If exploited, the security hole in Exim could allow attackers to run
arbitrary commands on vulnerable mail servers
Exim, the popular mail transfer agent (MTA)
software, contains a critical-rated vulnerability that can, in some scenarios,
enable remote attackers to run commands of their choice on unpatched mail
servers, researchers from Qualys have found.
Tracked under CVE-2019-10149, the remote
command execution flaw impacts Exim installations 4.87 through 4.91. The bug
was fixed with the latest version (4.92) of the open-source software, albeit,
by all accounts, unknowingly. According to Qualys, the issue
“was not identified as a security vulnerability” when the latest version was
released in February.
The software, which is responsible for transferring
messages from one computer to another is, installed on a large chunk of mail servers that are visible online. More than 95 percent of them appear to run one of Exim’s older – and
vulnerable – versions.
According to Qualys, the bug could enable attackers
to execute commands on a vulnerable Exim server as the root user and
effectively take it over.
The vulnerability is “trivially exploitable” by a
local attacker, even with a low-privileged account.
Perhaps more worryingly, however, remote
exploitation is also possible, both in Exim’s default and non-default setup.
The silver lining is that things would be more difficult for remote attackers.
“This vulnerability is exploitable instantly by a
local attacker (and by a remote attacker in certain non-default
configurations). To remotely exploit this vulnerability in the default
configuration, an attacker must keep a connection to the vulnerable server open
for 7 days (by transmitting one byte every few minutes). However, because of
the extreme complexity of Exim’s code, we cannot guarantee that this exploitation
method is unique; faster methods may exist”.
Additional details about how the hole in Exim could
be exploited are available in the aforementioned advisory.
Meanwhile, Exim’s maintainers said that there is no evidence that the hole is under active
exploitation and that the patch “exists already, is being tested, and
backported to all versions we released since (and including) 4.87”.
On a different note, dangers faced by mail servers
were documented in recent ESET research that dissected the first malware that was specifically designed to
target Microsoft Exchange mail servers.