A Vulnerability in Exim Could Allow for Remote Command Execution

ITS Advisory Number: 
2019-092
Date(s) Issued: 
Monday, September 9, 2019
Subject: 
A Vulnerability in Exim Could Allow for Remote Command Execution
Overview: 

OVERVIEW:

A vulnerability has been discovered in Exim that could allow unauthenticated remote attackers to execute arbitrary system commands when initiating TLS connections to affected mail servers. Local attackers can exploit it through similar means. Exim is a mail transfer agent used to run mail servers on Unix-like systems. Successful exploitation gives the attacker command execution as root in the context of the mail server. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.


THREAT INTELLIGENCE:

Qualys researchers have analyzed the PoC exploit that triggers this vulnerability. However, the PoC exploit has not yet been made public. This vulnerability does not affect the latest version, Exim 4.92.2.

Systems Affected: 
  • Exim versions prior to 4.92.2
RISK
GOVERNMENT
  Large and medium government entities: High
  Small government entities: Medium
BUSINESS
  Large and medium business entities: High
  Small business entities: Medium
Home Users: Low
Description: 

A vulnerability has been discovered in Exim that could allow both local and unauthenticated remote attackers to execute arbitrary system commands when initiating a TLS handshake with the mail server.


This vulnerability is a buffer overflow in the SMTP delivery process of the mail server's default runtime configuration. The overflow can be triggered when a local or unauthenticated remote user sends a crafted Server Name Indication (SNI) ending in a backslash-null sequence during the initial TLS handshake. Depending on the server's configuration, it is also exploitable by sending a crafted client TLS certificate.
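To illustrate the bug class the description refers to, here is an added example that is not Exim's code and not the affected routine itself: a minimal escape-interpreting copy in which a string ending in a lone backslash makes the loop treat the terminating NUL as the escaped byte and keep reading past the end of the input, beside a hardened version that rejects a trailing backslash. The input bytes (`probe`) are constructed for the demonstration.

```c
/* Illustrative model of a trailing-backslash overrun (not Exim source). */
#include <stdio.h>
#include <string.h>

/* Constructed input: the intended string is "ab\" but the bytes "XY" sit
 * right after its NUL terminator, as neighbouring memory would in practice. */
static const char probe[] = "ab\\\0XY";

/* Unsafe: after a backslash it takes the next byte unconditionally, so a
 * lone backslash at the end swallows the NUL and the loop walks on into
 * whatever follows the string. Returns the number of bytes written. */
int unescape_unsafe(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    while (*in && n + 1 < outsz) {
        char c = *in++;
        if (c == '\\')
            c = *in++;          /* no check that *in is not the terminator */
        out[n++] = c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Hardened: a backslash must be followed by a real character.
 * Returns -1 (and an empty output) if the input ends in a lone backslash. */
int unescape_safe(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    while (*in && n + 1 < outsz) {
        char c = *in++;
        if (c == '\\') {
            if (*in == '\0') { out[0] = '\0'; return -1; }
            c = *in++;
        }
        out[n++] = c;
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char out[16];
    int n = unescape_unsafe(probe, out, sizeof out);
    printf("unsafe: strlen(in)=%zu but wrote %d bytes (out[3]='%c')\n",
           strlen(probe), n, out[3]);               /* 3 vs 5, 'X' */
    printf("safe:   rc=%d\n", unescape_safe(probe, out, sizeof out)); /* -1 */
    return 0;
}
```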


Successful exploitation of this vulnerability will enable the attacker to perform command execution as root in the context of the mail server. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Actions: 
  • After appropriate testing, immediately apply patches provided by Exim to vulnerable systems.
  • Before applying the patch, verify that no unauthorized modifications have been made to the system.
  • Apply the principle of Least Privilege to all systems and services.
  • Remind users not to open emails, download attachments, or follow links provided by unknown or untrusted sources.