Author: Andy Smith
Date:  
To: users
Subject: Re: [bitfolk] Scans attempting to exploit CVE-2019-10149 have been in the wild for some days

gpg: Signature made Sun Jun 23 05:53:38 2019 UTC
gpg: using DSA key 2099B64CBF15490B
gpg: Good signature from "Andy Smith <andy@strugglers.net>" [unknown]
gpg: aka "Andrew James Smith <andy@strugglers.net>" [unknown]
gpg: aka "Andy Smith (UKUUG) <andy.smith@ukuug.org>" [unknown]
gpg: aka "Andy Smith (BitFolk Ltd.) <andy@bitfolk.com>" [unknown]
gpg: aka "Andy Smith (Linux User Groups UK) <andy@lug.org.uk>" [unknown]
gpg: aka "Andy Smith (Cernio Technology Cooperative) <andy.smith@cernio.com>" [unknown]
Hi Keith,

On Sun, Jun 23, 2019 at 06:08:06AM +0100, Keith Williams wrote:
> I have just read up on this, after seeing this email. It appears that over
> 90% of exim4 servers are running vulnerable unpatched versions of the
> software.

I am surprised it's that much; most of my hosts are still Debian
jessie (oldstable) and that wasn't affected because it was too old.
"Only" versions 4.87 to 4.91 were affected.

> It seems that the best preventative step is to ensure that your exim is up
> to date running version >= 4.92. The only cure that I can see in the sites
> I have looked at is a complete nuking and format. This is a nasty brute

Yes; if you didn't upgrade exim within the first week or so of the
update being available you might want to reinstall as there is no
easy way to tell that you haven't been compromised. An attacker
could have deleted the evidence of their attack out of your
/var/log/exim4/mainlog.

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting
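The version check the two mails describe (anything from 4.87 to 4.91 is in the affected range, 4.92 is the first fixed upstream release), as an added example that is not part of this thread and not Exim's or BitFolk's own tooling. It assumes `exim -bV` is how you read the version on a host; the function names, the hostnames and the version strings in the demo are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the BitFolk list: classify an Exim version string
# against the affected range named in the thread (4.87 through 4.91
# inclusive, fixed in 4.92). POSIX sh only, so it can be run over ssh on
# old hosts without bash.

# Reduce a version string to upstream "major.minor", discarding suffixes
# such as "_1", "-RC2" or a Debian revision like "-2+deb9u4".
#   exim_version_core 4.89_1    -> 4.89
#   exim_version_core garbage   -> (empty string)
exim_version_core() {
    expr "$1" : '\([0-9]*\.[0-9]*\)' || true
}

# Exit status: 0 = inside the affected range, 1 = outside it,
# 2 = the string did not parse as major.minor.
exim_in_cve_range() {
    core=$(exim_version_core "$1")
    major=${core%%.*}
    minor=${core#*.}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    # Compare as integers, not strings, so 4.87 <= x <= 4.91 is exact.
    if [ "$major" -eq 4 ] && [ "$minor" -ge 87 ] && [ "$minor" -le 91 ]; then
        return 0
    fi
    return 1
}

# Pull the version out of `exim -bV` output read on stdin. The first line
# of that output has the form "Exim version 4.89 #1 built 14-Jun-2017 ...".
exim_version_from_bv() {
    sed -n 's/^Exim version \([^ ]*\).*/\1/p' | head -n 1
}

# One-line verdict for a host. Hypothetical helper name; prints only.
exim_verdict() {
    host=$1
    version=$2
    exim_in_cve_range "$version" && rc=0 || rc=$?
    case "$rc" in
        0) printf '%s: exim %s is in the CVE-2019-10149 range, upgrade and consider reinstall\n' \
               "$host" "$version" ;;
        1) printf '%s: exim %s is outside the affected range\n' "$host" "$version" ;;
        *) printf '%s: could not parse exim version "%s"\n' "$host" "$version" ;;
    esac
}

# Demo over constructed sample data (hostname, version reported by exim -bV).
demo() {
    printf '%s\n' \
        'jessie-vps 4.84_2' \
        'stretch-vps 4.89' \
        'buster-vps 4.92' \
        'old-bsd 4.87_1' \
        'broken-host unknown' |
    while read -r host version; do
        exim_verdict "$host" "$version"
    done
}

demo
```

On a live host the input comes from `exim -bV | exim_version_from_bv`. Two caveats a practitioner would add: distributions that backport security fixes (Debian among them) keep the upstream version number, so a host can report 4.89 and still be patched; confirm with the package changelog (`zcat /usr/share/doc/exim4-base/changelog.Debian.gz | grep CVE-2019-10149`) rather than the version string alone. And, as the reply above says, a clean version today tells you nothing about whether the box was exploited while it was vulnerable, since the attacker could have edited /var/log/exim4/mainlog.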