This article is more than 1 year old
Exim marks the spot… of remote code execution: Patch due out today for 'give me root' flaw in mail server
Install incoming update to avoid having your boxes hijacked
The widely used Exim email server software is due to be patched today to close a critical security flaw that can be exploited to potentially gain root-level access to the machine.
The programming blunder can be abused over the network, or internet if the server is public facing, or by logged-in users to completely commandeer vulnerable installations, steal or tamper with data, install spyware, and so on.
The vulnerability, designated CVE-2019-15846, has been kept under tight wraps. Details of the bug, along with updates to install to address the security weakness, are due to go live today at 1000 UTC. To be safe from the remote-code execution flaw, ensure you are running version 4.92.2 or later, either built from source or obtained from your operating system's package manager.
For those unfamiliar with the software, Exim is an open-source message transfer agent (MTA) used in a great many Unix and Linux systems – we're talking at the very least millions of public-facing servers – to send and receive emails.
We understand the flaw was discovered and reported by an infosec bod using the handle Zerons, and the programming blunder analyzed for the Exim team by security house Qualys. Also, we're told that the remote-code execution flaw was accidentally introduced to the code when a project contributor tried to fix an earlier vulnerability. As a result, all versions up to and including 4.92.1 are affected with the software's default configuration.
Heiko Schlitterman, one of the developers responsible for looking after Exim, said the critical vulnerability was reported to himself and other Exim maintainers on September 3. The next day, a notice was sent out through mailing lists that an update would be released, as part of a coordinated disclosure, on September 6, giving maintainers and Linux distributions enough time to develop, test, and queue up the patch.
Schlitterman said that while there is no sign of any exploit code yet, some bare-bones proof-of-concept code targeting the hole does exist, so admins and users are well-advised to test and install today's update on all relevant machines that they manage.
"Head up! Security release ahead!" Schlitterman wrote in one security mailing list post. "A local or remote attacker can execute programs with root privileges. Currently there is no known exploit, but a rudimentary [proof of concept] exists."
The patch is the first major update for Exim since July when the 4.92.1 build was released. That update also addressed a remote-code-execution flaw in the software, though its exploitability depended upon an installation's configuration.
A month prior to that, the Exim team and infosec biz Qualys sounded the alarm over a flaw in the software reported in February that turned out to be more serious than first thought. ®
Updated to add
The Exim team, as expected, has emitted an advisory as well as patches and mitigations for CVE-2019-15846. The security bug is present if your Exim installation accepts TLS connections, which it should.
Biting the hand that feeds IT
