
That MTA survey looks like bollocks to me. No way Microsoft have 0.8%. I would have expected more like 75%. The vast majority of companies use MS Exchange.
Sysadmins who tend Exim servers have been advised to kick off their working weeks with the joy of patching. The popular (if relatively low-profile) Internet mail message transfer agent (MTA) advised of flaws in a Black Friday post to its public bugtracker, which as contributor Phil Pennock said in this message came without any …
No way Microsoft have 0.8%.
Agreed, email is too reliable to leave it to chance. I suspect that number is rather inflated. Maybe they missed a "0", though even "0.08%" seems kinda high.
But...
Number of Servers that didn't respond
That may be where a number of them were hiding. Forced updates killing the machines?
> Many shops run a Linux MTA(s) in front of their MS Exchange servers to save them from the spam, viruses etc.
Or a firewall which understands SMTP, and either shows its own software name in the EHLO banner, or replaces the software name with asterisks.
Anybody who puts an Exchange server directly on the unfiltered open Internet is mad.
"Anybody who puts an Exchange server directly on the unfiltered open Internet is mad."
Less mad though than someone who puts an unfiltered Linux box on the open internet! There have been very very few critical vulnerabilities in Exchange over the last decade and those that there have been have had zero days in the wild without being patched.
> The vast majority of companies use MS Exchange.
Yes that is very true, although it's typically a user-facing groupware server as that is where it shines. As a straight MTA however, not so much as that isn't really the use case Exchange is designed for and it's a very bulky option for solely moving messages around behind the scenes.
Most orgs will use Exchange for groupware in conjunction with other MTAs for processing and filtering inbound and outbound mail (often located in a controlled network segment like a DMZ).
The 0.8% statistic does look strangely low, but when you consider that this survey was conducted in terms of Internet-facing services then it starts to look more realistic as I don't know of any orgs that currently present their Exchange SMTP services directly to the Internet.
"I don't know of any orgs that currently present their Exchange SMTP services directly to the Internet."
Probably something you only do once. Back in the days when MS Small Business Server was at 4.0, the one I was managing had a bug exploited that allowed a spammer to use it for relaying. The fix was some weeks in coming and it took months to have the domain removed from the blacklists.
"Probably something you only do once. Back in the days when MS Small Business Server was at 4.0, the one I was managing had a bug exploited that allowed a spammer to use it for relaying"
That wouldn't have been via an SMTP exploit like this though. Not to mention that was on NT4.0 back in 1997! These days an internet facing Windows Server is way less likely to be hacked than an internet facing Linux box.
> As a straight MTA however, not so much as that isn't really the use case Exchange is designed for and it's a very bulky option for solely moving messages
???? Like many people, we use something else for MTA, for cost and other reasons. But when you run Exchange as an MTA, you turn off all the rest of the system -- you don't have to run the mail store or other services when you just want an MTA. It's designed that way.
Lies, damned lies...
...and hundreds of thousands of cPanel & Ubuntu (I think) installations with Exim as the default MTA. That was the cause of the apparent rise in 'market' share over and above Sendmail. Postfix got a run in a similar way, by Exim being shifted to EPEL and Postfix made the default in RHEL6 and derivatives.
The methodology is questionable, sure, but it's fairly popular amongst small server installs running packaged web management widgets on top.
At enterprise level, there may be millions of machines but they're often hidden behind load balancers. Office365's infrastructure, for example, offers only 1 MX record resolving to 2 IPv4 addresses per hosted domain - but there are literally thousands of machines behind them.
They use their web domain list to query for MX also - but that means many domains may be served by the same mail server when mail management is outsourced, which may be quite common especially for smaller businesses. I wonder if they deduplicated the data. But this is a company that in its "web survey" still puts nginx in the "other" category while counting the number of Netscape/Zeus servers.
Also:
"Server banner identifies software in use 1,016,147 50.37%"
Just half of the servers identified what software they use (which also means about half of the servers are managed by competent administrators who remove information that may just ease an attack - my servers don't say anything about which software is answering).
Anyway today most companies may route mail for an Exchange server through appliances/forwarders to keep Exchange more secure, especially since an Exchange server is integrated into Active Directory, and stores a lot of critical information.
For the same reason MS introduced the Edge Transport role, but it is more complex and expensive to set up too - and a non-MS solution may also spare you the headaches of MS licensing....
"For the same reason MS introduced the Edge Transport role, but it is more complex and expensive to set up"
No it isn't. It's REALLY easy and cheap to set up.
All you need to do is install Windows Server and the Exchange Edge Server Role - in a completely standalone configuration. Then you generate an Edge config file on your Edge Server via a single command and then copy the XML file to an Exchange server and import it into your Exchange organisation via a single command - and then pretty much everything including highly secure certificate based Edge-Exchange connectivity and SMTP connectors, etc. is automatically established and configured for you!
"As a straight MTA however, not so much as that isn't really the use case Exchange is designed for"
Not true at all. Exchange has a highly secure and domain isolated Edge Server role that is specifically designed as an MTA. Most large Exchange sites use that for Internet connectivity as it's a way lower risk of remote exploit and far easier to integrate and manage than a Linux MTA.
However yes most enterprises these days front their own MTA with for instance Message Labs which is where these misleading low numbers come from.
"as I don't know of any orgs that currently present their Exchange SMTP services directly to the Internet."
I don't know of one that uses Exchange that doesn't connect Exchange SMTP to the Internet. Either via an Edge server or by allowing SMTP traffic to a standard Exchange server. In fact the vast majority of mail headers confirm this. It's only on inbound email they often use an external MTA like Message Labs!
If you're here wasting time wondering about percentages of MTAs in use, why not just go and do the workaround, pushing it through your internal QA processes as quickly as possible, and then patch it in a few days when it's patched instead.
RCE in an MTA is a classic way in; if anyone has been eyeing up your org as a juicy target, they might just have been waiting for this day for opportunity to knock. Best close that window asap.
This post from the done_the_workaround_already dept of the obvious...
Having only recently switched on inbound chunking at $workplace, I turned it off again on Saturday afternoon after seeing PP's email to exim-announce.
Appreciable effort: almost nil.
The biggest risk here is for all the long-term installs which carry the same config file over and over, thus accepting config defaults each time for new features when they update. Hopefully (fingers crossed) there isn't a blitz of compromises to come...
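Two of the things argued about above can be checked from the outside with a short SMTP probe: whether a server's 220 banner names its software (or has been starred out by a front-end firewall, as one poster describes), and whether it still advertises the CHUNKING extension that the workaround mentioned in the thread turns off. The following is an added example, not code from the original thread, from the Exim project or from the survey; the hostnames, addresses and captured responses are constructed for the example, and probe() is the live variant for a server you are authorised to test.

```python
"""Classify an MTA from its SMTP banner and report whether it advertises
CHUNKING (RFC 3030 BDAT), the extension whose inbound handling the thread's
workaround disables. Added example; sample responses below are constructed."""
import re
import smtplib
from dataclasses import dataclass

# Banner fragments that give the product away. First match wins.
_SIGNATURES = [
    ("Exim", re.compile(r"\bExim\b", re.I)),
    ("Postfix", re.compile(r"\bPostfix\b", re.I)),
    ("Sendmail", re.compile(r"\bSendmail\b", re.I)),
    ("Microsoft Exchange", re.compile(r"Microsoft ESMTP MAIL Service", re.I)),
]


@dataclass(frozen=True)
class MtaReport:
    software: str          # product name, "hidden" (starred/blank) or "unknown"
    extensions: frozenset  # EHLO keywords, upper-cased
    chunking: bool         # True when CHUNKING is advertised


def classify_banner(banner: str) -> str:
    """Identify the MTA from a 220 greeting line such as
    '220 host ESMTP Exim 4.89 ...'. A banner replaced with asterisks
    (what an SMTP-aware firewall may do) is reported as 'hidden'."""
    text = banner[3:].lstrip(" -")  # drop the "220 " / "220-" prefix
    if "****" in text or not text.strip():
        return "hidden"
    for name, pattern in _SIGNATURES:
        if pattern.search(text):
            return name
    return "unknown"


def parse_ehlo(reply: str) -> frozenset:
    """Extract extension keywords from a multi-line 250 EHLO reply.
    The first 250 line ('250-host Hello ...') is the greeting, not an
    extension, so it is skipped; each later line's first word is a keyword."""
    keywords = []
    first = True
    for line in reply.splitlines():
        if not re.match(r"250[ -]", line):
            continue
        if first:
            first = False
            continue
        body = line[4:].strip()
        if body:
            keywords.append(body.split()[0].upper())
    return frozenset(keywords)


def analyse(banner: str, ehlo_reply: str) -> MtaReport:
    """Offline analysis of a captured banner and EHLO reply."""
    exts = parse_ehlo(ehlo_reply)
    return MtaReport(classify_banner(banner), exts, "CHUNKING" in exts)


def probe(host: str, port: int = 25, timeout: float = 10.0) -> MtaReport:
    """Live probe. smtplib hands back the 220 banner from connect() and
    fills esmtp_features (lower-cased keywords) after ehlo()."""
    s = smtplib.SMTP(timeout=timeout)
    try:
        code, banner = s.connect(host, port)
        banner_line = f"{code} {banner.decode(errors='replace')}"
        s.ehlo()
        exts = frozenset(k.upper() for k in s.esmtp_features)
        return MtaReport(classify_banner(banner_line), exts, "CHUNKING" in exts)
    finally:
        try:
            s.quit()
        except smtplib.SMTPException:
            pass


# Constructed sample captures (not real hosts): a default-looking Exim
# that still advertises CHUNKING, and a front-ended server whose banner
# has been starred out and which does not offer CHUNKING.
SAMPLE_EXIM_BANNER = "220 mail.example.test ESMTP Exim 4.89 Fri, 01 Dec 2017 09:00:00 +0000"
SAMPLE_EXIM_EHLO = (
    "250-mail.example.test Hello client.example.test [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-CHUNKING\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
SAMPLE_HIDDEN_BANNER = "220 mx.example.test ESMTP ****"
SAMPLE_HIDDEN_EHLO = (
    "250-mx.example.test\r\n"
    "250-SIZE 10485760\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)

if __name__ == "__main__":
    for b, e in ((SAMPLE_EXIM_BANNER, SAMPLE_EXIM_EHLO),
                 (SAMPLE_HIDDEN_BANNER, SAMPLE_HIDDEN_EHLO)):
        r = analyse(b, e)
        print(f"{r.software:20s} chunking={r.chunking} exts={sorted(r.extensions)}")
```

Run against your own MX after applying the workaround and the report should no longer list CHUNKING. The thread only says the poster "turned off inbound chunking"; the Exim main option that controls which clients are offered the extension is `chunking_advertise_hosts` (default `*`), and setting it to an empty value stops it being advertised to anyone. That option name is not stated on the page and comes from the Exim specification.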