CVE-2019-10149: Exim Remote Code Execution Vulnerability Alert

Exim, the mail transfer agent deployed on most Linux and other Unix-like systems, has been found to contain a remote code execution vulnerability (CVE-2019-10149). The flaw is improper validation of the recipient address in the deliver_message() function in src/deliver.c: the local part of a recipient address is passed through Exim's string expansion, so an address whose local part carries an expansion item such as ${run{...}} causes Exim to execute an attacker-chosen command. The issue was reported by Qualys, who found it trivially exploitable by a local user and exploitable remotely under some non-default configurations.

Exim is a mail transfer agent (MTA) used on Unix-like operating systems. Exim is free software distributed under the terms of the GNU General Public License, and it aims to be a general and flexible mailer with extensive facilities for checking incoming e-mail.

Exim has been ported to most Unix-like systems, as well as to Microsoft Windows using the Cygwin emulation layer. Exim 4 is currently the default MTA on Debian GNU/Linux systems.

A large number of Exim installations exist, especially within Internet service providers and universities in the UK. Exim is also widely used with the GNU Mailman mailing list manager, and cPanel.

CVSS3 Base Score 9.0
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
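Because the vulnerable path is the expansion of the recipient local part, exploitation attempts leave the expansion syntax in the recipient address that Exim logs. The script below is an added example (not part of this alert and not Exim's own tooling) that flags mainlog-style lines whose recipient contains an expansion opener. The sample lines are constructed to approximate Exim's log format and are not captured data; the script assumes the standard "for <address>" and "rejected RCPT <address>" wording.

```shell
#!/bin/sh
# Added example: flag Exim log lines whose recipient address carries a string
# expansion item such as ${run{...}}, the recipient form associated with
# CVE-2019-10149. Not from the advisory or the Exim project.

# Constructed sample of mainlog-style lines (assumption: layout approximates a
# real Exim mainlog; this is illustrative data, not a captured log).
SAMPLE_LOG='2019-06-10 10:00:01 1hZxyz-0001aa-Bc <= root@example.org H=(localhost) [203.0.113.5] P=esmtp S=312 for ${run{\x2Fbin\x2Fsh\t-c\t\x22id\x22}}@localhost
2019-06-10 10:00:02 1hZxyz-0001ab-Bd <= alice@example.org H=mail.example.net [198.51.100.7] P=esmtp S=1402 for bob@example.com
2019-06-10 10:00:03 H=(localhost) [203.0.113.5] rejected RCPT <${run{/usr/bin/wget}}@localhost>: relay not permitted'

# find_expansion_recipients: read log lines on stdin and print those whose
# recipient (after "for " or inside "RCPT <...>") starts with "${".
# "\$\{" in the ERE matches a literal dollar sign followed by a literal brace.
find_expansion_recipients() {
    grep -E 'for \$\{|RCPT <\$\{'
}

# count_suspicious LOGTEXT: number of flagged lines in the given log text.
count_suspicious() {
    printf '%s\n' "$1" | find_expansion_recipients | wc -l | tr -d ' '
}

# Usage on the constructed sample. On a real host, run instead:
#   find_expansion_recipients < /var/log/exim4/mainlog
printf '%s\n' "$SAMPLE_LOG" | find_expansion_recipients
```

The pattern deliberately matches any expansion opener rather than only `${run{`, since other expansion items are equally out of place in a recipient address; review every hit, and treat a match on an affected version as a potential compromise rather than a blocked attempt.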

Affected version

  • Exim Version >= 4.87
  • Exim Version <= 4.91

Unaffected version

  • Exim Version 4.92 and later

Solution

Exim officially fixed the vulnerability in version 4.92. Users are advised to upgrade to 4.92 or later as soon as possible. Distributions that ship an affected release may backport the fix to their packaged version instead of moving to 4.92, so check your vendor's security advisory rather than relying on the version number alone.
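A quick way to triage a fleet against the version ranges above is to compare the upstream major.minor number reported by the Exim binary. The script below is an added example (not from this alert or the Exim project); it assumes `exim -bV` prints a first line of the form "Exim version 4.91 #2 built ..." and that the ranges in this alert refer to upstream major.minor numbers, so a distribution package that backported the fix will still be reported as affected.

```shell
#!/bin/sh
# Added example: decide from an Exim version string whether it falls in the
# affected range 4.87..4.91, and optionally read that string from the local
# binary. Not the advisory's or Exim's own tooling.

# exim_version_affected VERSION
#   Returns 0 if VERSION is within [4.87, 4.91], 1 otherwise.
#   Only the leading major.minor number is compared; suffixes such as "-RC1"
#   or distribution patch levels are ignored (assumption: the advisory's
#   ranges are upstream major.minor numbers).
exim_version_affected() {
    v=$(printf '%s' "$1" | sed -E 's/^[^0-9]*([0-9]+\.[0-9]+).*/\1/')
    major=${v%%.*}
    minor=${v#*.}
    # Reject anything that did not reduce to two numeric fields.
    case "$major$minor" in
        *[!0-9]*|'') return 1 ;;
    esac
    [ "$major" -eq 4 ] && [ "$minor" -ge 87 ] && [ "$minor" -le 91 ]
}

# installed_exim_version
#   Prints the major.minor version of the first exim/exim4 binary on PATH,
#   parsed from the first line of "exim -bV" (assumed format:
#   "Exim version 4.91 #2 built ..."). Returns 1 if no binary is found.
installed_exim_version() {
    for bin in exim exim4; do
        if command -v "$bin" >/dev/null 2>&1; then
            "$bin" -bV 2>/dev/null | sed -nE '1s/^Exim version ([0-9]+\.[0-9]+).*/\1/p'
            return 0
        fi
    done
    return 1
}

# Stand-alone usage: report on the host this runs on.
if ver=$(installed_exim_version) && [ -n "$ver" ]; then
    if exim_version_affected "$ver"; then
        echo "Exim $ver: within the affected range, upgrade to 4.92 or later"
    else
        echo "Exim $ver: outside the affected range"
    fi
else
    echo "exim binary not found or version not parsed; nothing to check"
fi
```

On Debian and Ubuntu, pair the upstream number with `dpkg -s exim4-daemon-light` (or `exim4-daemon-heavy`) and the vendor advisory, since those packages carry the fix at a patched 4.89 or 4.91 version string.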