Critical Exim flaw opens servers to remote code execution, patch now!

The Exim mail transfer agent (MTA) is impacted by a critical vulnerability that may allow local or unauthenticated remote attackers to execute programs with root privileges on the underlying system.

exim CVE-2019-15846

About Exim

Exim is the most widely used MTA today and is deployed on over half of all Internet-facing mail servers.

It’s efficient, highly configurable, bundled with most Unix-like systems – and free.

About the vulnerability

CVE-2019-15846 affects Exim versions 4.80 to (and including) 4.92.1. A server will be vulnerable only if it accepts TLS connection.

Exim installations do not come with TLS support enabled by default, but those that are bundled with the various Linux distributions do.

CVE-2019-15846 is exploitable by sending a SNI ending in a backslash-null sequence during the initial TLS handshake, Exim maintainers explained.

The vulnerability has been fixed in Exim version 4.92.2, to which users are urged to upgrade. If they can’t, they can ask your package maintainer for a version containing the backported fix.

“On request and depending on our resources we will support you in backporting the fix,” the project maintainers added. “Please note, the Exim project officially doesn’t support versions prior the current stable version.”

They also offered several mitigations:

  • Do not to offer TLS (not recommended), and
  • Add specific rules to the mail access-control list (ACL) to prevent the currently known attack vector.

Ubuntu and Debian have already released updated distro or Exim packages. All production versions of cPanel & WHM have also been patched.

How likely is a wide exploitation of the flaw?

Similarly critical vulnerabilities affecting Exim were disclosed earlier this year. Attackers started exploiting one of them (CVE-2019-10149) a week after it’s existence was publicly revealed.

Exim maintainers say that a PoC exploit for CVE-2019-15846 exists, though it’s still not widely accessible. Though, according to Qualys researchers, who analyzed the vulnerability reported by a researcher that goes by “Zerons”, other exploitation methods may exist.

It’s hard to say just how many Internet-facing, Exim-running servers are out there and how many of them are vulnerable. Security Space puts the number around half a million, Shodan says there are over 5 million. Most of them likely still run a vulnerable version.

If your servers are among them, upgrade or patch quickly.