11.Locks IsometricPattern Esm W900

Exim may be the Internet’s most popular email server, but the MTA’s recent history with security vulnerabilities is concerning to say the least. This past Friday, the Exim team warned about a critical flaw in its software, affecting all Exim servers running version 4.92.1 and before. When exploited, the bug enables attackers to run malicious code with root privileges. Exim released version 4.92.2 on Friday, September 6, to address the issue, and recommends that users running a prior version of Exim update immediately.

Although this critical vulnerability appeared in the media only a few days ago, it is not a new threat. In fact, the bug was first reported in early July by a security researcher named Zerons, and was secretly patched by the Exim team. 

To make matters worse for Exim and its users, a new strain of ransomware dubbed Lilocked (or Lilu for short), which was discovered by security researcher Michael Gillespie, has been infecting Linux-based servers running either a vulnerable version of the Exim MTA or a compromised WordPress blog since mid-July. The rate of these infections has increased significantly over the past two weeks. Lilocked is a privilege escalation attack: the exploit results in an attacker obtaining “super user” privileges, and thus gaining complete access to a compromised system. Because the initial entry point for the Lilocked ransomware is currently unknown, it is impossible to offer specific advice on how users can protect themselves. However, Linux server owners are advised to keep applications updated with security patches and to use unique passwords for all of their accounts.

In the context of these recent vulnerabilities and exploits, it is easy to label Linux and Open Source as “vulnerable” or “insecure”. However, doing so is unfair as well as incorrect. Unlike Windows and MacOS, Linux is a multi-user environment (a characteristic that the OS inherited from Unix) where users are granted specific privileges. This design prevents the compromise of one user account from impacting an entire system. In order to gain control over a Linux system, malware would have to gain root access to the system. 


Vulnerabilities exist in every system, and in terms of security vulnerabilities, Linux has a relatively clean record when compared to other popular operating systems. In the words of Linux creator Linus Torvalds, “Given enough eyeballs, all bugs are shallow”. Because of the intense review that Linux is continuously undergoing from security experts in the Open Source community, vulnerabilities are quickly identified and fixed. Because of this, as well as the way in which Linux manages privileges, relatively few viruses and worms are written to attack Linux systems. In comparison, proprietary operating systems like Microsoft Windows are easy targets for malicious coders, making them frequent victims of malware and viruses. This year, a total of 700 vulnerabilities in Microsoft Windows were disclosed, 189 of which were classified as critical.

Exim, however, is a notoriously insecure mail server. In spite of this, it has a market share of over 57 percent, due to the fact that the MTA has been bundled with many Linux distros, including Debian and Red Hat. Thus, the frequent security bugs and exploits involving Exim affect a large number of Linux users, but are not a reflection of the inherent security of the Linux OS.

If your company uses Exim and is concerned about the mailer’s security posture, you may want to look into Postfix. Postfix was designed by Wietse Venema at IBM Thomas J. Watson Research Center as a secure alternative to the popular but vulnerable Sendmail program. In addition to being highly secure, Postfix is fast and easy to administer. Postfix is currently the second most widely used mail server (after Exim), with a market share of over 34 percent.

Have you been affected by the recent Exim vulnerability or the Lilocked ransomware outbreak? Are you concerned about the security of your system? Please do not hesitate to reach out and share your story. The members of the LinuxSecurity team will do our best to offer advice and help out in any way that we can.