CVE-2019-15846: Unauthenticated Remote Command Execution Flaw Disclosed for Exim

Ryan Seguin

CVE-2019-15846, a new unauthenticated remote code execution vulnerability in the Exim message transfer agent, has been patched in version 4.92.2. Users are encouraged to upgrade immediately.

Background

Exim Internet Mailer is a message transfer agent (MTA) for Unix hosts used to manage mail routing services for an organization. Exim is reportedly the most used MTA in the world, and has over 5 million internet-facing hosts, according to Shodan. Exploiting CVE-2019-15846 would allow a remote unauthenticated attacker to fully take control of a vulnerable Exim server.

CVE-2019-15846: Unauthenticated Remote Command Execution Flaw Disclosed for Exim

Analysis

This vulnerability follows on the heels of CVE-2019-10149, another remote command execution (RCE) flaw which we blogged about in June. Exploitation attempts were seen one week later

The Exim advisory describes CVE-2019-15846 as: 

"The SMTP Delivery process in all versions up to and including Exim 4.92.1 has a Buffer Overflow. In the default runtime configuration, this is exploitable with crafted Server Name Indication (SNI) data during a TLS negotiation. In other configurations, it is exploitable with a crafted client TLS certificate."

As stated in the initial bug report by Zerons, an unauthenticated remote attacker could send a malicious SNI ending in a backslash-null sequence during the initial TLS handshake, which causes a buffer overflow in the SMTP delivery process. This would allow an attacker to inject malicious code that Exim then arbitrarily executes as root. This vulnerability does not depend on the TLS library in use, so both GnuTLS and OpenSSL are affected.

The default Exim configuration file does not have TLS enabled, but most organizations are required to enable it for standard internet traffic handling purposes. Some versions of Exim bundled with operating systems may have TLS enabled by default.

Proof of concept

A rudimentary proof-of-concept (PoC) exists, according to the Exim team, but has not been made public.

Solution

The Exim team has released version 4.92.2 to fix this vulnerability, and administrators are encouraged to upgrade as soon as possible. While the official security advisory notes that disabling TLS does mitigate the vulnerability, it is strongly recommended not to do so.

Identifying affected systems

As noted in Exim’s notification email: “We've indication that only versions starting with 4.80 up to and including 4.92.1 are affected.” It is also important to note that users running versions older than 4.80, while not vulnerable to CVE-2019-15846, are vulnerable to CVE-2018-6789, another critical RCE flaw. Additionally, the Exim project officially does not support versions prior to the current stable version, but does note in their advisory they will support package maintainers in backporting the fix where resources permit.

A list of Tenable plugins to identify this vulnerability can be found here.

Get more information 

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Read more >

Published on Sep 6, 2019

People also viewed

Senior Financial Analyst - Corporate Development

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Finance Finance
Your Role:Become a core member of Tenable’s internal corporate development team and assist with business, financial and valuation modeling for mergers, acquisitions and other strategic investments and initiatives.  Assist with evaluating elements ...

Cloud Security Intern

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Information Technology Internships
Your Role: The Cloud Security Intern will help Tenable secure their use of cloud systems across the company.  The intern will develop, implement and monitor security solutions for the cloud that assess risk, keeps Tenable data safe and bake in sec...

Salesforce Administrator

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Business Platforms Business Platforms
Your Role:Tenable Network Security is looking for a Salesforce.com Administrator to join our internal business platforms team. The qualified candidate will engage in the administration of Tenable’s  Salesforce.com instance, play a key role in the ...

Technical Support Intern

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Technical Support Internships
Your Role: The Technical Support Intern provides consistent, world-class security, network, and product support for specific Tenable products. In serving as the primary liaison between the company and customer, the Technical Support Intern resolve...

Research Intern - Plugin Automation

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Research Internships
Your Role: Tenable Research is looking for a Software Engineer Intern for the Plugin Automation team.  The position will involve developing frameworks for automated content creation, and processes for validating and publishing the content that is ...

Sales Development Manager

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Lead Generation Sales
Your Role:Tenable is looking for an experienced SDR Manager that will report to the Senior Director of Worldwide Sales Development and is responsible for ensuring the success of the Americas Tenable Sales Development team’s goals, as well as contr...

We have big plans for continued global growth, and we’re looking for people who are creative, flexible and dedicated to helping us build something great – something that matters.