Recently I noticed a report of an alleged remote root security compromise of a machine, via the exim mailserver.
At the time I wasn't sure how seriously to take it, but I followed updates on the thread and it soon became clear that there was a major problem on our hands.
It later became obvious that there were two problems:
- CVE-2010-4344
A remote buffer overflow, allowing the execution of arbitrary code as the user Debian-exim.
- CVE-2010-4345
A privilege escalation allowing the attacker to jump from running code as Debian-exim to running code as root.
Trivial exploits are floating around the internet - and we were seeing this bug being exploited in the wild as early as yesterday afternoon.
Although I can feel somewhat smug that my own personal server is running qpsmtpd ahead of exim it's still a wake-up call, and this hole has the potential to significantly expand available botnets - it is probably only a matter of days, or rather hours, until we see worms taking advantage of the flaw.
ObPlug: I've put together an updated version of exim4 for etch - if you're still running etch then you don't have any official security support (timely upgrading is obviously preferred) and it might be useful to have more folk pointed at that.
ObQuote: "We're all going to die down here" - Resident Evil.
Tags: compromises, exim, exim4, security