[SingCERT] Critical Vulnerability (CVE-2019-15846) in Exim Mail Server

Published on 07 Sep 2019

Updated on 23 Oct 2019

Background
A critical vulnerability (CVE-2019-15846) was discovered in the Exim mail server, an open-source message transfer agent used on Internet-facing Unix operating systems. It has a Common Vulnerability Scoring System (CVSS) v3.0 base score of 9.8 out of 10.

Improper input validation in Exim's code leads to a buffer overflow that allows a local or remote attacker to execute arbitrary commands with root privileges on the affected system.

Attackers can exploit the vulnerability by sending a trailing backslash in the Server Name Indication (SNI) domain name at the start of the Transport Layer Security (TLS) handshake. This vulnerability does not depend on the TLS library used by the server; both GnuTLS and OpenSSL builds are affected.

Affected Products
All Exim versions up to and including 4.92.1 are affected.
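As an added example (not code from SingCERT or the Exim project), the following Python checks an Exim version string against the affected range stated above and scans constructed TLS-handshake records for the trailing-backslash SNI condition the advisory describes. The record format and the 'exim -bV'-style version line are assumptions made for this example.

```python
import re

# Last vulnerable release named in the advisory; 4.92.2 contains the fix.
LAST_VULNERABLE = (4, 92, 1)

def parse_version(text):
    """Return the numeric Exim version as a tuple of ints from a bare
    string such as '4.92.1' or from a constructed line in the style of
    'exim -bV' output, e.g. 'Exim version 4.92.1 #3 built 01-Sep-2019'.
    Raises ValueError if no dotted version number is present."""
    m = re.search(r"\b(\d+(?:\.\d+)+)\b", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_affected(text):
    """True for every release up to and including 4.92.1."""
    v = parse_version(text)
    v = v + (0,) * (3 - len(v))  # pad so '4.92' compares as 4.92.0
    return v[:3] <= LAST_VULNERABLE

SNI_FIELD = re.compile(r"\bSNI=(\S+)")

def has_trailing_backslash(sni):
    """Trigger condition named in the advisory: SNI ends in a backslash."""
    return sni.endswith("\\")

def flag_handshakes(lines):
    """Scan records of the assumed form '<timestamp> <client-ip> SNI=<name>'
    (an example export format, not Exim's own log layout) and return
    (client-ip, sni) for every record whose SNI ends in a backslash."""
    hits = []
    for line in lines:
        parts = line.split()
        m = SNI_FIELD.search(line)
        if len(parts) < 3 or not m:
            continue
        sni = m.group(1)
        if has_trailing_backslash(sni):
            hits.append((parts[1], sni))
    return hits

SAMPLE_LOG = [  # constructed sample records, not real traffic
    "2019-09-07T10:00:01Z 198.51.100.7 SNI=mail.example.com",
    "2019-09-07T10:00:05Z 203.0.113.9 SNI=mail.example.com\\",
    "2019-09-07T10:00:09Z 192.0.2.44 SNI=-",
]
```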

Impact
Successful exploitation could lead to a full compromise of the Exim mail server, allowing an attacker to perform malicious activity through the mail server.

Recommendations
System administrators managing the Exim Internet mailer are advised to update to version 4.92.2 immediately.
