Updated on June 19, 2019 - New detection information added
On June 3, 2019, details of a critical vulnerability (CVE-2019-10149) in the popular mail transfer agent (MTA) Exim were published on the Open Source Security (OSS) mailing list. The flaw is a remote code execution (RCE) vulnerability, a command injection in Exim's deliver_message() routine, affecting versions 4.87 through 4.91.
On June 14, 2019, Microsoft MSRC also reported that an active Linux worm exploiting this vulnerability may be in the wild.
Trend Micro also has a more in-depth blog post on the issue here: Hacker Groups Pounce on Millions of Vulnerable Exim Servers.
The vulnerability is fixed in version 4.92, which is currently available.
In addition, the Exim maintainers have published a fix that can be backported to all affected versions (4.87 through 4.91), although those versions are technically no longer officially supported.
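The first thing an administrator needs is a quick way to tell whether a given Exim build falls in the affected range. The POSIX shell function below is an added example (not Trend Micro's or the Exim project's code): it parses the version line that `exim -bV` prints and classifies it against the 4.87 through 4.91 window described above. The sample `exim -bV` output is constructed for the example and not captured from a real host.

```shell
#!/bin/sh
# Added example (not Trend Micro's or the Exim project's code): classify an
# Exim build against CVE-2019-10149 from the output of `exim -bV`.
# Assumption: the first line has the documented shape "Exim version X.YY #N built ...".

# Prints one of: affected (4.87..4.91), fixed (4.92 or later),
# unaffected (older than 4.87), unknown (no 4.x version line found).
exim_cve_2019_10149_status() {
    ver=$(printf '%s\n' "$1" \
        | sed -n 's/^Exim version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        | head -n 1)
    if [ -z "$ver" ]; then
        echo unknown
        return 1
    fi
    major=${ver%%.*}          # "4" from "4.91"
    minor=${ver#*.}           # "91" from "4.91" (a third component, e.g. 4.86.2, is dropped by sed)
    if [ "$major" -ne 4 ]; then
        echo unknown          # only the 4.x line is considered here
        return 1
    fi
    if [ "$minor" -ge 92 ]; then
        echo fixed
    elif [ "$minor" -ge 87 ]; then
        echo affected
    else
        echo unaffected
    fi
}

# Constructed sample in the shape of `exim -bV` output (not from a real host).
SAMPLE_BV='Exim version 4.91 #1 built 05-Jun-2018 12:45:39
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 PAM Perl TLS OpenSSL'

# On a real host replace the sample with: exim_cve_2019_10149_status "$(exim -bV 2>/dev/null)"
exim_cve_2019_10149_status "$SAMPLE_BV"
```

The version number alone is not conclusive on distributions that backport the maintainers' fix: a distribution package may keep the upstream version string (for example 4.91) while already carrying the patch, so a result of "affected" should be cross-checked against the package changelog or the distribution's own advisory before concluding that a host is exposed.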
Trend Micro Recommendation and Solutions
As with any vulnerability, Trend Micro highly recommends that users apply all critical patches and fixes that vendors provide for security issues as soon as possible. These patches provide the strongest level of defense against potential attacks.
In addition, Trend Micro has analyzed the available information to determine whether proactive protection rules and filters can be created to help protect against potential attacks, and has deployed the following:

| Product | Protection type | Rule / filter / detection |
| --- | --- | --- |
| Deep Security | Intrusion Prevention Rule | 1009797 - Exim 'deliver_message' Command Injection Vulnerability (CVE-2019-10149) |
| TippingPoint | DigitalVaccine (DV) Filter | 35520: SMTP: Exim Internet Mailer Command Injection Vulnerability |
| Anti-Malware Products | Pattern File Detection | Trojan.SH.MIXBASH.A |
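The rules above operate inside Trend Micro products. For hosts without that coverage, the mail server's own log is the next place to look. The public analysis of this bug describes the injection as an Exim string expansion, `${run{...}}`, placed in the local part of the recipient address, which deliver_message() then expands and executes. The POSIX shell functions below are an added example (not Trend Micro's or the Exim project's code): they scan Exim mainlog-style lines read from standard input for that expansion opener and list the connecting IP addresses recorded in square brackets on the matching lines. The log lines are constructed for the example; only the `[ip]` field and the `${run{` string are relied on, not the exact layout of a real mainlog entry.

```shell
#!/bin/sh
# Added example (not Trend Micro's or the Exim project's code): hunt for
# CVE-2019-10149 exploitation attempts in Exim log lines read from stdin.
# Indicator: the literal expansion opener "${run{" appearing anywhere on a line.

# Number of lines containing the "${run{" expansion opener (0 when none).
# grep -F treats the pattern as a fixed string, so "$" and "{" are literal.
exim_log_injection_hits() {
    grep -F -c '${run{' || true
}

# Unique source addresses of the matching lines: the first "[...]" field on
# each hit is taken as the connecting IP (IPv4 or IPv6), then de-duplicated.
exim_log_injection_sources() {
    grep -F '${run{' \
        | sed -n 's/^[^[]*\[\([0-9a-fA-F.:]*\)\].*/\1/p' \
        | sort -u
}

# Constructed sample log in the shape of Exim mainlog entries (not real data).
# Real payloads carry a shell command inside the braces; it is elided here.
SAMPLE_LOG='2019-06-10 12:00:01 1haXXX-0001Ab-Cd <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtps S=1432 for bob@example.net
2019-06-10 12:00:07 1haXXY-0001Ac-Ef <= root@localhost H=(x) [198.51.100.7] P=esmtp S=512 for ${run{/bin/sh -c ...}}@localhost
2019-06-10 12:00:09 1haXXZ-0001Ad-Gh <= root@localhost H=(x) [198.51.100.7] P=esmtp S=519 for ${run{...}}@localhost
2019-06-10 12:01:30 1haXYA-0001Ae-Ij <= root@localhost H=(y) [203.0.113.9] P=esmtp S=501 for ${run{...}}@localhost'

# Usage against the sample; on a real host feed the main log instead, e.g.
#   exim_log_injection_sources < /var/log/exim4/mainlog   (Debian-style path; varies by distribution)
printf '%s\n' "$SAMPLE_LOG" | exim_log_injection_hits
printf '%s\n' "$SAMPLE_LOG" | exim_log_injection_sources
```

A hit proves an attempt was logged, not that it succeeded: on a patched 4.92 or backported build the expansion is not performed, so the same indicator will appear in the log of a fixed host that is being scanned. Treat the source list as a starting point for correlation with the outbound connections and new cron or shell activity the worm reports mentioned above would produce, rather than as proof of compromise on its own.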