Action required! Exim mail servers need urgent patching

Researchers have discovered another dangerous security hole hiding in recent, unpatched versions of the popular mail server, Exim.

Uncovered in May 2019 by security company Qualys, the flaw (CVE-2019-10149) affects Exim versions 4.87 to 4.91 inclusive running on several Linux distros, the latter released as far back as 15 April 2018. The next release, version 4.92, fixed the problem on 10 February 2019 although that wasn’t realised by the software’s maintainers at the time.

The low down: anyone still running a version from April 2016 to earlier this year will be vulnerable. Versions before that might also be vulnerable if EXPERIMENTAL_EVENT is enabled manually, Qualys’s advisory warns.

The issue is described as an RCE, which in this case stands for Remote Command Execution, not to be confused with the more often-cited Remote Code Execution.

As the term implies, what that means is that an attacker could remotely execute arbitrary commands on a target system without having to upload malicious software.

The attack is easy from another system on the same local network. Pulling off the same from a system outside the network would require an attacker to…

Keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes). However, because of the extreme complexity of Exim’s code, we cannot guarantee that this exploitation method is unique; faster methods may exist.

Remote exploitation is also possible when Exim is using any one of several non-default configurations itemised in the Qualys advisory.

What to do

The first stop is to check impact assessments issued by individual distros, for example Debian (used by Qualys to develop the proof-of-concept), OpenSUSE, and Red Hat. Users of Sophos XG Firewall, which includes Exim, should read Knowledge Base article 134199.

As Qualys points out, exploits for the flaw are likely to follow within a matter of days. In that scenario, hackers would scan for vulnerable servers, potentially hijacking them. Clearly, this is a flaw admins will want to patch as soon as possible.

Unfortunately, if the slow patching of another serious flaw revealed in February (CVE-2018-6789) is anything to go by, a rapid roll out is unlikely. That too was another vulnerability discovered retrospectively, affecting all Exim versions from 1995.

As of June, Exim’s market share is 57% of mail servers polled, which makes it the internet’s number one platform with over half a million servers. For criminals, that’s a lot of servers to trawl through for easy targets.