CVE-2019-15846: Exim Remote ‘Root’ Code Execution Vulnerability Alert

Recently, Exim, the mail transfer agent widely used on Linux and other Unix-like systems, was found to contain a remote code execution vulnerability (CVE-2019-15846) in its handling of incoming TLS connections. It potentially allows attackers to gain root-level access to the system “by sending an SNI ending in a backslash-null sequence during the initial TLS handshake.”

Exim is a mail transfer agent (MTA) used on Unix-like operating systems. Exim is free software distributed under the terms of the GNU General Public License, and it aims to be a general and flexible mailer with extensive facilities for checking incoming e-mail.

Exim has been ported to most Unix-like systems, as well as to Microsoft Windows using the Cygwin emulation layer. Exim 4 is currently the default MTA on Debian GNU/Linux systems.

A large number of Exim installations exist, especially within Internet service providers and universities in the UK. Exim is also widely used with the GNU Mailman mailing list manager, and cPanel.

Affected version

  • Exim < 4.92.2

Unaffected version

  • Exim 4.92.2

Solution

At present, although no public exploit has been disclosed, Qualys has described several key steps for building one (an EXP), ultimately using the vulnerability to write to the /etc/passwd file and remotely obtain root privileges. An attacker could write an exploit based on this description. We recommend that users upgrade to version 4.92.2 immediately.

If you cannot upgrade immediately, it is recommended to add the following rules to Exim’s acl_smtp_mail ACL.

For an attacking SNI, the following ACL snippet should work:

# to be prepended to your mail acl (the ACL referenced
# by the acl_smtp_mail main config option)
deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}}
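As an added illustration (not part of the advisory, and not Exim code), the following Python models what the two ACL lines above test: it mimics Exim's ${substr{-1}{1}{...}} on $tls_in_sni and $tls_in_peerdn, runs the check over constructed handshake values (hypothetical hostnames, including the empty-SNI and mid-string-backslash cases the ACL does not flag), and shows a defensive unescaper that refuses a dangling trailing backslash instead of consuming the byte after it.

```python
# Added example: models the advisory's mitigation ACL in Python so it can be
# exercised offline. It is not Exim code; hostnames below are constructed.

def exim_substr(value: str, start: int, length: int) -> str:
    """Mimic Exim's ${substr{start}{length}{value}} for the form the
    advisory uses: a negative start counts back from the end of the string."""
    if start < 0:
        start = max(len(value) + start, 0)
    return value[start:start + length]


def acl_denies(tls_in_sni: str = "", tls_in_peerdn: str = "") -> bool:
    """True when either ACL line in the advisory would fire: the final
    character of $tls_in_sni or $tls_in_peerdn is a backslash."""
    return any(exim_substr(v, -1, 1) == "\\" for v in (tls_in_sni, tls_in_peerdn))


def safe_unescape(value: str) -> str:
    """Defensive unescaper for backslash sequences: an odd run of backslashes
    at the very end (the 'trailing backslash' shape the advisory describes)
    is rejected up front rather than read past the end of the input."""
    if (len(value) - len(value.rstrip("\\"))) % 2 == 1:
        raise ValueError("dangling backslash at end of input")
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\":
            out.append(value[i + 1])  # safe: dangling case excluded above
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


# Constructed TLS handshake values (hypothetical names, not indicators):
# (tls_in_sni, tls_in_peerdn, expected ACL result).
SAMPLE_HANDSHAKES = [
    ("mail.example.test", "", False),        # ordinary SNI: accepted
    ("", "", False),                          # no SNI presented: accepted
    ("mail.example.test\\", "", True),        # SNI ending in a backslash: denied
    ("", "CN=client.example.test\\", True),   # same shape in the peer DN: denied
    ("a\\b.example.test", "", False),         # backslash mid-string: not this ACL's target
]


def evaluate_samples():
    """Return (sni, peerdn, denied) for every constructed sample."""
    return [(sni, dn, acl_denies(sni, dn)) for sni, dn, _ in SAMPLE_HANDSHAKES]
```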