Following the NSA's warning that a Russian hacker group has been exploiting a known vulnerability in Exim, please find commentary from an industry leader below.
The NSA’s revelation that a Russian military group is targeting an open source vulnerability – reported nearly a year ago – is an extreme example of what can happen when businesses don’t practice proper software hygiene.
With as many as 57% of publicly reachable mail servers on the Internet using Exim, if businesses are using unpatched versions, the scale of attacks could be huge. The flaw has been listed on the National Vulnerability Database since 2019, and safe versions are available, so in theory, companies should be protected. But theory and practice are sadly very different, and all too often companies fail to fix faults in their software.
The incident once again brings software hygiene to the fore, and underscores the urgent need for businesses to maintain a software ‘bill of materials’ to manage, track and monitor components in their applications, and to identify, isolate, and remove vulnerabilities like this one. Without one, they’re in a race against time to try and find the flaw before their adversaries do. Yet worryingly, only 53% of organisations track what’s going into their software.
Companies using Exim must patch their software urgently to prevent a breach. However, it's important that as an industry, we recognise that these kinds of attacks aren't isolated events. Vulnerabilities that are known, but older, are prime targets for attack campaigns – companies without open source practices may forget such flaws exist. But hackers won't. This latest incident shows that it has become open season on open source, and until software supply chain security best practices become commonplace, hacker groups will continue to target such applications.
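The commentary above argues for a software bill of materials that can be checked against known flaws. What follows is an added example, not code from the article or from the quoted commenter, showing what that check looks like in practice: a small constructed CycloneDX-style inventory is matched against a constructed advisory entry, and an Exim version is also recovered from the SMTP greeting that Exim sends by default, so that Internet-facing mail servers missing from the inventory can still be found. The hostnames, the advisory id and its version bounds are placeholders chosen for illustration; the real bounds belong in the advisory feed, not in the script.

```python
"""
Added example (not part of the article or the quoted commentary): match a
software bill of materials against an advisory list to find components that
run an affected version, and recover an Exim version from its SMTP banner.

Everything below is constructed for illustration: the hosts, the SBOM
entries, the advisory id and its version bounds.
"""
import re

# Constructed SBOM in a minimal CycloneDX-like shape: one entry per component per host.
SBOM = {
    "components": [
        {"name": "exim", "version": "4.91", "host": "mx1.example.internal"},
        {"name": "exim", "version": "4.92.3", "host": "mx2.example.internal"},
        {"name": "openssl", "version": "1.1.1d", "host": "mx1.example.internal"},
    ]
}

# Constructed advisory: affected from 'affected_from' (inclusive) up to
# 'fixed_in' (exclusive). Placeholder bounds, not taken from any real advisory.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "component": "exim", "affected_from": "4.87", "fixed_in": "4.92"},
]


def parse_version(v):
    """Turn '4.92.3' into (4, 92, 3). A single trailing letter, as in
    OpenSSL's '1.1.1d', becomes an extra numeric field so '1.1.1d' > '1.1.1'."""
    parts = []
    for piece in v.split("."):
        m = re.fullmatch(r"(\d+)([a-z]?)", piece)
        if not m:
            raise ValueError(f"unparseable version component {piece!r}")
        parts.append(int(m.group(1)))
        if m.group(2):
            parts.append(ord(m.group(2)) - ord("a") + 1)
    return tuple(parts)


def is_affected(version, advisory):
    """True when affected_from <= version < fixed_in."""
    v = parse_version(version)
    return parse_version(advisory["affected_from"]) <= v < parse_version(advisory["fixed_in"])


def find_exposed(sbom, advisories):
    """Return (host, component, version, advisory id) for every inventory
    entry whose version falls inside an advisory's affected range."""
    hits = []
    for comp in sbom["components"]:
        for adv in advisories:
            if comp["name"] == adv["component"] and is_affected(comp["version"], adv):
                hits.append((comp["host"], comp["name"], comp["version"], adv["id"]))
    return hits


# Exim's default greeting is "<host> ESMTP Exim <version> <date>", so the
# version is visible to anyone who can reach port 25.
BANNER_RE = re.compile(r"^220\s+\S+\s+ESMTP\s+Exim\s+(\d+(?:\.\d+)+)")


def exim_version_from_banner(banner):
    """Extract the version from an Exim SMTP greeting; None for other MTAs."""
    m = BANNER_RE.match(banner)
    return m.group(1) if m else None


# Constructed greetings, as a scanner connecting to port 25 would record them.
BANNERS = {
    "mx1.example.internal": "220 mx1.example.internal ESMTP Exim 4.91 Tue, 02 Jun 2020 10:00:00 +0000",
    "mx3.example.internal": "220 mx3.example.internal ESMTP Postfix",
}


def inventory_from_banners(banners):
    """Build an SBOM-shaped inventory from observed greetings, so hosts that
    never made it into the written bill of materials can be checked too."""
    comps = []
    for host, banner in banners.items():
        ver = exim_version_from_banner(banner)
        if ver:
            comps.append({"name": "exim", "version": ver, "host": host})
    return {"components": comps}


if __name__ == "__main__":
    for hit in find_exposed(SBOM, ADVISORIES):
        print("AFFECTED (from SBOM):   host=%s %s %s (%s)" % hit)
    for hit in find_exposed(inventory_from_banners(BANNERS), ADVISORIES):
        print("AFFECTED (from banner): host=%s %s %s (%s)" % hit)
```

The two inputs answer different questions: the SBOM says what you believe is deployed, the banner says what is actually listening. A host that appears in the banner results but not in the SBOM is exactly the kind of forgotten component the commentary warns about, and a mismatch between the two versions for the same host means the inventory has drifted and cannot be trusted for the next advisory either.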
Information Security Buzz (aka ISBuzz News) is an independent resource that provides expert comments, analysis and opinion on the latest Information Security news and topics.