CVE-2019-15846 Exim mail server flaw allows Remote Code Execution

A security flaw in Exim mail servers could be exploited by local or remote attackers to execute arbitrary code with root privileges.

The Exim development team has addressed a vulnerability in Exim mail server, tracked as CVE-2019-15846, that could be exploited by local and remote attackers to execute arbitrary code with root privileges.

The vulnerability is a heap overflow that affects Exim mail servers up to and including version 4.92.1 that accept TLS connections. It affects builds against both GnuTLS and OpenSSL.

“A local or remote attacker can execute programs with root privileges,” reads the security advisory.

According to Shodan, over 5 million Exim mail servers are exposed on the Internet, most of them in the United States.

According to the Exim developers, the flaw can be triggered by an attacker sending an SNI ending in a backslash-null sequence during the initial TLS handshake.

“If your Exim server accepts TLS connections, it is vulnerable. This does not depend on the TLS library, so both GnuTLS and OpenSSL are affected,” reads the advisory.

“The vulnerability is exploitable by sending a SNI ending in a backslash-null sequence during the initial TLS handshake,” the advisory continues.

The developers confirmed that a proof-of-concept (PoC) exploit exists, but pointed out that they are not aware of attacks in the wild exploiting the issue.

Researchers from Qualys have developed a proof-of-concept (PoC) exploit code for the flaw.

Below is the timeline of the vulnerability:

  • 2019-07-21 – Report from Zerons to / Analysis by Qualys / Fix and tests
  • 2019-09-02 – CVE assigned
  • 2019-09-03 – Details to, / Grant access to the security repo
  • 2019-09-04 – Heads-Up to,
  • 2019-09-06 – 10.00 UTC Coordinated Release Date / Disclosure to oss-security, exim-users, public repositories

Possible mitigations consist of configuring the server not to accept TLS connections (which is not recommended) or adding rules to the access control list (ACL).
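As an added illustration of the ACL mitigation (not code from the article or the Exim project; the ACL name acl_check_mail and the reject messages are assumptions, while $tls_in_sni, ${substr}, ${if eq} and the deny/condition syntax are standard Exim), the following fragment rejects any session whose TLS SNI ends in a backslash:

```exim
# Added example, not from the article: an Exim ACL that rejects sessions whose
# TLS SNI ends in a backslash, the pattern CVE-2019-15846 depends on.
# Assumed: the ACL name acl_check_mail and the message texts; everything else
# is standard Exim configuration and string-expansion syntax.

# Main configuration section: run this ACL on every MAIL command.
acl_smtp_mail = acl_check_mail

begin acl

acl_check_mail:
  # $tls_in_sni is the server name the client sent in the TLS handshake
  # (empty on plaintext sessions, so the condition is false there).
  # substr{-1}{1} extracts the last character; \\ expands to one literal
  # backslash, so the condition is true only for a backslash-terminated SNI.
  deny    condition   = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
          message     = TLS SNI rejected
          log_message = SNI ends in backslash (CVE-2019-15846 pattern): $tls_in_sni

  accept
```

The rule only blocks the known trigger and only after STARTTLS has completed; upgrading to a fixed Exim release remains the actual fix.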

In June, security experts reported that millions of mail servers running vulnerable Exim mail transfer agent (MTA) versions were under attack: threat actors were exploiting the CVE-2019-10149 flaw to take them over.

The critical vulnerability affected versions 4.87 to 4.91 of the Exim mail transfer agent (MTA) software. The flaw could be exploited by unauthenticated remote attackers to execute arbitrary commands on mail servers for some non-default server configurations.

A few days later, malware researchers at Cybaze-Yoroi ZLAB observed many attack attempts trying to spread malware abusing the CVE-2019-10149 issue.

Pierluigi Paganini
