A Vulnerability in Exim Could Allow for Remote Command Execution


Source: A Vulnerability in Exim Could Allow for Remote Command Execution

DATE(S) ISSUED:
06/10/2019
OVERVIEW:
A vulnerability has been discovered in Exim, which could allow for local attackers to execute arbitrary system commands when sending mail to a particular recipient. Remote attackers can take advantage of this vulnerability as well through similar means. Exim is a mail transfer agent used to deploy mail servers on Unix-like systems. Successful exploitation of this vulnerability will enable the attacker to perform command execution as root in the context of the mail server. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:
There is currently a working exploit of this vulnerability on Exploit DB. Open source resources reveal that more than 4.7 million devices are currently running a vulnerable version of Exim. This vulnerability does not affect the latest version, Exim 4.92.

June 14 – UPDATED THREAT INTELLIGENCE:
This vulnerability has been observed being exploited in the wild.

SYSTEMS AFFECTED:
Exim versions 4.87 to 4.91

TECHNICAL SUMMARY:
A vulnerability has been discovered in Exim, which could allow for local attackers to execute arbitrary system commands when sending mail to a particular recipient.

This vulnerability exists due to the way that Exim parses the mail recipient when mail is sent from a local user to a local domain. When a local malicious user sends an email to the following recipient: ${run{ }}@localhost, the supplied command and arguments are passed behind the scenes into the execv function. Remote attackers can conduct a similar exploitation technique under certain non-default configurations. Under other configurations, an attacker would have to keep a connection to the server open for 7 days, transmitting one byte every few minutes.

Successful exploitation of this vulnerability will enable the attacker to perform command execution as root in the context of the mail server. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
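A defender-side check, added here as an example and not code from the advisory or from the Exim project: it tests whether a reported Exim version falls inside the affected range listed above, and scans Exim mainlog lines for recipient addresses that carry the ${run{...}} expansion item described in the technical summary. The log lines are constructed samples and the log layout assumed is Exim's default mainlog format.

```python
import re

# Inclusive affected range from the advisory: Exim 4.87 through 4.91.
AFFECTED_MIN, AFFECTED_MAX = (4, 87), (4, 91)

# Constructed sample mainlog lines (not from the page). Line 3 shows a
# recipient whose local part is an Exim ${run{...}} expansion item.
SAMPLE_MAINLOG = """\
2019-06-10 12:00:01 1hb0Zt-0001Yx-2K <= alice@example.org H=mx.example.org [192.0.2.10] P=esmtp S=1234
2019-06-10 12:00:02 1hb0Zt-0001Yx-2K => bob <bob@localhost> R=localuser T=local_delivery
2019-06-10 12:00:03 1hb0Zu-0001Za-9Q ** ${run{x}}@localhost: Unrouteable address
2019-06-10 12:00:04 1hb0Zv-0001Zb-1A <= carol@example.net H=(foo) [198.51.100.7] P=esmtp S=4321
"""

RUN_ITEM_RE = re.compile(r"\$\{\s*run\s*\{")   # the specific item named in the advisory
ANY_EXPANSION_RE = re.compile(r"\$\{")           # any Exim expansion opener

def parse_version(text):
    """Return (major, minor) from output such as 'Exim version 4.91 #1 built ...'."""
    m = re.search(r"\b(\d+)\.(\d+)\b", text)
    if m is None:
        raise ValueError("no Exim version number in %r" % text)
    return int(m.group(1)), int(m.group(2))

def is_affected(text):
    """True when the version found in `text` lies in the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX

def classify(line):
    """'run' for a ${run{...}} item, 'expansion' for any other ${...}, else None.
    '$', '{' and '}' are legal characters in a local part, so a bare '${' hit is
    a review candidate, not proof of exploitation; '${run{' has no benign use."""
    if RUN_ITEM_RE.search(line):
        return "run"
    if ANY_EXPANSION_RE.search(line):
        return "expansion"
    return None

def scan_mainlog(text):
    """Return [(line_no, category, line)] for lines carrying an expansion item."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        cat = classify(line)
        if cat:
            hits.append((n, cat, line))
    return hits

if __name__ == "__main__":
    for n, cat, line in scan_mainlog(SAMPLE_MAINLOG):
        print("line %d [%s]: %s" % (n, cat, line))
```

Feed `is_affected` the first line of `exim -bV` output and `scan_mainlog` the contents of the mainlog; a "run" hit on a host in the affected range warrants the pre-patch integrity check the recommendations below call for.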

RECOMMENDATIONS:
We recommend the following actions be taken:

Apply appropriate patches provided by Exim to vulnerable systems immediately after appropriate testing.
Verify that no unauthorized system modifications have occurred on the system before applying the patch.
Apply the principle of Least Privilege to all systems and services.
Remind users not to open emails, download attachments, or follow links provided by unknown or untrusted sources.

REFERENCES:
Exploit DB:
https://www.exploit-db.com/exploits/46974
NIST NVD:
https://nvd.nist.gov/vuln/detail/CVE-2019-10149
Arstechnica:
https://arstechnica.com/information-technology/2019/06/millions-of-machines-affected-by-command-execution-flaw-in-exim-mail-server/
Exim:
https://www.exim.org/static/doc/security/CVE-2019-10149.txt
https://www.exim.org/index.html
zdnet:
https://www.zdnet.com/article/exim-email-servers-are-now-under-attack/

Take all the precautions needed to protect your server!!!

Friends don’t let friends get rooted!!!
