[SingCERT] Critical Vulnerability (CVE-2019-10149) in Exim Mail Server

Published on Saturday, 08 June 2019 13:07

Background

A critical vulnerability (CVE-2019-10149) was discovered in the Exim mail server, an open-source message transfer agent (MTA) widely deployed on Internet-facing Unix operating systems (OS). It has a Common Vulnerability Scoring System (CVSS) v3.0 base score of 9.8 out of 10.

The flaw is due to improper validation of the recipient address in the deliver_message() function: the address is passed through Exim's string expansion without being checked first. A local attacker, or a remote attacker sending a specially crafted email, can use this to execute arbitrary commands as root on the affected system. In Exim's default configuration, remote exploitation is not instantaneous, but a number of common non-default configurations make it trivially exploitable, so every Internet-facing instance should be treated as exposed.

Affected Products

All Exim versions from 4.87 to 4.91 inclusive are vulnerable to CVE-2019-10149. Version 4.92 is not affected.

Impact

Successful exploitation gives the attacker command execution as root, i.e. full compromise of the host running Exim. From there the attacker can read or tamper with mail, relay spam, install persistence, and use the server as a foothold into the rest of the network.

Recommendations

System administrators running Exim are advised to update to version 4.92 or later immediately, or to apply the backported security update from their distribution. Note that distribution packages which backport the fix usually keep the original version number, so confirm the patch status against the vendor's advisory rather than relying on the version string alone.
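The following is an added example, not part of the SingCERT advisory or the Exim project, showing how a first triage pass over a fleet can be scripted: parse the version out of `exim -bV` (or `exim4 -bV` on Debian-based systems) and compare it against the affected range 4.87 to 4.91. The sample `exim -bV` output embedded below is constructed for the example; the function names are assumptions of this script.

```shell
#!/bin/sh
# Returns 0 (true) when VERSION lies in the affected range 4.87..4.91
# inclusive, 1 otherwise. Version suffixes such as "_RC1" or a third
# component such as "4.92.1" are ignored for the comparison.
exim_version_affected() {
    ver="$1"
    major="${ver%%.*}"
    rest="${ver#*.}"
    minor="${rest%%[!0-9]*}"          # keep only the leading digits of the minor part
    [ "$major" = "4" ] || return 1
    [ -n "$minor" ] || return 1
    [ "$minor" -ge 87 ] && [ "$minor" -le 91 ]
}

# Extracts the version number from `exim -bV` output, whose first line
# looks like "Exim version 4.91 #1 built 22-Apr-2018 10:13:32".
exim_version_from_bv() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Classifies a block of `exim -bV` output as AFFECTED, NOT-AFFECTED or UNKNOWN.
# AFFECTED means only that the version string is in range: a distribution
# build that backports the fix will still report e.g. 4.89 and must be
# checked against the vendor advisory.
classify_exim_bv() {
    v="$(exim_version_from_bv "$1")"
    if [ -z "$v" ]; then
        echo "UNKNOWN"
    elif exim_version_affected "$v"; then
        echo "AFFECTED $v"
    else
        echo "NOT-AFFECTED $v"
    fi
}

# Runs the locally installed Exim binary, whichever name it was packaged under
# (Debian/Ubuntu ship it as exim4). Prints nothing when no binary is found.
local_exim_bv() {
    for bin in exim exim4; do
        if command -v "$bin" >/dev/null 2>&1; then
            "$bin" -bV 2>/dev/null
            return 0
        fi
    done
    return 1
}

# Constructed sample output, standing in for a real `exim -bV` run.
SAMPLE_BV='Exim version 4.91 #1 built 22-Apr-2018 10:13:32
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2018'

# Report on the sample, then on the real binary if one is installed.
echo "sample: $(classify_exim_bv "$SAMPLE_BV")"
if out="$(local_exim_bv)"; then
    echo "local:  $(classify_exim_bv "$out")"
else
    echo "local:  no exim/exim4 binary found"
fi
```

Run it on each host (for example through your configuration management or SSH loop) and collect the `local:` lines; anything reported as AFFECTED is a candidate for immediate patching, and anything UNKNOWN deserves a manual look, since a non-standard build or install path can hide a vulnerable instance.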

References

https://www.exim.org/static/doc/security/CVE-2019-10149.txt
https://nvd.nist.gov/vuln/detail/CVE-2019-10149
https://www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt
https://www.bleepingcomputer.com/news/security/millions-of-exim-mail-servers-exposed-to-local-remote-attacks/