
The Exim4 Bug Fallout

Exim4 is a popular open source email server often used by organizations that run their critical services on Linux. Version 4.69 of this package is vulnerable to a remote buffer overflow exploit that gives the attacker the privileges of the user account running the Exim4 software. This vulnerability was being exploited long before the software bug was publicly discussed and fixed.

The most common exploit for this vulnerability relies on an initial large upload to the email server. This upload is over 50 megabytes in size, which is much larger than most acceptable emails. In fact, most email servers will reject emails larger than 10 megabytes.

By filtering on server port 25 (SMTP) and selecting sessions with client bytes of at least 10 megabytes, we can find communications that are out of the ordinary for an email server. Here is a view from the session explorer:

Using the above filter, we can quickly see that this exploit is being attempted by many systems all over the world, indicating worm-like behavior. Before this attack became known, signature-based intrusion detection systems were unable to pick it up. By selecting a timeframe of 3 or even 6 months back, we can see that this exploit has actually been around for a while! Check out the filter box:
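The same filter, expressed as code rather than as a session-explorer query, is shown below. This is an added example and not FlowTraq's own code: it applies the "server port 25, client bytes at least 10 MB" condition to a handful of constructed NetFlow-style session records, then widens the lookback window (7, 90 and 180 days) to show how the count of matching sessions and distinct source addresses grows, which is what the post's filter box view demonstrates. The `Session` record layout, the sample addresses and timestamps, and the `NOW` reference point are all assumptions made for the example.

```python
# Added example (not FlowTraq's code): replicate the oversized-SMTP-upload
# filter from the post over constructed NetFlow-style session records.
from dataclasses import dataclass
from datetime import datetime, timedelta

MIB = 1024 * 1024


@dataclass
class Session:
    start: datetime
    client_ip: str
    server_ip: str
    server_port: int
    client_bytes: int   # bytes sent by the client, i.e. the upload direction
    server_bytes: int


# Constructed reference time and sample sessions: ordinary mail, a large
# HTTP download (not SMTP), and oversized SMTP uploads from several clients
# spread over the past months. None of these values come from the post.
NOW = datetime(2010, 12, 15, 12, 0, 0)
SAMPLE_SESSIONS = [
    Session(NOW - timedelta(hours=1),  "198.51.100.10", "192.0.2.25", 25, 48_000,   2_100),
    Session(NOW - timedelta(hours=2),  "198.51.100.11", "192.0.2.25", 25, 9 * MIB,  3_000),
    Session(NOW - timedelta(hours=3),  "198.51.100.12", "192.0.2.80", 80, 60 * MIB, 5_000),
    Session(NOW - timedelta(days=2),   "203.0.113.5",   "192.0.2.25", 25, 52 * MIB, 4_000),
    Session(NOW - timedelta(days=40),  "203.0.113.77",  "192.0.2.25", 25, 55 * MIB, 4_200),
    Session(NOW - timedelta(days=120), "203.0.113.77",  "192.0.2.25", 25, 51 * MIB, 4_100),
    Session(NOW - timedelta(days=200), "192.0.2.200",   "192.0.2.25", 25, 53 * MIB, 4_300),
]


def oversized_smtp_uploads(sessions, *, since, min_client_bytes=10 * MIB, smtp_port=25):
    """Return the sessions matching the post's filter: server port 25 (SMTP),
    client bytes at or above the threshold, and a start time at or after `since`."""
    return [
        s for s in sessions
        if s.server_port == smtp_port
        and s.client_bytes >= min_client_bytes
        and s.start >= since
    ]


def summarize(sessions, *, lookback_days, now=NOW):
    """Apply the filter over a lookback window and summarize what a session
    explorer would show: how many sessions matched, how many distinct client
    addresses were involved (many clients suggests worm-like spread), and how
    far back the earliest match lies."""
    hits = oversized_smtp_uploads(sessions, since=now - timedelta(days=lookback_days))
    earliest = min((s.start for s in hits), default=None)
    return {
        "sessions": len(hits),
        "distinct_clients": len({s.client_ip for s in hits}),
        "earliest_days_ago": None if earliest is None else (now - earliest).days,
    }


if __name__ == "__main__":
    # Widening the window is what reveals that the activity predates the public fix.
    for days in (7, 90, 180):
        print(f"last {days:3d} days:", summarize(SAMPLE_SESSIONS, lookback_days=days))
```

Note that the 9 MiB message and the 60 MiB HTTP transfer are both excluded, one by the byte threshold and one by the port, while the 53 MiB upload from 200 days ago only appears once the window is widened past it; in a real deployment the threshold should sit just above the mail server's configured message size limit so that legitimate large attachments do not match.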
