
Patch gap of over four years endangers Election Security

By Archis Gore

As the 2020 presidential election nears many are concerned about hackers influencing the vote.

According to a Cybersecurity Advisory from the National Security Agency (NSA) released in May 2020, one of the main vulnerabilities that Russian cyber actors have been exploiting since at least August 2019 is CVE-2019-10149 in the Exim Mail Transfer Agent (MTA) software. The majority of the attacks exploit a buffer overflow vulnerability, turning Exim’s own code against itself.

Notably, this vulnerability was introduced on April 6th, 2016 with version 4.87, but it was not disclosed until June 2019, when a patch was released alongside the disclosure. During this three-year gap between the discovery of the vulnerability and the release of the patch, users were unprotected and nothing stood in the attackers’ way. As Polyverse outlined in our Identifying the True Patch Gap whitepaper, this is not unusual: patch gaps of over 7 years can exist.

Even though multiple security teams have now patched the MTA vulnerability, as of July 27th, 2020 at least four US states are still running versions of Exim known to be targeted by cyber actors linked to the Russian military that interfered in prior United States elections. This highlights that there are clearly obstacles preventing users from applying patches in a timely way. Given that vulnerabilities will always exist, it is important that organizations have a way to ensure they are protected during any patch gap. One solution that could have provided that protection in this case is Polyverse Polymorphing.

Intuitively, as well as demonstrably, Polymorphing stops fly-by attacks that use these vulnerabilities. However, most attackers will not succeed on the first attempt; they will make a few mistakes. Whether or not you patch Exim, and whether or not you use Polymorphing, we have built an open-source tool to detect these attack attempts as they happen. A good first step would be to install Zerotect on all hosts running networked services and see whether you’re being targeted.
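As an added illustration of the detection idea above (this is not Zerotect's code and not part of the original post): a failed exploit attempt against a network service usually crashes it, so repeated crashes of the same daemon on one host within a few minutes are worth an alert. The script parses kernel segfault log lines and flags such bursts; the sample lines are constructed, and the watched process name `exim4`, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample kernel log lines (syslog prefix + the Linux kernel's
# segfault message). Three crashes of the mail daemon inside a few seconds
# are what a failed, retried exploit attempt typically leaves behind.
SAMPLE_LOG = """\
Jul 27 10:01:02 mail1 kernel: exim4[2211]: segfault at 0 ip 00005585d2a1b0c4 sp 00007ffd3a2c1a30 error 4 in exim4[5585d29e0000+1a0000]
Jul 27 10:01:09 mail1 kernel: exim4[2214]: segfault at 0 ip 00005585d2a1b0c4 sp 00007ffd3a2c1a30 error 4 in exim4[5585d29e0000+1a0000]
Jul 27 10:01:15 mail1 kernel: exim4[2219]: segfault at 0 ip 00005585d2a1b0c4 sp 00007ffd3a2c1a30 error 4 in exim4[5585d29e0000+1a0000]
Jul 27 11:30:00 mail1 kernel: chromium[4021]: segfault at 10 ip 00007f3c1d2e4f10 sp 00007ffe5b1c2d40 error 6 in libc-2.31.so[7f3c1d2b0000+178000]
"""

SEGFAULT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<comm>[^\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) .* error (?P<err>\d+) in (?P<obj>[^\[]+)\["
)

def parse_segfaults(text, year=2020):
    """One dict per kernel segfault line; lines that are not segfaults are skipped."""
    events = []
    for line in text.splitlines():
        m = SEGFAULT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "comm": m["comm"],
                       "pid": int(m["pid"]), "ip": m["ip"], "obj": m["obj"]})
    return events

def find_crash_bursts(events, watched=("exim4", "exim"), threshold=3,
                      window=timedelta(minutes=5)):
    """Alert once per (host, process) when a watched service crashes
    `threshold` times within `window`; other processes are ignored."""
    by_key = defaultdict(list)
    for e in events:
        if e["comm"] in watched:
            by_key[(e["host"], e["comm"])].append(e["ts"])
    alerts = []
    for (host, comm), times in by_key.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append({"host": host, "comm": comm, "first": times[i],
                               "count": threshold})
                break
    return alerts
```

Run it against the output of `journalctl -k` or `/var/log/kern.log` on each host; a burst from the mail daemon with an identical `ip` value across crashes is a strong hint that the same input is being replayed.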
