
Re: Exim latest update reports to world as 4.89, which the world thinks is vulnerable.
Hello,

On Thu, Jun 20, 2019 at 08:45:13PM +0100, Brian wrote:
> At least 2000,000,0000 hosts on the internet. You reckon you will be in
> the first tranche of targets?

I don't know about "amongst the first" but there are multiple
services scanning every port of the entire IPv4 space now and
selling access to the results, e.g. Shodan which has already been
mentioned. So the idea that you don't need to think about hostile
actors connecting to your service because you are 1 in 2bn or
whatever, is no longer sound.

For example, for over 10 years I have been putting ssh on a port
other than 22 where I was able to do so, just to cut down on noise in my
logs since every hostile knew to check port 22. This year for the
first time I am finding that mass scanners have found my alternate
port and are now doing dictionary attacks against it.

This is because the aforementioned scanning services have scanned
every port of my hosts and are selling the information that my host
has what looks like an sshd on so and so port. The operators of
botnets are buying this information and setting their botnets to try
SSH on those alternate ports too.

So any new bad actor who wants to scan for this vulnerability is
just going to buy access to a list of every host on the Internet
that has an open port 25, maybe an open port 25 running the
vulnerable versions of Exim if that is offered. That will be a very
manageable list of IPs. They won't have to do the scanning
themselves.

This is only going to get worse.

I don't think it's security through obscurity to try to hide
yourself from the hostiles if you have already taken steps to
protect yourself and it's just to reduce the amount of noise. I
think it's only security through obscurity if you don't fix it, try
to hide and would get exploited if you were found.

Having said that, I am in full agreement that the correct thing to
do if concerned about the SMTP banner is to change the SMTP banner,
not change the version of the software.

I might even go further and try to find a way to identify and log
people trying this exploit, so that they can be dealt with the same
way persistent SSH dictionary attackers are.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
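As an added example (not part of Andy's post and not Exim's own code), here is a small Python check an administrator can run against their own server to see whether the SMTP 220 greeting advertises an Exim version number, which is exactly what mass scanners and services like Shodan index. The hostname passed to `fetch_banner` and the sample greetings are constructed assumptions.

```python
import re
import socket

# Exim's default greeting is "$smtp_active_hostname ESMTP Exim $version_number $tod_full";
# the number after "Exim" is what scanners fingerprint. Sample greetings below are constructed.
EXIM_VERSION_RE = re.compile(r"\bExim\s+(\d+\.\d+(?:\.\d+)?)")


def parse_greeting(line: str) -> dict:
    """Split one SMTP greeting line into reply code, text and any advertised Exim version."""
    line = line.rstrip("\r\n")
    m = re.match(r"^(\d{3})[ -](.*)$", line)
    if not m:
        return {"code": None, "text": line, "exim_version": None}
    code, text = int(m.group(1)), m.group(2)
    ver = EXIM_VERSION_RE.search(text)
    return {"code": code, "text": text, "exim_version": ver.group(1) if ver else None}


def leaks_version(line: str) -> bool:
    """True when the greeting lets a scanner read the Exim version without sending a command."""
    return parse_greeting(line)["exim_version"] is not None


def fetch_banner(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """Connect to host:port (assumed to be your own server), read the greeting, then QUIT."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        lines = []
        while True:
            raw = f.readline().decode("utf-8", "replace")
            lines.append(raw)
            # A multi-line greeting uses "220-"; the final line uses "220 ".
            if not raw or len(raw) < 4 or raw[3] != "-":
                break
        s.sendall(b"QUIT\r\n")
    return "".join(lines)


if __name__ == "__main__":
    # Constructed greetings: Exim's default, and a banner with the version removed.
    for g in ["220 mail.example.com ESMTP Exim 4.89 Thu, 20 Jun 2019 20:45:13 +0100",
              "220 mail.example.com ESMTP"]:
        print(g, "->", "leaks version" if leaks_version(g) else "no version advertised")
```

The greeting comes from Exim's `smtp_banner` main option, whose default includes `$version_number`; setting it to a string without that variable removes the version, and running this check afterwards confirms what the world now sees.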