A security flaw in Exim mail servers could be exploited by local or remote attackers to execute arbitrary code with root privileges.
The Exim development team has addressed a vulnerability in the Exim mail server, tracked as CVE-2019-15846, that could be exploited by local and remote attackers to execute arbitrary code with root privileges.
The vulnerability is a heap overflow that affects Exim mail servers running version 4.92.1 and prior that accept TLS connections. The vulnerability affects both GnuTLS and OpenSSL.
“A local or remote attacker can execute programs with root privileges,” reads the security advisory.
According to Shodan, over 5 million Exim mail servers are exposed on the Internet, most of them in the United States.
According to Exim developers, the flaw could be exploited by an attacker sending a SNI ending in a backslash-null sequence during the initial TLS handshake.
“If your Exim server accepts TLS connections, it is vulnerable. This does not depend on the TLS library, so both, GnuTLS and OpenSSL are affected.” reads the advisory.
“The vulnerability is exploitable by sending a SNI ending in a backslash-null sequence during the initial TLS handshake,”
Developers confirmed that an exploit exists as a PoC, but pointed out that they are not aware of attacks in the wild exploiting the issue.
Researchers from Qualys have developed a proof-of-concept (PoC) exploit code for the flaw.
Below is the timeline of the vulnerability:
- 2019-07-21 – Report from Zerons to firstname.lastname@example.org / Analysis by Qualys / Fix and tests
- 2019-09-02 – CVE assigned
- 2019-09-03 – Details to email@example.com, firstname.lastname@example.org / Grant access to the security repo
- 2019-09-04 – Heads-Up to email@example.com, firstname.lastname@example.org
- 2019-09-06 – 10.00 UTC Coordinated Release Date / Disclosure to oss-security, exim-users, public repositories
Possible mitigations are configuring the server to not accept TLS connections, which is not recommended, or adding rules to the access control list (ACL).
In June, security experts reported that millions of mail servers running vulnerable Exim mail transfer agent (MTA) versions were under attack; threat actors were exploiting the CVE-2019-10149 flaw to take them over.
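To check captured handshakes for the condition the advisory describes, the following added example (not code from the Exim project or the advisory) parses a TLS ClientHello record and flags a server name that ends in a backslash. The function names are hypothetical, the sample records are constructed, and the handling of the NUL in "backslash-null" is an assumption noted in the code.

```python
import struct

def extract_sni(record: bytes):
    """Return the host_name bytes of a TLS ClientHello record, or None."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:  # handshake, ClientHello
            return None
        pos = 5 + 4 + 2 + 32            # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]          # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
        pos += 1 + record[pos]          # compression_methods
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= min(end, len(record)):
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 0:           # server_name extension (RFC 6066)
                name_type = record[pos + 2]
                name_len = struct.unpack_from("!H", record, pos + 3)[0]
                if name_type == 0 and pos + 5 + name_len <= len(record):
                    return record[pos + 5:pos + 5 + name_len]
                return None
            pos += ext_len
    except (IndexError, struct.error):
        pass                            # truncated or malformed record
    return None

def sni_is_suspicious(name) -> bool:
    """True if the name ends in a backslash, ignoring trailing NUL bytes."""
    # Assumption: the NUL of "backslash-null" may be the server's C string
    # terminator (not on the wire) or a literal trailing byte; both are flagged.
    return name is not None and name.rstrip(b"\x00").endswith(b"\\")

def sample_client_hello(name: bytes) -> bytes:
    """Constructed fixture: minimal ClientHello carrying only an SNI extension."""
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    ext_data = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", 0, len(ext_data)) + ext_data
    body = (b"\x03\x03" + bytes(32) + b"\x00"      # version, random, no session_id
            + b"\x00\x02\x00\x2f" + b"\x01\x00"    # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    for host in (b"mail.example.org", b"mail.example.org\\"):
        sni = extract_sni(sample_client_hello(host))
        print(sni, "SUSPICIOUS" if sni_is_suspicious(sni) else "ok")
```

A flagged name is a reason to check whether the receiving server runs a fixed Exim release; it does not by itself show that exploitation occurred.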
The critical vulnerability affected versions 4.87 to 4.91 of the Exim mail transfer agent (MTA) software. The flaw could be exploited by unauthenticated remote attackers to execute arbitrary commands on mail servers for some non-default server configurations.
A few days later, malware researchers at Cybaze-Yoroi ZLAB observed many attack attempts trying to spread malware abusing the CVE-2019-10149 issue.