Microsoft Warns Azure Users To Patch Linux VMs Now To Thwart Exim Worm Security Threat

If you're an Azure customer running Linux Exim email servers, then Microsoft has a warning for you. Over the weekend, it was disclosed that Linux servers numbering in the millions were vulnerable to a critical security flaw in the Exim mail transport agent (MTA).

At last count, roughly 3.5 million servers were susceptible to a remote execution Linux worm attack according to Cybereason, with the primary attack vector being a coin miner payload (which can present itself in multiple stages). The vulnerability was first disclosed as CVE-2019-10149 on June 5th.

Microsoft is warning Azure customers that while Exim 4.92 is not affected, Azure customers running virtual machines with earlier versions of Exim should be vigilant to help stop the spread of the worm.

"Customers using Azure virtual machines (VMs) are responsible for updating the operating systems running on their VMs," writes Microsoft. "As this vulnerability is being actively exploited by worm activity, MSRC urges customers to observe Azure security best practices and patterns and to patch or restrict network access to VMs running the affected versions of Exim.

"We strongly advise that all affected systems – irrespective of whether NSGs are filtering traffic or not – should be updated as soon as possible."


What makes this new worm so pervasive is that once the crypto miner payload and port scanner are downloaded and activated, it actively looks for other vulnerable servers so that it can propagate further. However, as long as you're running Exim 4.92, you should be protected against this worm.

"It is clear that the attackers went to great lengths to try to hide the intentions of their newly-created worm," Cybereason adds. "They used hidden services on the TOR network to host their payloads and created deceiving windows icon files in an attempt to throw off researchers and even system administrators who are looking at their logs."

For their part, the developers behind Exim have issued their own response to this slippery worm. "A patch exists already, is being tested, and backported to all versions we released since (and including) 4.87," reads an Exim patch note on CVE-2019-10149. "The severity depends on your configuration. It depends on how close to the standard configuration your Exim runtime configuration is. The closer the better."

Exim servers account for nearly 60 percent of the email servers on the internet, and affected versions include versions 4.87 through 4.91.
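
For triage, the version range above can be checked against what a VM actually reports. The script below is an added example, not code from Microsoft, Cybereason or the Exim project; it assumes `exim -bV` (or `exim4 -bV` on Debian-style systems) prints a first line of the form `Exim version X.YY ...`, and the function name `classify_exim_banner` is hypothetical. Because fixes were backported to releases from 4.87 onward, an `in-range` result means "confirm the package's patch status", not "unpatched".

```shell
#!/bin/sh
# Added example: classify an Exim version banner against the range given
# in this article (4.87 through 4.91 affected, 4.92 not affected).

# classify_exim_banner BANNER
#   BANNER: first line of `exim -bV` output (assumed format:
#           "Exim version 4.91 #1 built ...").
#   Prints: in-range | not-in-range | unknown
classify_exim_banner() {
    # Pull out "major minor"; suffixes such as "_1" or ".2" are ignored.
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^Exim version \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -eq 4 ] && [ "$minor" -ge 87 ] && [ "$minor" -le 91 ]; then
        # Distribution packages may carry a backported fix under the same
        # version number, so this flags the host for follow-up only.
        echo in-range
    else
        echo not-in-range
    fi
}

# Constructed sample banners (not captured from real hosts).
for sample in \
    "Exim version 4.86_2 #1 built 01-Jan-2019 00:00:00" \
    "Exim version 4.89 #2 built 01-Jan-2019 00:00:00" \
    "Exim version 4.92 #3 built 01-Jan-2019 00:00:00"
do
    echo "sample '$sample' -> $(classify_exim_banner "$sample")"
done

# Check the local host if an Exim binary is on PATH.
for bin in exim exim4; do
    if command -v "$bin" >/dev/null 2>&1; then
        banner=$("$bin" -bV 2>/dev/null | head -n 1)
        echo "$bin: $(classify_exim_banner "$banner")"
    fi
done
```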