After updating the firmware on our MX to 16.15 we started receiving IDS alerts - SERVER-OTHER Exim unauthenticated remote code execution attempt.
Sophos has a similar problem but released a patch.
Anyone else experiencing the same issue with their MX?
Any update from Meraki support?
I have found this to be internal IDS Traffic alerts. Seems like an IDS false positive. Our IDS settings are set to prevention and security, curious if you're using the same?
We never got a satisfactory answer from Meraki... they basically passed the buck. We are still seeing some "allowed" traffic flagged under the Exim event, almost exclusively from Google and Amazon addresses. Continuing to review with another one of our security vendors.
Let us know what comes of it. Still trying to figure it out. I know Exim is SMTP traffic but it's being triggered with TLS 1.2 connections.
My ticket was closed by Meraki support. Was told they are not security consultants.
How did you track this down to communicating with Meraki website?
Interesting that would be their response. I will see what they say. The IP is in the log so just traced it back to Meraki's IP.
I'm also suddenly receiving a bunch of these IDS alerts. Ours seemed to start after we added a second location/Meraki MX and configured a site-to-site VPN tunnel. The alerts are triggering on traffic traversing the site-to-site VPN tunnel, both on traffic destined to an internal server and outbound to the internet (AWS & Akamai addresses, etc).