These claims were made by a number of tech sites based on Exim version numbers which had been ascertained through the search engine Shodan. The original advisory from Qualys said the bug had been patched in version 4.92, while versions from 4.87 to 4.91 were vulnerable.
The vulnerability allows remote command execution, letting an attacker execute arbitrary commands as root.
Responding to queries from iTWire, Jimmy Graham, senior director of Product Management at Qualys, agreed that the claims were overblown, given that Shodan could not provide any indication as to whether the main configuration file of Exim had been changed - and that was a vital factor in determining how soon a server could be exploited.
"Hence, all the claims in various media that millions of Exim servers are being attacked based on the version numbers seen on Internet servers — which are obtained through a Shodan search — don't really stack up, do they?"
Graham said: "True: Based on the version numbers, it is impossible to know the number of Exim servers that are being *attacked*. Two reasons:
"It is impossible to know how many servers are *patched*. The only thing we know for sure is that all 4.92 servers *are* patched, but maybe all others are vulnerable, or maybe they are all patched (backported fixes); we do not know."
He added that among the vulnerable servers, it was impossible to know how many were *exploitable* by the current attacks/worms.
"As far as we know, the worms only use the 'instant' version of the exploit (non-default configs), not the seven-day version (default config), and the version number does not tell us whether the config is default or not."
It was pointed out to Qualys that the writer of the original advisory had been at pains to explain that Exim set-ups running the default configuration were difficult to exploit through this bug.
Graham said: "It is not very difficult, it just takes a long time (seven days) – but this time is likely just waiting on a script which would be automated by an attacker for targeted attacks, or in a worm for spreading to any vulnerable hosts.
"The bug was published 2 weeks ago, and it’s likely that attackers may have started to exploit default configurations days ago and may reap what they sowed in a few hours."