Millions of Exim mail servers exposed to remote and local attacks

Millions of Exim mail servers exposed

A critical vulnerability in several versions of Exim mail transfer agent (MTA) enables unauthenticated remote attackers to execute arbitrary mail-order commands for certain non-default server configurations on mail servers.

The flaw impacts Exim versions 4.87 to 4.91 and is caused by improper validation of receiver adresses in /src / deliver.c in the deliver message) (function that leads to RCE on the mail server with root rights.

“RCE means remote execution of* Commands*, not Remote execution of code: an attacker can execute arbitrary commands with execv) (root; no memory corruption or ROP (Return-oriented Programming) is involved,” says Qualys, an outfit that detects and reports the vulnerability. Start qualys freescan download to check vulnerablity

As the research team at Qualys also said, the Exim flaw “is threefold exploitable in local and non-default cases ;” potential attackers need to work sooner rather than later.

Details of Exim RCE vulnerability

The CVE-2019-10149 vulnerability can be instantly exploited as critical and “by a local attacker (and a remote attacker in certain default configurations).”

The following non-default Exim configurations are easy to use remotely according to Qualys:

  • If the “verify = recipient” ACL was removed manually by an administrator (maybe to prevent username enumeration via RCPT TO), then our local-exploitation method also works remotely.
  • If Exim was configured to recognize tags in the local part of the recipient’s address (via “local_part_suffix = +* : -*” for example), then a remote attacker can simply reuse our local-exploitation method with an RCPT TO “balrog+${run{…}}@…alhost” (where “balrog” is the name of a local user).
  • If Exim was configured to relay mail to a remote domain, as a secondary MX (Mail eXchange), then a remote attacker can simply reuse our local-exploitation method with an RCPT TO “${run{…}}@…zad.dum” (where “khazad.dum” is one of Exim’s relay_to_domains). Indeed, the “verify = recipient” ACL can only check the domain part of a remote address (the part that follows the @ sign), not the local part.

It is more complicated to remotely exploit the default flaw on vulnerable servers and requires dedication, because attacks “must hold the connection to the vulnerable server open for seven days (by sending one byte a few minutes),” advisory Qualys says. Qualys says.

“Because Exim’s code is extremely complex we can not, however, guarantee that the method of exploitation is unique; faster methods might exist.”

vulnerable mail servers per country

The approximate number of vulnerable mail servers per country

The CVE-2019-10149 bug was patched by Exim’s developers on February 10 in version 4.92, although “the bug was not identified at that time as a security vulnerability” and thus most of the operating systems are affected.

According to a Shodan quick search, vulnerable Exim versions are currently running on roughly 4,800,000 machines, with over 588,000 servers running the patched Exim 4.92 release.

Researcher have named “The WIZard Return” flaw CVE-2019-10149, connecting it to the 1999 WIz and DEBUG faults, which also enable attackers to run root commands on servers running the vulnerable version of the Sendmail mail transfer agent.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.