A Vulnerability in Exim Could Allow for Remote Command Execution

Source: A Vulnerability in Exim Could Allow for Remote Command Execution

DATE(S) ISSUED:
06/10/2019
OVERVIEW:
A vulnerability has been discovered in Exim which could allow local attackers to execute arbitrary system commands by sending mail to a particular recipient address. Remote attackers can take advantage of this vulnerability as well through similar means. Exim is a mail transfer agent used to deploy mail servers on Unix-like systems. Successful exploitation of this vulnerability will enable the attacker to perform command execution as root in the context of the mail server. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:
There is currently a working exploit of this vulnerability on Exploit DB. Open source resources reveal that currently there are more than 4.7 million devices running a vulnerable version of Exim. This vulnerability does not affect the latest version, Exim 4.92.

June 14 – UPDATED THREAT INTELLIGENCE:
This vulnerability has been observed being exploited in the wild.

SYSTEMS AFFECTED:
Exim versions 4.87 to 4.91

TECHNICAL SUMMARY:
A vulnerability has been discovered in Exim which could allow local attackers to execute arbitrary system commands by sending mail to a particular recipient address.

This vulnerability exists due to the way that Exim parses the mail recipient when mail is sent from a local user to a local domain. When a local malicious user sends an email to the following recipient: ${run{ }}@localhost, the supplied command and arguments are passed behind the scenes into the execv function. Remote attackers can conduct a similar exploitation technique under certain non-default configurations. For other configurations, an attacker will have to keep a connection to the server open for 7 days and transmit one byte every few minutes.

Successful exploitation of this vulnerability will enable the attacker to perform command execution as root in the context of the mail server. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
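The technical summary above says the dangerous recipient is a local part carrying an Exim string-expansion item such as ${run{...}}. The following script is an added example, not part of the original advisory: it scans Exim mainlog-style lines for a recipient whose address contains an expansion construct and reports the offending entries. The log lines are constructed for the example, and the "for <recipient>" layout is assumed to follow the usual mainlog shape.

```python
import re

# Exim expansion items look like ${name{...}}; ${run{...}} executes a command.
# No legitimate recipient address contains this construct, so a single hit
# is worth an alert rather than a count-based threshold.
EXPANSION_RE = re.compile(r"\$\{[a-z]+\{")

# Mainlog "message received" lines end with "for <recipient>" (assumed layout).
RECIPIENT_RE = re.compile(r"\sfor\s+(.+?)\s*$")

# Constructed sample log lines (not from a real server); the second one carries
# the recipient form quoted in the advisory.
SAMPLE_LOG = """\
2019-06-10 10:01:22 1hXk1a-0001Dk-2Q <= alice@example.com H=(mail.example.com) [192.0.2.10] P=esmtp S=1234 for bob@example.com
2019-06-10 10:02:05 1hXk2x-0001Ef-7B <= root@localhost U=root P=local S=456 for ${run{ }}@localhost
2019-06-10 10:03:41 1hXk4f-0001Fz-1T <= carol@example.org H=(smtp.example.org) [198.51.100.7] P=esmtp S=2048 for dave@example.com
"""


def is_suspicious_recipient(address: str) -> bool:
    """True when the recipient address contains an Exim expansion item."""
    return EXPANSION_RE.search(address) is not None


def find_expansion_recipients(log_text: str):
    """Return (line_number, recipient) for every log line whose recipient
    contains an expansion item; lines without a 'for' field are skipped."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = RECIPIENT_RE.search(line)
        if match is None:
            continue
        recipient = match.group(1)
        if is_suspicious_recipient(recipient):
            hits.append((line_no, recipient))
    return hits


if __name__ == "__main__":
    for line_no, recipient in find_expansion_recipients(SAMPLE_LOG):
        print(f"line {line_no}: expansion item in recipient {recipient!r}")
```

The same check can be pointed at a live /var/log/exim_mainlog by reading the file into log_text; only the recipient field is inspected, so ordinary addresses never trigger it.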

RECOMMENDATIONS:
We recommend the following actions be taken:

Apply appropriate patches provided by Exim to vulnerable systems immediately after appropriate testing.
Verify no unauthorized system modifications have occurred on system before applying patch.
Apply the principle of Least Privilege to all systems and services.
Remind users not to open emails, download attachments, or follow links provided by unknown or untrusted sources.

REFERENCES:
Exploit DB:
https://www.exploit-db.com/exploits/46974
NIST NVD:
https://nvd.nist.gov/vuln/detail/CVE-2019-10149
Arstechnica:
https://arstechnica.com/information-technology/2019/06/millions-of-machines-affected-by-command-execution-flaw-in-exim-mail-server/
Exim:
https://www.exim.org/static/doc/security/CVE-2019-10149.txt
https://www.exim.org/index.html
zdnet:
https://www.zdnet.com/article/exim-email-servers-are-now-under-attack/

Take all the precautions needed to protect your server!!!

Friends don’t let friends get rooted!!!

Install FFMPEG in cPanel

Hi! 

Today we’re going to be installing FFMPEG onto our CentOS 7 server.
Are ya ready kids!

FFmpeg

Step 1. Login

OK, let's go. SSH into your VPS as root
(if you log in as a sudoer, switch to your root user with the
sudo su -
command).

Step 2. Enable EPEL Repo

Next, let’s enter the command to install the epel repository
sudo yum install epel-release -y

Step 3. Update

Now, let’s run a yum update 
sudo yum update -y

Step 4. Reboot

Time to reboot!
sudo shutdown -r now

Step 5. Enable Nux Dextop Repo

Now, ssh back into the server.

5a.

Enable the Nux Dextop YUM repo to install ffmpeg.
sudo rpm --import http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
This imports the gpg key for the repo

5b.

Now, enter the command to install the repo's release RPM:
rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm

Step 6. Install FFMpeg

Ok, time to install the ffmpeg package
yum install ffmpeg ffmpeg-devel -y

Step 7. Confirm Install

Let’s confirm the ffmpeg install: 
rpm -qa | grep ffmpeg
or just 
ffmpeg

voila! Done. 

Exim Vulnerability

By now, some of you have been hearing about a recent security vulnerability affecting the Exim mail transfer agent. With that news, let's explore what's happening…


SUMMARY:

A flaw was found in Exim versions 4.87 to 4.91 (inclusive), that may lead to remote command execution due to improper validation of recipient address in the `deliver_message()` function inside /src/deliver.c.

This vulnerability has a CVSSv3 Base Score of 9.8 (Critical).

Affected Packages State:
RHEL 5 / CentOS 5: Not affected*

As cPanel stated:

To confirm you are already running a patched version, you can run this command on the server:

rpm -q exim

The output will show you the Exim versions that are installed, and should look something like what’s below:

For Version 78: exim-4.92-1.cp1178.x86_64
For Version 80: exim-4.92-1.cp1180.x86_64

This flaw has been fixed as of version 4.92, which cPanel is shipping in version 78 and higher. cPanel versions 76 and lower are considered EOL and are not provided with a patch to address this vulnerability. This happens to coincide with EasyApache 3 being removed as of cPanel version 78, and presents an opportunity to address a fundamental issue: clients running software in End-of-Life status.

For additional information, please see https://blog.cpanel.com/exim-cve-2019-10149-protect-yourself/.

* CentOS 5 ships with 4.63 and is not affected by this flaw. However, the base operating system is no longer supported by cPanel. 
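The cPanel note above has you read the version out of `rpm -q exim` by eye. The script below is an added example, not cPanel's or Exim's own code: it parses that output and classifies the package against the affected range stated on this page (4.87 through 4.91 affected, 4.92 fixed, 4.63 on CentOS 5 not affected). The rpm strings are taken from the page or constructed for the test. One caveat a practitioner should keep in mind: some distributions backport security fixes without bumping the upstream version, so an "affected" result from a version-only check means "verify the package changelog", not proof of exposure.

```python
import re
from typing import Dict, Optional, Tuple

# Affected range from this advisory: 4.87 .. 4.91 inclusive; 4.92 is fixed.
FIRST_AFFECTED = (4, 87)
FIRST_FIXED = (4, 92)

# Matches "exim-4.92-1.cp1178.x86_64" style output from `rpm -q exim`.
RPM_RE = re.compile(r"^exim-(\d+)\.(\d+)(?:\.\d+)?-\S+$")


def parse_rpm_version(rpm_line: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from one rpm -q line, or None when the line is
    not an exim package (e.g. 'package exim is not installed')."""
    match = RPM_RE.match(rpm_line.strip())
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2))


def classify(version: Tuple[int, int]) -> str:
    """Map an upstream version to the advisory's affected range."""
    if version >= FIRST_FIXED:
        return "fixed"
    if version >= FIRST_AFFECTED:
        return "affected"
    # Older than 4.87, e.g. the 4.63 shipped on CentOS 5: outside the range.
    return "not-in-range"


def check_rpm_output(output: str) -> Dict[str, str]:
    """Classify every package line in the output of `rpm -q exim`
    (several lines appear when multiple architectures are installed)."""
    results = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        version = parse_rpm_version(line)
        results[line] = "not-installed" if version is None else classify(version)
    return results


if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["rpm", "-q", "exim"], capture_output=True, text=True).stdout
    for pkg, status in check_rpm_output(out).items():
        print(f"{pkg}: {status}")
```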

Follow up:

https://nvd.nist.gov/vuln/detail/CVE-2019-10149

This Exim exploit could affect any servers running cPanel & WHM versions below our latest LTS version which, as of this email, is v78.0.27. For more information about this Exim exploit, please see the link above.
We recommend that you update any servers below cPanel & WHM v78.0.27 promptly, to ensure that you’ve received the latest system updates.

To update your server manually, right away, please use the WebHost Manager interface: WHM >> Home >> cPanel >> Upgrade to Latest Version

If you have any issues with the updates, please contact our technical support analysts for assistance: https://tickets.cpanel.net

We’ve added more in-depth details about this Exim exploit and explain how you can protect yourself, in a blog post on our website, here:
https://blog.cpanel.com/exim-cve-2019-10149-protect-yourself/