Fresh worm food

There was an absolute corker of a security vulnerability announced on Friday afternoon.  exim4, the mail processing program for Debian, allow unrestricted remote access to any server running it, and more than a thousand people on our network alone may be vulnerable.  From a deployment point of view, it’s absolutely the worst Linux-centred security problem I’ve ever seen.

What we’ve done about it so far:

  • fixed up ours and our managed hosting customers‘ mail servers Friday and yesterday;
  • written up a guide on how to handle it, and emailed it to all of our potentially vulnerable unmanaged customers;
  • built some patched exim4 packages for the "outdated" Debian etch that 200-odd of our customers are still running;
  • put together a scan detector which will feed our routers with a blacklist of people trying to exploit the issue (not sure how successful this will be, but if it saves one compromise, I’ll be happy).

It’s a terrible vulnerability firstly because it’s a remote root hole – you can get full access to any vulnerable server.  Secondly it’s in a really widely deployed, popular piece of mail processing software.  That is probably bad for us particularly because we’re quite a popular hosting company for Debian users.  These are the ingredients for a bad week at the office.

The only mitigating factor is that you need to send a 50MB payload to exploit the bug, which won’t be fast to do from a broadband line.

But vulnerable machines are more than likely going to be on hosting networks like ours.  Therefore I think it is only a matter of days before we see a new worm appear that will go from one vulnerable host to another, expanding some criminal’s botnet enterprise and eating bandwidth as it goes.  Someone doing a thorough job of it will not disrupt their targets’ normal operations, because a vulnerable mail server can send far more spam, or send more attack traffic – a much more valuable asset to a botnet operator than a crummy home PC.

I hope I’m extremely paranoid, but am gearing up for the worst.  If you run a Debian server, or otherwise use exim, get patching.  Two of our customers have already reported compromises, and I suspect they are just the observant ones.

This entry was posted in Uncategorized by mbloch. Bookmark the permalink.

3 thoughts on “Fresh worm food

  1. Just got bitten by this :-( rkhunter failed to find anything, but chkrootkit and unhide both found a hidden “bash” process which lsof revealed to be a trojan dropbear sshd.

  2. Unfortunately detecting compromises is quite hard and I don’t know how to do it very reliably. There are root kit checkers but firstly, with new exploits, especially juicy ones like this, I’d expect to see new kinds of compromises. Secondly those checkers tend to give false alarms quite often, which make them a bit useless.

    The way *we* notice a compromise is that we get complaints about abusive traffic eminating from a customer’s box, and shut them down.

    In general if anything spooks you, and you’ve got reason to suspect a compromise, just reinstall.