I’m willing to bet that you heard the phrase “Mistakes happen” quite a bit throughout childhood. That’s because it’s true: we all make mistakes, especially as kids. But it’s also expected that after you make a mistake once, you don’t make the same mistake twice.
Apparently, this lesson doesn’t carry into adulthood, because quite a few mistakes are taking place security-wise and it’s exhausting. Today’s mistake? Servers.
Recently, the open-source email server Exim ran into quite the problem when a security vulnerability was found that still runs amok on many machines today.
1. The Flaw in the Past
The security flaw that Exim is experiencing has actually been an issue since April 2016, in server version 4.87. A security problem running for over two years is bad business, but if Google can do it then I guess it’s fine for other companies.
The security issue comes in the form of an exploit, a trick that takes advantage of a weakness in a system. All a hacker would need to do is find a machine using Exim with its default settings (something that is extremely common in the IT world), send an email to a certain email address, and that’s it. From then on, the attacker can essentially act as administrator, running commands that only top-level professionals would be able to use. And the even worse news is that attackers can do some of this remotely.
I want to clarify the widespread nature of this exploit. This isn’t one or two servers in a company; Exim is used on millions of servers across the world, more than 3 million of them in the U.S. alone.
2. “Quickly” Fixing the Issue
There is some good news to this story. Exim developers commented that they were aware of this exploit and patched it in version 4.92, released in February of 2019. Yep, it only took almost two years, but it was fixed.
While this might be good for newer servers and machines that use Exim, the vulnerability is still a huge issue for millions of machines. Shodan shows that almost 5 million machines are running a vulnerable version of Exim.
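One practical check that follows from the version numbers above, written for this post as an added example (it is not code from the original post or from the Exim project): a short Python script that reads Exim version banners, here constructed samples rather than real hosts, and flags the ones in the affected range, assuming, as the post states, that the bug is present from 4.87 onward and fixed in 4.92.

```python
import re

# Affected range as the post describes it: present since Exim 4.87, fixed in 4.92,
# so 4.87 <= version < 4.92 is treated as affected (assumption taken from the post).
FIRST_AFFECTED = (4, 87)
FIXED_IN = (4, 92)

# Matches "Exim 4.89" or "Exim 4.86.2" in an SMTP greeting or `exim -bV` output.
BANNER_RE = re.compile(r"\bExim\s+(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)

def parse_exim_version(banner):
    """Return (major, minor) from a banner line, or None if no Exim version is present.
    Pre-release suffixes such as '-RC1' are ignored and treated as the base version."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))

def is_affected_version(version):
    return FIRST_AFFECTED <= version < FIXED_IN

def classify_banner(banner):
    """Return 'affected', 'patched', 'older' or 'unknown' for one banner line.
    'older' only means older than the affected range, not that the host is safe."""
    v = parse_exim_version(banner)
    if v is None:
        return "unknown"
    if is_affected_version(v):
        return "affected"
    if v < FIRST_AFFECTED:
        return "older"
    return "patched"

def triage(banners):
    """Group banner lines by status so a patch list can be produced."""
    report = {"affected": [], "patched": [], "older": [], "unknown": []}
    for b in banners:
        report[classify_banner(b)].append(b)
    return report

# Constructed sample banners (not real hosts), in the shape of SMTP 220 greetings.
SAMPLE_BANNERS = [
    "220 mail.example.test ESMTP Exim 4.89 Mon, 10 Jun 2019 09:00:00 +0000",
    "220 mx1.example.test ESMTP Exim 4.92 Mon, 10 Jun 2019 09:00:00 +0000",
    "220 legacy.example.test ESMTP Exim 4.86.2 Mon, 10 Jun 2019 09:00:00 +0000",
    "220 other.example.test ESMTP Postfix",
]

if __name__ == "__main__":
    for status, lines in triage(SAMPLE_BANNERS).items():
        for line in lines:
            print(f"{status:8s} {line}")
```

A banner is only a hint: administrators who hide or rewrite the greeting should check the installed package version directly.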
With Exim having a market share of 57% of mail servers, this exploit is an abhorrent case of neglect of security. With this exploit being revealed to the world, that neglect will start to show as servers fall victim to attacks. If the administrators of these machines don’t patch them, it could be catastrophic for millions of users: personal information, sensitive emails, all stolen by a hacker with low-level access.
3. A Track Record
I wish I could defend Exim and say this is their first mistake and that it’s OK, but it’s really not. Never announcing an exploit as dangerous as it is and waiting a year and a half to patch it is unacceptable for a company as big as they are, and it’s not like consumers could do anything. This isn’t something that simple use of VPN software could fix. This goes all the way to the top. And this isn’t even their first security flaw!
In February, the decoding used in Exim servers allowed critical data on those servers to be overwritten. When faced with controversy, Exim responded that they were “unsure about the severity, we believe an exploit is difficult.” Patches were made, but it was a slow roll-out, apparently not an urgent matter for Exim.
I’ve written a lot about companies and their security flaws, and I do believe that mistakes can happen through situations no one could think of at the time, or through oversights I would probably have made myself. But when you’re the number one e-mail server in the world, you need to have a sense of urgency about your mistakes. If you make a mistake, it’s on you to fix it, and waiting a year and a half for the problem to go away is asking for trouble.