Exim mail servers are affected by a security hole that enables a local or remote attacker to execute arbitrary code with root privileges.
According to the Exim developers, the CVE-2019-15846 vulnerability affects versions 4.92.1 and earlier. The flaw is fixed in Exim 4.92.2, which was first announced on Wednesday and published on Friday.
The vulnerability, described as a heap overflow, affects Exim's TLS servers and does not depend on the TLS library in use: the developers note that both GnuTLS and OpenSSL builds are affected.
“The vulnerability is exploitable by sending an SNI that ends in a slash-zero sequence during the original TLS handshake,” the Exim developers said.
Although no malicious exploitation has been observed, Qualys researchers who analysed the flaw have created a basic proof of concept (PoC) demonstrating that the heap overflow is exploitable. The Exim developers were first notified of the issue on July 21 by a researcher who uses the online moniker “Zerons”.
Exploitation can be prevented by configuring the server not to accept TLS connections, but this mitigation is not recommended. Adding specific rules to the Access Control List (ACL) is another mitigation.
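As an added example (not code from this article or from the Exim project), here is a Python check a defender could run over captured ClientHello records on a network sensor or in a test harness: it extracts the SNI host_name and flags one that ends in the backslash-null sequence the advisory describes. The ClientHello builder only produces constructed test input following the TLS 1.2 wire format; the hostnames are assumptions.

```python
import struct
from typing import Optional

def build_client_hello(sni: bytes) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying one SNI host_name (constructed test input)."""
    name_entry = b"\x00" + struct.pack("!H", len(sni)) + sni            # name type 0 = host_name
    sni_list = struct.pack("!H", len(name_entry)) + name_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list              # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32                                  # client_version + random
            + b"\x00"                                                   # session_id: empty
            + b"\x00\x02\xc0\x2f"                                       # one cipher suite
            + b"\x01\x00"                                               # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body             # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs           # record type 22 = handshake

def extract_sni(record: bytes) -> Optional[bytes]:
    """Walk a ClientHello record and return the raw host_name bytes, or None if absent/malformed."""
    try:
        if record[0] != 0x16:
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:
            return None
        p = 4 + 2 + 32                                   # handshake header, version, random
        p += 1 + hs[p]                                   # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher_suites
        p += 1 + hs[p]                                   # compression_methods
        ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0:                               # server_name: list len(2), type(1), name len(2), name
                nlen = struct.unpack("!H", hs[p + 3:p + 5])[0]
                return hs[p + 5:p + 5 + nlen]
            p += elen
    except (IndexError, struct.error):
        pass
    return None

def sni_is_suspicious(sni: Optional[bytes]) -> bool:
    """Flag a host_name that ends in backslash-NUL (the CVE-2019-15846 trigger) or holds any NUL byte."""
    return sni is not None and (sni.endswith(b"\\\x00") or b"\x00" in sni)

# Constructed samples: a normal hostname and one ending in the backslash-null sequence.
BENIGN = build_client_hello(b"mail.example.com")
FLAGGED = build_client_hello(b"mail.example.com\\\x00")
```

A valid hostname never contains a NUL byte, so flagging any NUL in the SNI catches the reported trigger without producing false positives on legitimate clients.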
“This is a buffer overflow vulnerability. It does not allow attackers to directly perform root commands. In the end, this flaw enables attackers to overwrite memory that can be used to execute code. This differs considerably from remote code execution, because the attacker needs to remove barriers not only from the sensitive program implementation but also from the OS exploit mitigations,” Craig Young, computer security researcher on Tripwire's vulnerability and exposure research team, told SecurityWeek.
“Because of the different complexities involved, I do not think it would be probable to see active code execution attacks by script kiddies rapidly. Having said this, I would be surprised if more sophisticated attackers don't already use it against targeted mail servers,” Young added.
Exim is one of the most widely used mail servers, and Shodan shows over 5 million instances, the majority of them in the US. Exim is therefore a tempting target for malicious actors.
In mid-June, security researchers and vendors warned that the Exim vulnerability CVE-2019-10149 was being exploited to deliver cryptocurrency miners.