There was an absolute corker of a security vulnerability announced on Friday afternoon. exim4, the mail processing program for Debian, allows unrestricted remote access to any server running it, and more than a thousand people on our network alone may be vulnerable. From a deployment point of view, it’s absolutely the worst Linux-centred security problem I’ve ever seen.
What we’ve done about it so far:
- fixed up our own and our managed hosting customers’ mail servers on Friday and yesterday;
- written up a guide on how to handle it, and emailed it to all of our potentially vulnerable unmanaged customers;
- built some patched exim4 packages for the "outdated" Debian etch that 200-odd of our customers are still running;
- put together a scan detector which will feed our routers with a blacklist of people trying to exploit the issue (not sure how successful this will be, but if it saves one compromise, I’ll be happy).
It’s a terrible vulnerability firstly because it’s a remote root hole – you can get full access to any vulnerable server. Secondly it’s in a really widely deployed, popular piece of mail processing software. That is particularly bad for us because we’re quite a popular hosting company for Debian users. These are the ingredients for a bad week at the office.
The only mitigating factor is that you need to send a 50MB payload to exploit the bug, which won’t be fast to do from a broadband line.
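One way to build the sort of scan detector mentioned above, as an added example that is not the post’s or the company’s own code: it walks exim mainlog arrival lines, picks out peers that delivered messages anywhere near the 50MB size the exploit needs, and emits a peer-IP list that could be fed to a router blocklist. The 40MB threshold, the `min_hits` knob and the sample log lines are all assumptions constructed for the example.

```python
import re
from collections import defaultdict

# An exim mainlog arrival line is marked "<="; the bracketed field is the
# peer IP and "S=" is the message size in bytes.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<msgid>\S+) <= (?P<sender>\S+) "
    r".*?\[(?P<ip>[0-9a-fA-F.:]+)\].*? S=(?P<size>\d+)"
)

# Assumed threshold: the exploit needs roughly 50MB, so flag anything close.
LARGE_MESSAGE_BYTES = 40 * 1024 * 1024


def find_large_senders(log_lines, threshold=LARGE_MESSAGE_BYTES, min_hits=1):
    """Return {peer_ip: [(message_id, size), ...]} for peers that sent
    at least `min_hits` messages of `threshold` bytes or more."""
    hits = defaultdict(list)
    for line in log_lines:
        m = ARRIVAL_RE.search(line)
        if not m:
            continue  # delivery (=>), reject or other non-arrival lines
        size = int(m.group("size"))
        if size >= threshold:
            hits[m.group("ip")].append((m.group("msgid"), size))
    return {ip: v for ip, v in hits.items() if len(v) >= min_hits}


def blocklist(log_lines, **kw):
    """Sorted peer IPs to hand to the router ACL / firewall."""
    return sorted(find_large_senders(log_lines, **kw))


# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = """\
2010-12-11 10:01:02 1PRaaa-0001aa-AA <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtp S=2048
2010-12-11 10:05:17 1PRbbb-0002bb-BB <= bob@example.net H=(scanner) [198.51.100.7] P=esmtp S=52428800
2010-12-11 10:07:44 1PRccc-0003cc-CC <= bob@example.net H=(scanner) [198.51.100.7] P=esmtp S=52430000
2010-12-11 10:09:00 1PRddd-0004dd-DD => carol@example.org R=dnslookup T=remote_smtp
""".splitlines()

if __name__ == "__main__":
    for ip in blocklist(SAMPLE_LOG):
        print(ip)
```

Raising `min_hits` trades a slower reaction for fewer false positives against legitimate senders of large attachments.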
But vulnerable machines are more than likely going to be on hosting networks like ours. Therefore I think it is only a matter of days before we see a new worm appear that will go from one vulnerable host to another, expanding some criminal’s botnet enterprise and eating bandwidth as it goes. Someone doing a thorough job of it will not disrupt their targets’ normal operations, because a vulnerable mail server can send far more spam, or send more attack traffic – a much more valuable asset to a botnet operator than a crummy home PC.
I hope I’m extremely paranoid, but am gearing up for the worst. If you run a Debian server, or otherwise use exim, get patching. Two of our customers have already reported compromises, and I suspect they are just the observant ones.