Re: Exim latest update reports to world as 4.89, which the world thinks is vulnerable.

2019-06-22 Thread Andy Smith
Hello,

On Thu, Jun 20, 2019 at 08:45:13PM +0100, Brian wrote:
> At least 2000,000 hosts on the internet. You reckon you will be in
> the first tranche of targets?

I don't know about "amongst the first" but there are multiple
services scanning every port of the entire IPv4 space now and
selling access to the results, e.g. Shodan which has already been
mentioned. So the idea that you don't need to think about hostile
actors connecting to your service because you are 1 in 2bn or
whatever, is no longer sound.

For example, for over 10 years I have been putting ssh on a port
other than 22 where I was able to do so, just to cut down on noise in my
logs since every hostile knew to check port 22. This year for the
first time I am finding that mass scanners have found my alternate
port and are now doing dictionary attacks against it.

This is because the aforementioned scanning services have scanned
every port of my hosts and are selling the information that my host
has what looks like an sshd on so and so port. The operators of
botnets are buying this information and setting their botnets to try
SSH on those alternate ports too.

So any new bad actor who wants to scan for this vulnerability is
just going to buy access to a list of every host on the Internet
that has an open port 25, maybe an open port 25 running the
vulnerable versions of Exim if that is offered. That will be a very
manageable list of IPs. They won't have to do the scanning
themselves.

This is only going to get worse.

I don't think it's security through obscurity to try to hide
yourself from the hostiles if you have already taken steps to
protect yourself and it's just to reduce the amount of noise. I
think it's only security through obscurity if you don't fix it, try
to hide and would get exploited if you were found.

Having said that, I am in full agreement that the correct thing to
do if concerned about the SMTP banner is to change the SMTP banner,
not change the version of the software.

I might even go further and try to find a way to identify and log
people trying this exploit, so that they can be dealt with the same
way persistent SSH dictionary attackers are.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Exim latest update reports to world as 4.89, which the world thinks is vulnerable.

2019-06-21 Thread Brian
On Fri 21 Jun 2019 at 21:14:42 +1000, Andrew McGlashan wrote:

> On 21/6/19 4:08 pm, Reco wrote:
> > What I'm most interested in here is the time distribution. I.e. has
> > the number of exploitation attempts lowered after the Exim banner
> > change? Stayed the same?
> 
> Not a single one since, so far.
> 
> Although I did blacklist IP addresses.

I get the same outcome too when I blacklist offending IPs.

-- 
Brian.



Re: Exim latest update reports to world as 4.89, which the world thinks is vulnerable.

2019-06-21 Thread Andrew McGlashan



On 21/6/19 4:08 pm, Reco wrote:
> What I'm most interested in here is the time distribution. I.e. has
> the number of exploitation attempts lowered after the Exim banner
> change? Stayed the same?

Not a single one since, so far.

Although I did blacklist IP addresses.

A.




Re: Exim latest update reports to world as 4.89, which the world thinks is vulnerable.

2019-06-21 Thread Reco
Hi.

On Fri, Jun 21, 2019 at 06:36:20AM +1000, Andrew McGlashan wrote:
> On 21/6/19 5:52 am, Reco wrote:
> > Plain old grep is more than enough here. This one:
> > 
> > grep 'run{' /var/log/exim4/reject*
> > 
> > finds things like these:
> > 
> > 2019-06-19 18:54:43 H=(service.com) [107.182.225.42]
> > F= rejected RCPT
> >  xxx.xxx.xxx\x22}}@localhost>:
> > Unrouteable address
> 
> Okay:
>  21 attempts from 8 different IP addresses on one server
> 
>  28 attempts on another server
> 
>  17 attempts on another server
> 
> 
> 13 unique IP addresses so far (dig -x output)
> 

What I'm most interested in here is the time distribution.
I.e. has the number of exploitation attempts lowered after the Exim
banner change? Stayed the same?

Reco
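Reco's `grep 'run{'` over the reject log, Andrew's per-IP tallies and the "time distribution" question above, together with Andy Smith's earlier suggestion to log exploit attempts so repeat offenders can be blocklisted like SSH dictionary attackers, are what the following script does over a constructed sample. It is an added example, not code from the thread; it assumes the Debian reject-log layout of Reco's quoted line (timestamp, `H=(...)`, sender IP in `[...]`, then `rejected RCPT <address>`), and the sample lines, IPs and the `banner_changed` cutoff are made up.

```python
import re
from collections import Counter

# Constructed sample in the layout of Exim's reject log (not real traffic;
# addresses are documentation ranges). The command inside ${run{...}} is
# replaced by REDACTED; only the marker matters for detection.
SAMPLE_LOG = """\
2019-06-19 18:54:43 H=(service.com) [192.0.2.10] F=<> rejected RCPT <${run{REDACTED}}@localhost>: Unrouteable address
2019-06-19 18:55:02 H=(service.com) [192.0.2.10] F=<> rejected RCPT <${run{REDACTED}}@localhost>: Unrouteable address
2019-06-19 21:10:17 H=(mail.example) [198.51.100.7] F=<> rejected RCPT <${run{REDACTED}}@localhost>: Unrouteable address
2019-06-20 03:41:55 H=(relay.example) [203.0.113.9] F=<bob@example.org> rejected RCPT <nosuchuser@example.net>: Unrouteable address
2019-06-20 09:02:31 H=(mail.example) [198.51.100.7] F=<> rejected RCPT <${run{REDACTED}}@localhost>: Unrouteable address
"""

# Timestamp (to the minute), sending IP in [...], and the rejected RCPT address.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2} .*?\[(?P<ip>[^\]]+)\]"
    r".*?rejected RCPT <(?P<rcpt>[^>]*)>"
)
MARKER = "run{"  # the substring the thread greps for in the RCPT local part

def parse_attempts(log_text):
    """Return (timestamp, ip) for every rejected RCPT whose address carries MARKER."""
    attempts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and MARKER in m.group("rcpt"):
            attempts.append((m.group("ts"), m.group("ip")))
    return attempts

def attempts_by_ip(log_text):
    return Counter(ip for _, ip in parse_attempts(log_text))

def attempts_by_hour(log_text):
    # 'YYYY-MM-DD HH' buckets answer the "time distribution" question.
    return Counter(ts[:13] for ts, _ in parse_attempts(log_text))

def attempts_since(log_text, cutoff):
    """Attempts at or after cutoff ('YYYY-MM-DD HH:MM'), e.g. when the banner was changed."""
    return sum(1 for ts, _ in parse_attempts(log_text) if ts >= cutoff)

def repeat_offenders(log_text, threshold=2):
    """IPs with at least `threshold` attempts: candidates for the same blocklist as SSH brute-forcers."""
    return sorted(ip for ip, n in attempts_by_ip(log_text).items() if n >= threshold)

if __name__ == "__main__":  # quick look at the constructed sample
    banner_changed = "2019-06-20 00:00"  # constructed cutoff, not a real event time
    print(dict(attempts_by_hour(SAMPLE_LOG)), attempts_since(SAMPLE_LOG, banner_changed))
    print(repeat_offenders(SAMPLE_LOG))
```

On a real host, feed it `/var/log/exim4/rejectlog*` contents instead of `SAMPLE_LOG`; `attempts_since` with the banner-change time gives the before/after comparison Reco asked for.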



Re: Exim latest update reports to world as 4.89, which the world thinks is vulnerable.

2019-06-20 Thread Michael Stone

On Thu, Jun 20, 2019 at 10:50:08PM +0100, Brian wrote:
> So? Looks like a normal day. Announcing exim as version 4.92 (or any
> other value) is most unlikely to reduce the number of these attempts.

I'm seeing the same attempts on postfix servers...



Re: Exim latest update reports to world as 4.89, which the world thinks is vulnerable.

2019-06-20 Thread Andrew McGlashan

Hi,

On 21/6/19 4:49 am, Reco wrote:
>> Thank you, I've changed the banner for now let's hope that
>> lessens the problem.
> 
> Please share the results if possible.
> 
> On this particular MTA I've counted whopping 4 attempts to exploit 
> CVE-2019-10149 so far. One made from France, three from US. I'm
> kind of disappointed, I've expected half a million Chinese and
> Russian bots at least ;)

I've got good logs; what is the easiest string to grep for in the logs
to see attempts? Or have you got a more fancy solution?

Thanks
AndrewM



Re: Exim latest update reports to world as 4.89, which the world thinks is vulnerable.

2019-06-20 Thread Brian
On Fri 21 Jun 2019 at 04:15:35 +1000, Andrew McGlashan wrote:

> On 20/6/19 11:57 pm, Brian wrote:
> > On Thu 20 Jun 2019 at 23:26:08 +1000, Andrew McGlashan wrote:
> > 
> >> # dpkg-query -l|grep \ exim|awk '{print $2,$3}'|column -t
> >> exim4               4.89-2+deb9u4
> >> exim4-base          4.89-2+deb9u4
> >> exim4-config        4.89-2+deb9u4
> >> exim4-daemon-heavy  4.89-2+deb9u4
> >> exim4-doc-html      4.89-1
> >> 
> >> Is there a way to provide version of "4.92" easily or some other
> >> text to stop the likelihood of outsiders trying to pound on and
> >> exploit the server? Even though they won't be able to do
> >> successfully due to up to date patch status.
> > 
> > You really, really think changing a version number increases or 
> > decreases the likelihood of automated server probes happening?
> 
> Yes, if "candidates" are chosen and then advertised to bots to go and
> do the work, instead of doing the work against any and every server,
> for sure.  If this was a quick and simple exploit, the answer would be
> no, but this exploit takes considerable time before a result is known
> or attained from the attempt.

At least 2000,000 hosts on the internet. You reckon you will be in
the first tranche of targets? That's apart from the completely inept and
unintelligent type of exploitation attack that is run.
> 
> > Doesn't doing this qualify as security through obscurity?
> 
> Yes, but sometimes that simply works.

How can it? As you say

 > Even though they won't be able to do successfully due to up to 
 > date patch status.

You acknowledge your mail server is safe. Are you in the business of
serving up FUD in spite of your updating and declaring the server to
be protected against this particular bug?

By all means alter smtp_banner. Much good will it do.

-- 
Brian.



Re: Exim latest update reports to world as 4.89, which the world thinks is vulnerable.

2019-06-20 Thread Reco
Hi.

On Fri, Jun 21, 2019 at 04:40:11AM +1000, Andrew McGlashan wrote:
> 
> 
> 
> On 20/6/19 11:45 pm, Reco wrote:
> > Hi.
> > 
> > On Thu, Jun 20, 2019 at 11:26:08PM +1000, Andrew McGlashan wrote:
> >> Is there a way to provide version of "4.92" easily or some other
> >> text to stop the likelihood of outsiders trying to pound on and
> >> exploit the server? Even though they won't be able to do
> >> successfully due to up to date patch status.
> > 
> > # rgrep banner /etc/exim4/
> > /etc/exim4/conf.d/main/02_exim4-config_options:# smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full
> > /etc/exim4/exim4.conf.template:# smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full
> > 
> > Replace v$version_number with 4.92 or set "smtp_banner" to whatever
> > you like.
> 
> Thank you, I've changed the banner for now; let's hope that lessens
> the problem.

Please share the results if possible.

On this particular MTA I've counted whopping 4 attempts to exploit
CVE-2019-10149 so far. One made from France, three from US.
I'm kind of disappointed, I've expected half a million Chinese and
Russian bots at least ;)

Reco



Re: Exim latest update reports to world as 4.89, which the world thinks is vulnerable.

2019-06-20 Thread Andrew McGlashan



On 20/6/19 11:45 pm, Reco wrote:
> Hi.
> 
> On Thu, Jun 20, 2019 at 11:26:08PM +1000, Andrew McGlashan wrote:
>> Is there a way to provide version of "4.92" easily or some other
>> text to stop the likelihood of outsiders trying to pound on and
>> exploit the server? Even though they won't be able to do
>> successfully due to up to date patch status.
> 
> # rgrep banner /etc/exim4/
> /etc/exim4/conf.d/main/02_exim4-config_options:# smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full
> /etc/exim4/exim4.conf.template:# smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full
> 
> Replace v$version_number with 4.92 or set "smtp_banner" to whatever
> you like.

Thank you, I've changed the banner for now; let's hope that lessens
the problem.

Besides the servers that I look after, it would help if others did the
same so as to lessen any "scare" campaigns based on false data from
Shodan.  Obviously many fewer servers are really vulnerable than the
figures are currently suggesting.

Kind Regards
AndrewM



Re: Exim latest update reports to world as 4.89, which the world thinks is vulnerable.

2019-06-20 Thread Andrew McGlashan



On 20/6/19 11:57 pm, Brian wrote:
> On Thu 20 Jun 2019 at 23:26:08 +1000, Andrew McGlashan wrote:
> 
>> # dpkg-query -l|grep \ exim|awk '{print $2,$3}'|column -t
>> exim4               4.89-2+deb9u4
>> exim4-base          4.89-2+deb9u4
>> exim4-config        4.89-2+deb9u4
>> exim4-daemon-heavy  4.89-2+deb9u4
>> exim4-doc-html      4.89-1
>> 
>> Is there a way to provide version of "4.92" easily or some other
>> text to stop the likelihood of outsiders trying to pound on and
>> exploit the server? Even though they won't be able to do
>> successfully due to up to date patch status.
> 
> You really, really think changing a version number increases or 
> decreases the likelihood of automated server probes happening?

Yes, if "candidates" are chosen and then advertised to bots to go and
do the work, instead of doing the work against any and every server,
for sure.  If this was a quick and simple exploit, the answer would be
no, but this exploit takes considerable time before a result is known
or attained from the attempt.

> Doesn't doing this qualify as security through obscurity?

Yes, but sometimes that simply works.

Kind Regards
AndrewM



Re: Exim latest update reports to world as 4.89, which the world thinks is vulnerable.

2019-06-20 Thread Brian
On Thu 20 Jun 2019 at 23:26:08 +1000, Andrew McGlashan wrote:

> # dpkg-query -l|grep \ exim|awk '{print $2,$3}'|column -t
> exim4   4.89-2+deb9u4
> exim4-base  4.89-2+deb9u4
> exim4-config4.89-2+deb9u4
> exim4-daemon-heavy  4.89-2+deb9u4
> exim4-doc-html  4.89-1
> 
> Is there a way to provide version of "4.92" easily or some other text
> to stop the likelihood of outsiders trying to pound on and exploit the
> server? Even though they won't be able to do successfully due to up to
> date patch status.

You really, really think changing a version number increases or
decreases the likelihood of automated server probes happening?
Doesn't doing this qualify as security through obscurity?

-- 
Brian.



Re: Exim latest update reports to world as 4.89, which the world thinks is vulnerable.

2019-06-20 Thread Greg Wooledge
On Thu, Jun 20, 2019 at 11:26:08PM +1000, Andrew McGlashan wrote:
> Shodan [1] reports loads of vulnerable [2] servers running pre 4.92
> versions of Exim, those include Debian Exim variants reporting 4.89
>  even for fully patched servers.

General answer:

https://www.debian.org/security/faq
(especially )

For this particular issue:

https://www.debian.org/security/2019/dsa-4456
https://security-tracker.debian.org/tracker/CVE-2019-10149

And the entry in the Debian changelog for the stretch package:

=
exim4 (4.89-2+deb9u4) stretch-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix remote command execution vulnerability (CVE-2019-10149)

 -- Salvatore Bonaccorso   Tue, 28 May 2019 22:13:55 +0200
=



Re: Exim latest update reports to world as 4.89, which the world thinks is vulnerable.

2019-06-20 Thread Reco
Hi.

On Thu, Jun 20, 2019 at 11:26:08PM +1000, Andrew McGlashan wrote:
> Is there a way to provide version of "4.92" easily or some other text
> to stop the likelihood of outsiders trying to pound on and exploit the
> server? Even though they won't be able to do successfully due to up to
> date patch status.

# rgrep banner /etc/exim4/
/etc/exim4/conf.d/main/02_exim4-config_options:# smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full
/etc/exim4/exim4.conf.template:# smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full

Replace v$version_number with 4.92 or set "smtp_banner" to whatever you like.
Bounce exim.

Reco