Security Market Segment LS
Wednesday, 19 June 2019 08:47

Firm that found Exim bug says 'millions of attacks' claim unreliable Featured

Firm that found Exim bug says 'millions of attacks' claim unreliable Image by Mari Ana from Pixabay

Reports that millions of servers running the mail transport agent Exim are being attacked through a recently announced vulnerability are unreliable, a senior official from Qualys, the company that discovered the vulnerability, says.

These claims were made by a number of tech sites based on Exim version numbers which had been ascertained through the search engine Shodan. The original advisory from Qualys said the bug had been patched in version 4.92, while versions from 4.87 to 4.91 were vulnerable.

The vulnerability allows for remote command execution where an attacker could execute arbitrary commands as root.

Responding to queries from iTWire, Jimmy Graham, senior director of Product Management at Qualys, agreed that the claims were overblown, given that Shodan could not provide any indication as to whether the main configuration file of Exim had been changed – and that was a vital factor in determining how soon a server could be exploited.

Qualys was asked, "After all, the version number tells us nothing about changes made by a sysadmin in the Exim configuration file. Then again, there are Linux distributions like Debian which backport fixes for problems such as this – and in such cases, the version number does not reflect the fact that a patch has been applied.

"Hence, all the claims in various media that millions of Exim servers are being attacked based on the version numbers seen on Internet servers — which are obtained through a Shodan search — don't really stack up, do they?"

Graham said: "True: Based on the version numbers, it is impossible to know the number of Exim servers that are being *attacked*. Two reasons:

"It is impossible to know how many servers are *patched*. The only thing we know for sure is that all 4.92 servers *are* patched, but maybe all others are vulnerable, or maybe they are all patched (backported fixes); we do not know."

He added that among the vulnerable servers, it was impossible to know how many were *exploitable* by the current attacks/worms.

"As far as we know, the worms only use the 'instant' version of the exploit (non-default configs), not the seven-day version (default config), and the version number does not tell us whether the config is default or not."

It was pointed out to Qualys that the writer of the original advisory had been at pains to explain that attacking Exim set-ups which were running the default configuration were difficult to exploit through this bug.

Graham said: "It is not very difficult, it just takes a long time (seven days) – but this time is likely just waiting on a script which would be automated by an attacker for targeted attacks, or in a worm for spreading to any vulnerable hosts.

"The bug was published 2 weeks ago, and it’s likely that attackers may have started to exploit default configurations days ago and may reap what they sowed in a few hours."

Exim, one of the four MTAs commonly used on Unix servers, is developed by Phillip Hazel at the University of Cambridge. It is the default on some Linux distributions, like Debian.


You cannot afford to miss this Dell Webinar.

With Windows 7 support ending 14th January 2020, its time to start looking at your options.

This can have significant impacts on your organisation but also presents organisations with an opportunity to fundamentally rethink the way users work.

The Details

When: Thursday, September 26, 2019
Presenter: Dell Technologies
Location: Your Computer


QLD, VIC, NSW, ACT & TAS: 11:00 am
SA, NT: 10:30 am
WA: 9:00 am NZ: 1:00 pm

Register and find out all the details you need to know below.



iTWire can help you promote your company, services, and products.


Advertise on the iTWire News Site / Website

Advertise in the iTWire UPDATE / Newsletter

Promote your message via iTWire Sponsored Content/News

Guest Opinion for Home Page exposure

Contact Andrew on 0412 390 000 or email [email protected]


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments