Critical Exim flaw exploitable locally and remotely, patch ASAP!

A critical vulnerability in Exim, the mail transfer agent (MTA) deployed on over half of all Internet-facing mail servers, may allow attackers to run commands as the “root” user.


About CVE-2019-10149

CVE-2019-10149 was discovered by Qualys researchers. It is a remote command execution vulnerability that is exploitable instantly by a local attacker and by a remote attacker in certain non-default configurations.

“The vulnerability is critical: it allows a local user to easily run commands as root due to an issue in the deliver message code – a local user apparently can just send an e-mail to the address ${run{…}@localhost (where localhost is one of Exim’s local domains) and get the command executed as root,” SANS ISC handler Bojan Zdrnja noted.

Qualys researchers say that, to remotely exploit this vulnerability in the default configuration, an attacker must keep a connection to the vulnerable server open for 7 days (e.g., by transmitting one byte every few minutes).

“However, because of the extreme complexity of Exim’s code, we cannot guarantee that this exploitation method is unique; faster methods may exist,” they added.

“Exim is vulnerable by default since version 4.87 (released on April 6, 2016), when #ifdef EXPERIMENTAL_EVENT became #ifndef DISABLE_EVENT; and older versions may also be vulnerable if EXPERIMENTAL_EVENT was enabled manually. Surprisingly, this vulnerability was fixed in version 4.92 (released on February 10, 2019).”

The Exim maintainers have fixed the vulnerability in that last version without being aware of it, and have now provided patches for the vulnerable earlier versions, although they did point out that those are considered to be outdated and not supported by the developers anymore.


“Shodan search results show over 4.1 million systems running versions of Exim that are considered vulnerable (4.87-4.91), while 475,591 are running the latest patched version (4.92), Tenable researchers warned.

“In other words, nearly 90% of systems with Exim are vulnerable to local exploitation and potentially to remote exploitation based on the configuration.”


Qualys initially released only vulnerability details, but their advisory now also provides exploitation details.

Exim maintainers said on Thursday that they received a report of a possible remote exploit, but that there is currently “no evidence of an active use of this exploit.”

It is expected that attackers will soon come up with a working exploit, so server administrators are urged to upgrade Exim to version 4.92 or apply the patches on the older versions.

Don't miss