on the server. With remote access, the request must wait to be processed by the server, and the wait time depends on the timeout_frozen_after setting, which is set to 7 days by default. When the server processes the request, the undeliverable message with the malformed address is bounced, and the malicious code runs.
Install relevant patches for Exim versions 4.87 through 4.91
Confirm that any changes to the default Exim configurations have not weakened security settings for the server
Implement strong authentication methods for SMTP servers
