
A Vulnerability in Exim Could Allow for Remote Command Execution

MS-ISAC ADVISORY NUMBER:

2019-061

DATE(S) ISSUED:

06/10/2019

OVERVIEW:

A vulnerability has been discovered in Exim which could allow local attackers to execute arbitrary system commands by sending mail to a particular recipient. Remote attackers can take advantage of this vulnerability as well through similar means. Exim is a mail transfer agent used to deploy mail servers on Unix-like systems. Successful exploitation of this vulnerability will enable the attacker to execute commands as root in the context of the mail server. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:

There is currently a working exploit of this vulnerability on Exploit DB. Open source resources reveal that there are currently more than 4.7 million devices running a vulnerable version of Exim. This vulnerability does not affect the latest version, Exim 4.92.

June 14 - UPDATED THREAT INTELLIGENCE:
This vulnerability has been observed being exploited in the wild.

SYSTEMS AFFECTED:

  • Exim versions 4.87 to 4.91
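The following is an added example, not part of the MS-ISAC advisory, that turns the affected range above into a check an administrator can run against the output of `exim -bV` (the binary is named `exim4` on Debian-derived systems). The sample `-bV` output strings are constructed for illustration. Note that distribution packages often carry a backported fix under an unchanged upstream version string, so a version in the 4.87 to 4.91 range indicates a system that needs attention, not a confirmed vulnerability; the vendor's package changelog is the authority for that.

```python
import re
import shutil
import subprocess

# Affected range as stated in the advisory: 4.87 through 4.91 inclusive.
AFFECTED_MIN = (4, 87)
AFFECTED_MAX = (4, 91)

# The first line of `exim -bV` begins "Exim version X.YY ...".
VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)")


def parse_exim_version(bv_output: str):
    """Return (major, minor) parsed from `exim -bV` output, or None if absent.

    The minor part is compared as an integer so that 4.87 < 4.90 < 4.91
    rather than as a float, where 4.9 and 4.90 would collide.
    """
    match = VERSION_RE.search(bv_output)
    if not match:
        return None
    return (int(match.group(1)), int(match.group(2)))


def is_in_affected_range(version) -> bool:
    """True when the version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(bv_output: str) -> str:
    """Classify `exim -bV` output as affected, not-affected, or unknown."""
    version = parse_exim_version(bv_output)
    if version is None:
        return "unknown"
    return "affected" if is_in_affected_range(version) else "not-affected"


def local_exim_bv_output():
    """Run `exim -bV` (or `exim4 -bV`) if an Exim binary is installed."""
    for name in ("exim", "exim4"):
        path = shutil.which(name)
        if path:
            result = subprocess.run([path, "-bV"], capture_output=True, text=True)
            return result.stdout
    return None


# Constructed sample outputs (not captured from a real host).
SAMPLE_AFFECTED = "Exim version 4.91 #1 built 15-Apr-2018 10:00:00\nCopyright (c) ...\n"
SAMPLE_FIXED = "Exim version 4.92 #3 built 02-Jun-2019 09:30:00\n"

if __name__ == "__main__":
    output = local_exim_bv_output()
    if output is None:
        print("no Exim binary found; checking constructed samples instead")
        for sample in (SAMPLE_AFFECTED, SAMPLE_FIXED):
            print(sample.splitlines()[0], "->", assess(sample))
    else:
        print(output.splitlines()[0], "->", assess(output))
```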

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: MEDIUM
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: MEDIUM
Home Users: LOW

TECHNICAL SUMMARY:

A vulnerability has been discovered in Exim which could allow local attackers to execute arbitrary system commands by sending mail to a particular recipient.

This vulnerability exists because of the way Exim parses the mail recipient when mail is sent from a local user to a local domain. When a local malicious user sends an email to the recipient ${run{ }}@localhost, the supplied command and arguments are passed to the execv function behind the scenes. Remote attackers can conduct a similar exploitation technique under certain non-default configurations. For other configurations, a remote attacker would have to keep a connection to the server open for 7 days, transmitting one byte every few minutes.
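The following is an added example, not part of the MS-ISAC advisory, of how an operator could look for the condition described above in Exim's main log. Legitimate recipient addresses never contain the `${` that introduces an Exim string expansion, so any address carrying one in an accepted-message (`<=`), delivery (`=>`) or `rejected RCPT` entry is worth investigating. The log lines below are constructed to resemble Exim's main log format and are not captured from a real server; the recipient uses a placeholder rather than an actual command.

```python
import re

# Addresses appear in the main log either inside angle brackets
# (e.g. "rejected RCPT <addr>", "=> user <addr>") or after "for " on
# an accepted-message line.
ANGLE_ADDR_RE = re.compile(r"<([^<>]*)>")
FOR_ADDR_RE = re.compile(r"\bfor (\S+)")

# An Exim expansion item starts with "${" followed by the operator name
# ("run", "lookup", ...); a real address never contains this.
EXPANSION_RE = re.compile(r"\$\{\s*(\w+)")


def extract_addresses(line: str):
    """Return every candidate address found on one main-log line."""
    return ANGLE_ADDR_RE.findall(line) + FOR_ADDR_RE.findall(line)


def find_expansion_in_recipients(lines):
    """Return one hit per address that contains an expansion item.

    Each hit records the 1-based line number, the raw address and the
    expansion operator, so an analyst can tell ${run...} from others.
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for addr in extract_addresses(line):
            match = EXPANSION_RE.search(addr)
            if match:
                hits.append({"line": lineno, "address": addr, "operator": match.group(1)})
    return hits


# Constructed sample log lines (not real traffic); RFC 5737 addresses.
SAMPLE_LOG_LINES = [
    "2019-06-10 09:12:01 1hZr3a-0001Gq-2v <= alice@example.org H=(mail.example.org) "
    "[203.0.113.10] P=esmtps S=1324 for bob@example.org",
    "2019-06-10 09:14:33 H=(unknown.example) [198.51.100.7] F=<sender@example.net> "
    "rejected RCPT <${run{PLACEHOLDER}}@localhost>: relay not permitted",
    "2019-06-10 09:15:02 1hZr6B-0001Gz-1x => bob <bob@example.org> R=local_user T=local_delivery",
    "2019-06-10 09:20:45 1hZrBk-0001H4-7c <= carol@localhost U=carol P=local S=300 "
    "for ${run{PLACEHOLDER}}@localhost",
]

if __name__ == "__main__":
    for hit in find_expansion_in_recipients(SAMPLE_LOG_LINES):
        print(f"line {hit['line']}: ${{{hit['operator']}...}} in recipient {hit['address']!r}")
```

The second sample line models the remote path the advisory describes (a rejected RCPT from an external host) and the fourth models the local path (a submission by a local user). In production the input would be the contents of Exim's main log rather than the constructed list, and a hit on an accepted `<=` line is more urgent than one on a rejected RCPT, because the message was taken in for routing.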

Successful exploitation of this vulnerability will enable the attacker to execute commands as root in the context of the mail server. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Exim to vulnerable systems immediately after appropriate testing.
  • Verify that no unauthorized system modifications have occurred on the system before applying the patch.
  • Apply the principle of Least Privilege to all systems and services.
  • Remind users not to open emails, download attachments, or follow links provided by unknown or untrusted sources.

REFERENCES:
