back to article Exim-ergency! Unix mailer has RCE, DoS vulnerabilities

Sysadmins who tend Exim servers have been advised to kick off their working weeks with the joy of patching. The popular (if relatively low-profile) Internet mail message transfer agent (MTA) advised of flaws in a Black Friday post to its public bugtracker, which as contributor Phil Pennock said in this message came without any …

  1. Anonymous Coward
    Anonymous Coward

    That MTA survey looks like bollocks to me. No way Microsoft have 0.8%. I would have expected more like 75%. The vast majority of companies use MS Exchange.

    1. Kiwi
      Trollface

      No way Microsoft have 0.8%.

      Agreed, email is to reliable to leave it to chance. I suspect that number is rather inflated. Maybe they got missed a "0" though even "0.08%" seems kinda high.

      But...

      Number of Servers that didn't respond

      That may be where a number of them were hiding. Forced updates killing the machines?

    2. Long John Brass

      survey bollocks

      Many shops run a Linux MTA(s) in front of thier MS Exchange servers to save them from the spam, viruses etc.

      Implementing grey-lists and tar-pits on internet facing machines is great fun :)

      1. Anonymous Coward
        Anonymous Coward

        Re: survey bollocks

        And if they don't themselves, they probably contract out to a 3rd-party spam filtering company that does!

      2. Anonymous Coward
        Anonymous Coward

        Re: survey bollocks

        > Many shops run a Linux MTA(s) in front of thier MS Exchange servers to save them from the spam, viruses etc.

        Or a firewall which understands SMTP, and either shows its own software name in the EHLO banner, or replaces the software name with asterisks.

        Anybody who puts an Exchange server directly on the unfiltered open Internet is mad.

        1. Anonymous Coward
          Anonymous Coward

          Re: survey bollocks

          "Anybody who puts an Exchange server directly on the unfiltered open Internet is mad."

          Less mad though than someone who puts an unfiltered Linux box on the open internet! There have been very very few critical vulnerabilities in Exchange over the last decade and those that there have been have had zero days in the wild without being patched.

    3. Maventi

      > The vast majority of companies use MS Exchange.

      Yes that is very true, although it's typically a user-facing groupware server as that is where it shines. As a straight MTA however, not so much as that isn't really the use case Exchange is designed for and it's a very bulky option for solely moving messages around behind the scenes.

      Most orgs will use Exchange for groupware in conjunction with other MTAs for processing and filtering inbound and outbound mail (often located in a controlled network segment like a DMZ).

      The 0.8% statistic does look strangely low, but when you consider that this survey was conducted in terms of Internet-facing services then it starts to look more realistic as I don't know of any orgs that currently present their Exchange SMTP services directly to the Internet.

      1. Pompous Git Silver badge

        "I don't know of any orgs that currently present their Exchange SMTP services directly to the Internet."
        Probably something you only do once. Back in the days when MS Small Business Server was at 4.0 the one I was managing was exploited a bug to allowing a spammer to use it for relaying. The fix was some weeks in coming and it took months to have the domain removed from the blacklists.

        1. Anonymous Coward
          Anonymous Coward

          "Probably something you only do once. Back in the days when MS Small Business Server was at 4.0 the one I was managing was exploited a bug to allowing a spammer to use it for relaying"

          That wouldn't have been via an SMTP exploit like this though. Not to mention that was on NT4.0 back in 1997! These days an internet facing Windows Server is way less likely to be hacked than an internet facing Linux box.

      2. david 12 Silver badge

        >As a straight MTA however, not so much as that isn't really the use case Exchange is designed for and it's a very bulky option for solely moving messages<

        ???? Like many people, we use something else for MTA, for cost and other reasons. But when you run Exchange as an MTA, you turn off all the rest of the system -- you don't have to run the mail store or other services when you just want an MTA. It's designed that way.

    4. Anonymous Coward
      Anonymous Coward

      The vast majority of companies use MS Exchange.

      Evidently not. Peeked at almost 24% 10 years ago. There's a big world outside the MS ecosystem.

      1. Anonymous Coward
        Anonymous Coward

        "Evidently not. Peeked at almost 24% 10 years ago."

        LOL I think not. People are still migrating from Notes to Exchange (hello HSBC) !

        Recent corporate figures from Gartner are 81% Exchange on premise, 9% O365 and < 5% Google Apps.

        1. Anonymous Coward
          Anonymous Coward

          Recent corporate figures from Gartner

          Gartner? *snigger*

          Sorry, I was quoting actual figures that have a published methodology, not wet-finger-in-the-air "Windows Mobile will take over the world" type guesses.

          Everything's a popularity contest with you.

          1. Anonymous Coward
            Anonymous Coward

            Everyone knows your claim of dropping from 24% 10 years ago is utter rubbish. Gartners figures are based on actual studies not a future estimate. If you think otherwise then how about a link? And ideally not from a decade ago!

        2. Anonymous Coward
          Anonymous Coward

          Lies, damned lies...

          ...and hundreds of thousands of cPanel & Ubuntu (I think) installations with Exim as the default MTA. That was the cause of the apparent rise in 'market' share over and above Sendmail. Postfix got a run in a similar way, by Exim being shifted to EPEL and Postfix made the default in RHEL6 and derivatives.

          The methodology is questionable, sure, but it's fairly popular amongst small server installs running packaged web management widgets on top.

          At enterprise level, there may be millions of machines but they're often hidden behind load balancers. Office365's infrastructure, for example, offers only 1 MX record resolving to 2 IPv4 addresses per hosted domain - but there are literally thousands of machines behind them.

    5. Anonymous Coward
      Anonymous Coward

      As always, beware of the survey methodology

      They use their web domain list to query for MX also - but that means many domains may be served by the same mail server when mail management is outsourced, which may be quite common especially for smaller businesses. I wonder if they deduplicated the data. But this a company that in its "web survey" still puts nginx in the "other" category while counting the number of Netscape/Zeus servers.

      Also:

      "Server banner identifies software in use 1,016,147 50.37%"

      Just half of the servers identified what software they use (which also means about half of the servers are managed by competent administrator that remove information that may just ease an attack - my servers don't tell anything about which software is answering).

      Anyway today most companies may route mail for an exchange server through appliances/forwarders to keep Exchange more secure, especially since an Exchange server is integrated into Active Directory, and stores a lot of critical information.

      For the same reason MS introduced the Edge Transport role, but it is more complex and expensive to setup to - and a non MS solution may also spare you the headaches of MS licensing....

      1. Anonymous Coward
        Anonymous Coward

        Re: As always, beware of the survey methodology

        "For the same reason MS introduced the Edge Transport role, but it is more complex and expensive to setup"

        No it isn't. It's REALLY easy and cheap to setup.

        All you need to do is install Windows Server and the Exchange Edge Server Role - in a completely standalone configuration. Then you generate an Edge config file on your Edge Server via a single command and then copy the XML file to an Exchange server and import it into your Exchange organisation via a single command - and then pretty much everything including highly secure certificate based Edge-Exchange connectivity and SMTP connectors, etc. is automatically established and configured for you!

    6. Anonymous Coward
      Anonymous Coward

      " I would have expected more like 75%."

      It's more like 90% of corporate users if you count Office 365.

  2. Anonymous Coward
    Anonymous Coward

    "As a straight MTA however, not so much as that isn't really the use case Exchange is designed for"

    Not true at all. Exchange has a highly secure and domain isolated Edge Server role that is specifically designed as an MTA. Most large exchange sites use that for Internet connectivity as it's a way lower risk of remote exploit and far easier to integrate and manage than a Linux MTA.

    However yes most enterprises these days front their own MTA with for instance Message Labs which is where these misleading low numbers come from.

  3. Anonymous Coward
    Anonymous Coward

    "as I don't know of any orgs that currently present their Exchange SMTP services directly to the Internet."

    I don't know of one that uses Exchange that doesn't connect Exchange SMTP to the Internet. Either via an Edge server or by allowing SMTP traffic to a standard Exchange server. In fact the vast majority of mail headers confirm this. It's only on inbound email they often use an external MTA like Message Labs!

  4. Outer mongolian custard monster from outer space (honest)

    If your here wasting time wondering about percentages of mta in use, why not just go and do the workaround pushing it through your internal QA processes as quickly as possible, and then patch it in a few days when its patched instead.

    RCE in a MTA is a classic way in, if anyone has been eyeing up your org as a juicy target, they might just have been waiting for this day for opportunity to knock. Best close that window asap.

    This post from the done_the_workaround_already dept of the obvious...

    1. Greem

      Having only recently switched on inbound chunking at $workplace, I turned it off again on Saturday afternoon after seeing PP's email to exim-announce.

      Appreciable effort: almost nil.

      The biggest risk here is for all the long-term installs which carry the same config file over and over, thus accepting config defaults each time for new features when they update. Hopefully (fingers crossed) there isn't a blitz of compromises to come...

  5. Anonymous Coward
    Anonymous Coward

    Serious question Time

    Ignoring security for the moment, why would you choose EXIM over postfix?

    1. Mike 'H'

      Re: Serious question Time

      cPanel's default MTA.

      How many webhosts use cPanel and also standardize on exim for non-cpanel servers, simply because of less to train employees on? A lot.

  6. Anonymous Coward
    Anonymous Coward

    Chunking seemed to be disabled by default on the version of Exim in Debian Stable.

    I've added the suggested config setting anyway, to be safe.

    1. Phil Endecott

      Confirmed, chunking is disabled by default in Debian Stable:

      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882648

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022