Linux worm infects Azure installations through Exim vulnerability

Microsoft warned users about a new worm for Linux that spreads through Exim mail servers. According to experts, malware has already compromised a number of Azure installations.

The problem affects Exim versions from 4.87 to 4.91 and allows an unauthorized attacker remotely executing arbitrary commands on mail servers with certain (non-factory) configuration settings. Although the vulnerability was fixed in February of this year with the release of Exim 4.92, many servers are still vulnerable.

«MSRC (Microsoft Security Response Center) confirmed presence of an active worm for Linux, which uses the critical remote execution vulnerability CVE-2019-10149 in Linux Exim mail servers with Exim versions from 4.87 to 4.91. The vulnerability does not affect Azure users with Exim 4.92 version installed on virtual machines”, – according to a Microsoft notification.

In order to protect itself against possible cyberattacks, company strongly recommends that users update their operating systems on their Azure virtual machines.

There is a partial mitigation for affected systems that can filter or block network traffic via Network Security Groups (NSGs). The affected systems can mitigate Internet-based ‘wormable’ malware or advanced malware threats that could exploit the vulnerability. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker’s IP Address is permitted through Network Security Groups.

“It is for these reasons that we strongly advise that all affected systems – irrespective of whether NSGs are filtering traffic or not – should be updated as soon as possible”, — insist Microsoft specialists.

Source: https://blogs.technet.microsoft.com