Researchers have discovered another dangerous security hole hiding in recent, unpatched versions of the popular mail server, Exim.
Uncovered in May 2019 by security company Qualys, the flaw (CVE-2019-10149) affects Exim versions 4.87 to 4.91 inclusive running on several Linux distros, the latter released as far back as 15 April 2018. The next release, version 4.92, fixed the problem on 10 February 2019 although that wasn’t realised by the software’s maintainers at the time.
The low down: anyone still running a version from April 2016 to earlier this year will be vulnerable. Versions before that might also be vulnerable if EXPERIMENTAL_EVENT is enabled manually, Qualys’s advisory warns.
The issue is described as an RCE, which in this case stands for Remote Command Execution, not to be confused with the more often-cited Remote Code Execution.
As the term implies, what that means is that an attacker could remotely execute arbitrary commands on a target system without having to upload malicious software.
The attack is easy from another system on the same local network. Pulling off the same from a system outside the network would require an attacker to…
Keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes). However, because of the extreme complexity of Exim’s code, we cannot guarantee that this exploitation method is unique; faster methods may exist.
Remote exploitation is also possible when Exim is using any one of several non-default configurations itemised in the Qualys advisory.
What to do
The first stop is to check impact assessments issued by individual distros, for example Debian (used by Qualys to develop the proof-of-concept), OpenSUSE, and Red Hat. Users of Sophos XG Firewall, which includes Exim, should read Knowledge Base article 134199.
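As an added illustration (not code from the article, Qualys or the Exim project), the POSIX shell snippet below turns the affected range stated above (4.87 to 4.91 inclusive, fixed in 4.92, older builds only a concern if EXPERIMENTAL_EVENT was enabled) into a quick triage check. It assumes the first line of `exim -bV` output has the usual “Exim version 4.91 #1 built …” layout; the sample output it parses is constructed here, not captured from a real host.

```sh
#!/bin/sh
# Added example: classify an Exim version against the CVE-2019-10149 range
# given in the article (4.87-4.91 affected, 4.92+ fixed). Not the project's code.

# Extract "4.91" from `exim -bV` output. Assumed first-line format:
# "Exim version 4.91 #1 built 15-Apr-2018 ..." (the usual layout).
exim_version_from_bv() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Prints one of: vulnerable | fixed | check-experimental-event | unknown
exim_cve_2019_10149_status() {
    ver="$1"
    case "$ver" in *.*) ;; *) echo unknown; return 0 ;; esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%[!0-9]*}          # drop suffixes such as "-RC1"
    case "$major" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case "$minor" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    if [ "$major" -ne 4 ]; then echo unknown; return 0; fi
    if [ "$minor" -ge 87 ] && [ "$minor" -le 91 ]; then
        echo vulnerable                 # range named in the Qualys advisory
    elif [ "$minor" -ge 92 ]; then
        echo fixed                      # 4.92 (10 Feb 2019) closed the hole
    else
        echo check-experimental-event   # older build: only exposed if EXPERIMENTAL_EVENT was enabled
    fi
}

# Constructed sample of `exim -bV` output (not from a real server).
SAMPLE_BV='Exim version 4.89 #1 built 12-Jun-2017 10:00:00
Copyright (c) University of Cambridge, 1995 - 2017
Support for: crypteq iconv() IPv6 OpenSSL Event'

check_sample() {
    exim_cve_2019_10149_status "$(exim_version_from_bv "$SAMPLE_BV")"
}

if command -v exim >/dev/null 2>&1; then
    echo "local exim: $(exim_cve_2019_10149_status "$(exim_version_from_bv "$(exim -bV 2>/dev/null)")")"
else
    echo "exim not installed here; constructed sample classifies as: $(check_sample)"
fi
```

Treat the result as a first pass only: distributions routinely backport a fix without changing the upstream version string, so a build that reports 4.89 or 4.91 may already be patched. The distro impact assessments linked above are the authoritative answer; this check just tells you which hosts to look at first.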
As Qualys points out, exploits for the flaw are likely to follow within a matter of days. In that scenario, hackers would scan for vulnerable servers, potentially hijacking them. Clearly, this is a flaw admins will want to patch as soon as possible.
Unfortunately, if the slow patching of another serious flaw revealed in February (CVE-2018-6789) is anything to go by, a rapid roll-out is unlikely. That, too, was a vulnerability discovered retrospectively, affecting all Exim versions from 1995.
As of June, Exim’s market share is 57% of mail servers polled, which makes it the internet’s number one platform with over half a million servers. For criminals, that’s a lot of servers to trawl through for easy targets.
7 comments on “Action required! Exim mail servers need urgent patching”
What about Sophos UTMs and XGs? Aren’t they using Exim, too?
Sophos XG Firewall is affected. Sophos Support has published a knowledgebase article on the subject:
Is the Sophos UTM 9 also affected?
We got a scan from Qualys to use a vulnerable version of Exim…
Hi, we’re not able to offer product support other than to direct you towards the Support Knowledgebase. If that doesn’t answer your question can you contact support directly please.
Sophos Email Appliance (SEA) – IIRC its MTA is Postfix, so no Exim to update.
Thanks Paul. Yes, I’ve been perusing some thread responses by Red_Warrior about postfix + milter behavior. I’m assuming internal person at Sophos by the nature of the posts.