After updating the firmware on our MX to 16.15 we started receiving IDS alerts: SERVER-OTHER Exim unauthenticated remote code execution attempt.
Sophos has a similar problem but released a patch.
Anyone else experiencing the same issue with their MX?
I haven't seen that issue, but I don't think we have anyone using in house email anymore. Everyone uses Office 365.
No issues, and again, everyone uses Office 365.
I had these happen over the last couple of weeks and they have been going away. The biggest one I have now is mask-api.icloud.com.
We have seen this too... have an open ticket with Meraki support.
Any update from Meraki support?
I have found these to be internal IDS traffic alerts. Seems like an IDS false positive. Our IDS settings are set to prevention and security; curious if you're using the same?
We never got a satisfactory answer from Meraki... they basically passed the buck. We are still seeing some "allowed" traffic flagged under the Exim event, almost exclusively from Google and Amazon addresses. Continuing to review with another one of our security vendors.
Let us know what comes of it. Still trying to figure it out. I know Exim is SMTP traffic, but it's being triggered on TLS 1.2 connections.
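The observation above (an Exim signature firing on TLS 1.2 connections to web and CDN addresses) suggests a first-pass triage that the thread does not spell out: Exim is an SMTP daemon, so a match on a connection to a non-SMTP port cannot be an Exim exploit attempt, whatever bytes happened to match the pattern. The script below is an added example, not code from any poster or from Meraki. The alert record layout (signature, source, destination, destination port, action) and the sample alerts are constructed for illustration, using documentation address ranges; the benign-network list is a placeholder the operator would fill in, not a real vendor netblock.

```python
"""Triage Exim-signature IDS alerts by whether the traffic could even be SMTP.

Added example. Record format and sample data are constructed assumptions,
not the real Meraki security-event export format.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Ports on which an SMTP daemon such as Exim would actually be listening.
SMTP_PORTS = {25, 465, 587}
EXIM_SIG = "SERVER-OTHER Exim unauthenticated remote code execution attempt"


@dataclass(frozen=True)
class Alert:
    signature: str
    src: str
    dst: str
    dst_port: int
    action: str  # "allowed" or "blocked", as the IDS reported it


# Constructed sample alerts (RFC 5737 documentation ranges and RFC 1918 space).
SAMPLE_ALERTS = [
    Alert(EXIM_SIG, "10.0.1.25", "203.0.113.10", 443, "allowed"),   # HTTPS to a CDN
    Alert(EXIM_SIG, "10.0.1.25", "198.51.100.7", 443, "allowed"),   # HTTPS to cloud
    Alert(EXIM_SIG, "10.0.2.40", "10.0.1.5", 445, "allowed"),       # SMB over site-to-site VPN
    Alert(EXIM_SIG, "192.0.2.77", "10.0.1.9", 25, "blocked"),       # inbound to port 25
    Alert("OTHER signature", "10.0.1.25", "203.0.113.10", 443, "allowed"),
    Alert(EXIM_SIG, "10.0.1.25", "203.0.113.20", 25, "allowed"),    # SMTP to approved relay
]

# Operator-approved destinations for this signature (placeholder, hypothetical).
KNOWN_BENIGN_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def classify(alert: Alert) -> tuple[str, str]:
    """Return (verdict, reason) for one alert."""
    if alert.signature != EXIM_SIG:
        return ("other", "not the Exim signature")
    # Exim only speaks SMTP; a hit on any other port is pattern noise,
    # for example a byte sequence inside a TLS record on 443.
    if alert.dst_port not in SMTP_PORTS:
        return ("likely_false_positive",
                f"dst port {alert.dst_port} is not an SMTP port")
    dst = ipaddress.ip_address(alert.dst)
    if any(dst in net for net in KNOWN_BENIGN_NETS):
        return ("likely_false_positive", "destination in operator-approved range")
    if dst.is_private:
        return ("investigate", "SMTP port on an internal host; confirm whether it runs Exim")
    return ("investigate", "SMTP port on an external host")


def triage(alerts):
    """Classify every alert; return (verdict counts, per-alert report)."""
    counts = Counter()
    report = []
    for a in alerts:
        verdict, reason = classify(a)
        counts[verdict] += 1
        report.append((a, verdict, reason))
    return counts, report


if __name__ == "__main__":
    counts, report = triage(SAMPLE_ALERTS)
    for alert, verdict, reason in report:
        print(f"{verdict:22} {alert.src} -> {alert.dst}:{alert.dst_port} ({reason})")
    print(dict(counts))
```

The port check is the useful part: it separates hits that are impossible by construction (no SMTP daemon on 443 or 445) from the few that land on a real SMTP port and deserve a look at the destination host. Tuning the rule to ignore only non-SMTP ports, where the IDS allows it, keeps a genuine hit on port 25 visible; whitelisting the whole signature does not.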
Any updates on this? I have a ticket open about the same thing. Some of them are triggered just communicating with Meraki's website.
My ticket was closed by Meraki support. Was told they are not security consultants.
How did you track this down to communicating with Meraki's website?
Interesting that would be their response. I will see what they say. The IP is in the log so just traced it back to Meraki's IP.
I'm also suddenly receiving a bunch of these IDS alerts. Ours seemed to start after we added a second location/Meraki MX and configured a site-to-site VPN tunnel. The alerts are triggering on traffic traversing the site-to-site VPN tunnel, both on traffic destined for an internal server and on outbound traffic to the internet (AWS and Akamai addresses, etc.).
Have you found why it's being triggered, or how to stop it besides whitelisting?
No, I whitelisted the rule for now.