Firmware upgrade MX 16.x

Aztec_Ninja
Getting noticed

After updating the firmware on our MX to 16.15 we started receiving IDS alerts - SERVER-OTHER Exim unauthenticated remote code execution attempt.

Sophos has a similar problem but released a patch.

Anyone else experiencing the same issue with their MX?

13 Replies
PhilipDAth
Kind of a big deal

I haven't seen that issue, but I don't think we have anyone using in-house email anymore. Everyone uses Office 365.

HaniAbuelkhair4
Getting noticed

No issues, and again, everyone uses Office 365.

tomas209ca
Getting noticed

I had these happen the last couple of weeks and they have been going away. The biggest one I have now is mask-api.icloud.com

PDubs5150
Conversationalist

We have seen this too... have an open ticket with Meraki support.

Aztec_Ninja
Getting noticed

Any update from Meraki support?

I have found this to be internal IDS Traffic alerts. Seems like an IDS false positive. Our IDS settings are set to prevention and security, curious if you're using the same?


PDubs5150
Conversationalist

We never got a satisfactory answer from Meraki... they basically passed the buck. We are still seeing some "allowed" traffic flagged under the Exim event, almost exclusively from Google and Amazon addresses. Continuing to review with another one of our security vendors.

jhopkins
Comes here often

Let us know what comes of it. Still trying to figure it out. I know Exim is SMTP traffic but it's being triggered with TLS 1.2 connections.

jhopkins
Comes here often

Any updates on this? I have a ticket open about the same thing. Some of them are triggered just communicating with Meraki's website. 

Aztec_Ninja
Getting noticed

My ticket was closed by Meraki support. Was told they are not security consultants.

How did you track this down to communicating with Meraki website?


jhopkins
Comes here often

Interesting that would be their response. I will see what they say. The IP is in the log so just traced it back to Meraki's IP. 

NBP
Conversationalist

I'm also suddenly receiving a bunch of these IDS alerts. Ours seemed to start after we added a second location/Meraki MX and configured a site-to-site VPN tunnel. The alerts are triggering on traffic traversing the site-to-site VPN tunnel, both on traffic destined to an internal server and outbound to the internet (AWS & Akamai addresses, etc).

jhopkins
Comes here often

Have you found why it's being triggered or how to stop it besides whitelisting?

NBP
Conversationalist

No, I whitelisted the rule for now.
