Critical bug found in popular mail server software
If exploited, the security hole in Exim could allow attackers to run arbitrary commands on vulnerable mail servers
Exim, a popular mail transfer agent (MTA) software, contains a critical-rated vulnerability that can, in some scenarios, enable remote attackers to run commands of their choice on unpatched mail servers, researchers from Qualys have found.
Tracked under CVE-2019-10149, the remote command execution flaw impacts Exim installations 4.87 through 4.91. The bug was fixed with the latest version (4.92) of the open-source software, albeit, by all accounts, unknowingly. According to Qualys, the issue “was not identified as a security vulnerability” when the latest version was released in February.
The software, which is responsible for transferring messages from one computer to another is, installed on a large chunk of mail servers that are visible online. More than 95% of them appear to run one of Exim’s older – and vulnerable – versions.
According to Qualys, the bug could enable attackers to execute commands on a vulnerable Exim server as the root user and effectively take it over.
The vulnerability is “trivially exploitable” by a local attacker, even with a low-privileged account. Perhaps more worryingly, however, remote exploitation is also possible, both in Exim’s default and non-default setup. The silver lining is that things would be more difficult for remote attackers.
“This vulnerability is exploitable instantly by a local attacker (and by a remote attacker in certain non-default configurations). To remotely exploit this vulnerability in the default configuration, an attacker must keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes). However, because of the extreme complexity of Exim’s code, we cannot guarantee that this exploitation method is unique; faster methods may exist”.
Meanwhile, Exim’s maintainers said that there is no evidence that the hole is under active exploitation and that the patch “exists already, is being tested, and backported to all versions we released since (and including) 4.87”.