If exploited, Exim security flaw could allow attackers to run arbitrary commands on vulnerable mail servers
Exim, the popular mail transfer agent (MTA) software, contains a critical-rated vulnerability that can, in certain scenarios, allow remote attackers to execute commands of their choosing on unpatched mail servers, Qualys researchers have discovered.
Tracked under CVE-2019-10149, the remote command execution flaw affects Exim 4.87 to 4.91 installations. The bug was fixed with the latest version (4.92) of the open source software, although by all accounts unknowingly. According to Qualys, the problem “was not identified as a security vulnerability” when the latest version was released in February.
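As an added example (not from the article or from Qualys), the following Python snippet shows how an administrator could triage their own mail hosts against the affected range stated above by parsing the version an Exim server advertises in its SMTP greeting. The banners are constructed samples; the hostnames are fictitious.

```python
import re

# Affected range reported for CVE-2019-10149 (from the article):
# Exim 4.87 through 4.91 inclusive; fixed in 4.92.
AFFECTED_MIN = (4, 87)
AFFECTED_MAX = (4, 91)

# Matches "Exim 4.91", "Exim 4.86_2", "Exim 4.92-RC" etc.; only major.minor is used.
BANNER_RE = re.compile(r"\bExim\s+(\d+)\.(\d+)", re.IGNORECASE)

def exim_version(banner: str):
    """Return (major, minor) from an SMTP greeting such as
    '220 mx.example.test ESMTP Exim 4.91 ...', or None if no Exim version is advertised."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))

def is_affected(banner: str) -> bool:
    """True when the advertised version falls inside the vulnerable range."""
    ver = exim_version(banner)
    return ver is not None and AFFECTED_MIN <= ver <= AFFECTED_MAX

def triage(banners):
    """Map each host (second token of the 220 line) to 'affected', 'not affected'
    or 'unknown' (banner does not reveal an Exim version)."""
    result = {}
    for line in banners:
        parts = line.split()
        host = parts[1] if len(parts) > 1 else "?"
        if exim_version(line) is None:
            result[host] = "unknown"
        else:
            result[host] = "affected" if is_affected(line) else "not affected"
    return result

# Constructed sample greetings (hypothetical hosts, not real servers).
SAMPLE_BANNERS = [
    "220 mx1.example.test ESMTP Exim 4.91 Mon, 10 Jun 2019 09:00:00 +0000",
    "220 mx2.example.test ESMTP Exim 4.92 Mon, 10 Jun 2019 09:00:00 +0000",
    "220 mx3.example.test ESMTP Exim 4.86_2 Mon, 10 Jun 2019 09:00:00 +0000",
    "220 mx4.example.test ESMTP Postfix",
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_BANNERS).items():
        print(f"{host}: {status}")
```

A banner check is only a first pass: distributions often backport the fix without bumping the advertised version, and operators may suppress or alter the greeting, so confirm with the package version on the host itself.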
The software, responsible for transferring messages from one computer to another, is installed on a large part of the mail servers visible online. Over 95% of them seem to be running one of the oldest and most vulnerable versions of Exim.
According to Qualys, the bug could allow attackers to run commands on a vulnerable Exim server as the root user and effectively take it over.
The vulnerability is “trivially exploitable” by a local attacker, even from a low-privilege account. Perhaps more worryingly, remote exploitation is also possible, in both Exim’s default and non-default configurations. The silver lining is that things would be tougher for remote attackers.
“This vulnerability is instantly exploitable by a local attacker (and by a remote attacker in some non-default configurations). To remotely exploit this vulnerability in the default configuration, an attacker must keep a connection to the vulnerable server open for 7 days (transmitting a byte every few minutes). However, due to the extreme complexity of Exim’s code, we cannot guarantee that this method of exploitation is unique; faster methods may exist”.
Additional details on how the hole in Exim could be exploited are available in the Qualys advisory.
Meanwhile, Exim officials said there is no evidence the hole is under active exploitation and that the patch “already exists, is being tested and backported to all builds we have released from (and including) 4.87”.
On a different note, the dangers facing email servers have been documented in recent ESET research that dissected the first malware specifically designed to target Microsoft Exchange email servers.