Fresh worm food

There was an absolute corker of a security vulnerability announced on Friday afternoon.  exim4, the mail processing program for Debian, allows unrestricted remote access to any server running it, and more than a thousand people on our network alone may be vulnerable.  From a deployment point of view, it’s absolutely the worst Linux-centred security problem I’ve ever seen.

What we’ve done about it so far:

  • fixed up our own and our managed hosting customers’ mail servers Friday and yesterday;
  • written up a guide on how to handle it, and emailed it to all of our potentially vulnerable unmanaged customers;
  • built some patched exim4 packages for the "outdated" Debian etch that 200-odd of our customers are still running;
  • put together a scan detector which will feed our routers with a blacklist of people trying to exploit the issue (not sure how successful this will be, but if it saves one compromise, I’ll be happy).
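As an added illustration of the "scan detector feeding a blacklist" idea in the last point (example code written for this page, not Bytemark's own tool), here is a small Python detector that reads per-connection records of how many bytes each client pushed in an SMTP DATA phase and flags sources that repeatedly send bodies far above what normal mail looks like. The log line format, the IP addresses and the byte counts are constructed for the example; the only thing taken from the post is that the exploit payload is on the order of 50MB. A real deployment would read exim's own logs, and the output list would go to the routers rather than stdout.

```python
"""Toy scan detector: flag clients sending abnormally large SMTP payloads.

Added example for illustration, not Bytemark's production detector.  The
log format below is an assumption (constructed for this example); a real
version would parse exim's mainlog instead.
"""
import re
from collections import defaultdict

# Constructed sample records: one line per delivery attempt.
# Fields: timestamp, client IP, bytes received in DATA phase, outcome.
SAMPLE_LOG = """\
2010-12-11T10:00:01 client=192.0.2.10 data_bytes=4096 result=accepted
2010-12-11T10:00:05 client=198.51.100.7 data_bytes=52428800 result=rejected
2010-12-11T10:00:09 client=198.51.100.7 data_bytes=52428801 result=rejected
2010-12-11T10:01:12 client=192.0.2.10 data_bytes=120000 result=accepted
2010-12-11T10:02:30 client=203.0.113.5 data_bytes=52000000 result=accepted
2010-12-11T10:03:44 client=192.0.2.10 data_bytes=8192 result=accepted
"""

LINE_RE = re.compile(r"client=(?P<ip>\S+)\s+data_bytes=(?P<size>\d+)")

# Anything above 40 MiB is far outside normal mail and well below the
# roughly 50MB payload size the post mentions, so a single oversized body
# is already worth a look.  Tune this to your own traffic.
SUSPICIOUS_BYTES = 40 * 1024 * 1024


def parse_line(line):
    """Return (client_ip, data_bytes) for one record, or None if unparseable."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("ip"), int(m.group("size"))


def oversized_senders(log_text, threshold=SUSPICIOUS_BYTES):
    """Count, per client IP, how many DATA phases exceeded `threshold` bytes."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip blank or malformed lines rather than crash
        ip, size = parsed
        if size > threshold:
            hits[ip] += 1
    return dict(hits)


def build_blacklist(log_text, threshold=SUSPICIOUS_BYTES, min_hits=1, allow=()):
    """Sorted list of client IPs to feed to the routers.

    `min_hits` lets you demand repeated oversized sends before blocking, and
    `allow` exempts known legitimate bulk senders (false positives here mean
    blocking real mail, so both knobs matter).
    """
    counts = oversized_senders(log_text, threshold)
    return sorted(
        ip for ip, n in counts.items() if n >= min_hits and ip not in allow
    )


def router_rules(ips):
    """Render the blacklist as iptables commands dropping SMTP from each IP.

    Emitted as text only; the example never executes them.
    """
    return [f"iptables -A INPUT -s {ip} -p tcp --dport 25 -j DROP" for ip in ips]


if __name__ == "__main__":
    blocked = build_blacklist(SAMPLE_LOG)
    print("clients sending oversized payloads:", oversized_senders(SAMPLE_LOG))
    print("blacklist:", blocked)
    for rule in router_rules(blocked):
        print(rule)
```

Note that payload size is a crude signal on its own: a legitimate sender of large attachments will trip it too, which is why the `allow` list and the `min_hits` knob exist, and why the post's own "not sure how successful this will be" is the right attitude toward a blacklist built this way.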

It’s a terrible vulnerability firstly because it’s a remote root hole – you can get full access to any vulnerable server.  Secondly it’s in a really widely deployed, popular piece of mail processing software.  That is probably bad for us particularly because we’re quite a popular hosting company for Debian users.  These are the ingredients for a bad week at the office.

The only mitigating factor is that you need to send a 50MB payload to exploit the bug, which won’t be fast to do from a broadband line.

But vulnerable machines are more than likely going to be on hosting networks like ours.  Therefore I think it is only a matter of days before we see a new worm appear that will go from one vulnerable host to another, expanding some criminal’s botnet enterprise and eating bandwidth as it goes.  Someone doing a thorough job of it will not disrupt their targets’ normal operations, because a vulnerable mail server can send far more spam, or send more attack traffic – a much more valuable asset to a botnet operator than a crummy home PC.

I hope I’m extremely paranoid, but am gearing up for the worst.  If you run a Debian server, or otherwise use exim, get patching.  Two of our customers have already reported compromises, and I suspect they are just the observant ones.