Millions of machines affected by a command execution flaw in the Exim mail server

Millions of Internet-connected machines running the open-source Exim mail server may be vulnerable to a recently disclosed vulnerability that, in some cases, allows unauthenticated attackers to run commands with almighty root privileges.

The flaw, which dates back to version 4.87 released in April 2016, is trivially exploitable by local users with a low-privilege account on a vulnerable system running under default settings. The attacker just needs to send an email to “${run{…}}@localhost”, where “localhost” is an existing local domain on the vulnerable Exim installation. The command placed inside the braces is then executed with root privileges.

The command execution flaw can also be exploited remotely, but with certain restrictions. The most likely scenario for remote exploitation is a non-default configuration, such as one where:

  • An administrator has manually removed the “verify=recipient” check, possibly to prevent enumeration of usernames via RCPT TO commands. In that case, the local exploit method above works remotely as well.
  • Exim is configured to recognize tags in the local part of a recipient’s address (for example via “local_part_suffix=+*:-*”). Attackers can then reuse the local exploit method with an RCPT TO of “balrog+${run{…}}@localhost”, where “balrog” is the name of a local user.
  • Exim is configured to relay mail to a remote domain as a secondary MX. A remote attacker can then reuse the local exploit method with an RCPT TO of “${run{…}}@khazad.dum”, where “khazad.dum” is one of Exim’s relay_to_domains.

The vulnerability is also remotely exploitable against default Exim configurations, although an attacker must first keep a connection to the vulnerable server open for seven days, transmitting a byte every few minutes. Researchers from Qualys, the security firm that discovered the vulnerability, haven’t ruled out other easier and more convenient ways to exploit default configurations remotely.

“This vulnerability is trivially exploitable in local cases and not by default (attackers will have working exploits prior to this, public or otherwise),” Qualys researchers wrote in an advisory published Wednesday. “And in the default case, a ranged attack takes a long time to succeed (as far as we know).”

The vulnerability, identified as CVE-2019-10149, affects versions 4.87 to 4.91. The flaw was fixed in version 4.92, released in February, but the fix was never identified as a security vulnerability at the time, and many Linux distributions continued to ship vulnerable Exim versions.
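As an added defender-side example (not code from the article or from Qualys), the following Python checks an installation's reported Exim version against the affected range given above and scans mail-log lines for recipient addresses whose local part carries the ${run{…}} expansion, covering the bare, tagged (local_part_suffix) and relay-domain forms listed earlier. The mainlog layout it parses follows Exim's usual format, and the sample lines are constructed for illustration.

```python
import re
from typing import List

# Affected range from the advisory: 4.87 up to and including 4.91; fixed in 4.92.
VULN_MIN = (4, 87)
FIXED = (4, 92)

def exim_version_is_vulnerable(version_line: str) -> bool:
    """Parse the first line of 'exim -bV' output ('Exim version 4.91 #1 ...')."""
    m = re.search(r"Exim version (\d+)\.(\d+)", version_line)
    if m is None:
        raise ValueError("no Exim version string found")
    return VULN_MIN <= (int(m.group(1)), int(m.group(2))) < FIXED

# The Exim string-expansion item that runs a command; a recipient local part
# has no business containing it, and all three vectors above depend on it.
RUN_EXPANSION = re.compile(r"\$\{run\s*\{")

def is_suspicious_recipient(address: str) -> bool:
    """True for ${run{...}}@localhost, balrog+${run{...}}@localhost (tag form)
    and ${run{...}}@khazad.dum (relay-domain form) alike."""
    local_part = address.rsplit("@", 1)[0]
    return RUN_EXPANSION.search(local_part) is not None

# Recipients sit after 'for ' on '<=' (message received) lines and inside
# 'RCPT <...>' on rejection lines of Exim's mainlog.
RCPT_IN_LOG = re.compile(r"(?:\bfor |RCPT <)([^\s<>]+@[^\s<>]+)")

def find_suspicious_rcpts(log_lines: List[str]) -> List[str]:
    """Recipient addresses carrying a ${run{...}} expansion, in log order."""
    hits: List[str] = []
    for line in log_lines:
        for m in RCPT_IN_LOG.finditer(line):
            if is_suspicious_recipient(m.group(1)):
                hits.append(m.group(1))
    return hits

# Constructed mainlog lines (not real traffic); '...' stands for the elided
# command, exactly as the advisory writes the address.
SAMPLE_LOG = [
    "2019-06-05 10:15:01 1hYgRp-0001Bs-2T <= bob@example.net H=(mx) [192.0.2.10] P=esmtp S=512 for alice@localhost",
    "2019-06-05 10:15:07 1hYgRv-0001Bu-9K <= eve@example.net H=(mx) [192.0.2.11] P=esmtp S=612 for ${run{...}}@localhost",
    "2019-06-05 10:15:12 H=(mx) [192.0.2.12] F=<eve@example.net> rejected RCPT <balrog+${run{...}}@localhost>: Unrouteable address",
    "2019-06-05 10:15:20 1hYgS8-0001Bw-1Q <= eve@example.net H=(mx) [192.0.2.13] P=esmtp S=700 for ${run{...}}@khazad.dum",
    "2019-06-05 10:15:25 1hYgSD-0001By-4F <= carol@example.net H=(mx) [192.0.2.14] P=esmtp S=400 for balrog+project@localhost",
]
```

Running `find_suspicious_rcpts(SAMPLE_LOG)` flags the three expansion-bearing recipients and leaves the legitimate tagged address `balrog+project@localhost` alone.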

A search of BinaryEdge (a service that indexes internet-connected devices) showed that over 4.7 million machines are running a vulnerable version of Exim. It’s a safe bet that a significant percentage of these machines are susceptible to attacks. Updates to version 4.92 are available here.