A critical remote command execution vulnerability was recently identified in Exim, the UNIX-based mail transfer agent. The vulnerability, tracked as CVE-2019-10149, affects Exim versions 4.87 through 4.91, and as of today there is no patch for these older versions. The latest version of Exim, 4.92, released February 10, 2019, is not affected by this vulnerability.
Exploiting CVE-2019-10149 allows an attacker to execute commands with full administrative permissions on the target system, because the Exim mail transfer agent runs with root privileges. An attacker who successfully exploits this vulnerability could therefore install additional malicious software; view, change, or delete data; or create backdoor user accounts with full administrative privileges.
The vulnerability may be exploited by sending a specially crafted email message to a specific email address on a system’s localhost. The flaw lies in the way Exim parses the email data, and it can be leveraged so that attacker-supplied input reaches the execv() function, which executes it as a command with root privileges behind the scenes. For example, by sending a malicious email to a specific address, the attacker may be able to force the system to download additional malware, create a new user, or exfiltrate sensitive system information to an internet-accessible server the attacker controls.
The severity of any vulnerability is directly related to its exploitability. For complex bugs that require significant time and resources to develop a working exploit, the risk is considered lower than for vulnerabilities where a fully functional exploit is already available. The mechanism required to exploit the Exim flaw has been deemed “trivial”, so it is easily exploitable even by unsophisticated attackers. In fact, a fully functional exploit has been developed and released to Exploit-DB.com, a popular online repository of exploit code.
Here at OCD Tech, we conducted some simple analysis to identify just how many vulnerable systems might exist on the internet. A search was conducted using the Shodan search engine which revealed that approximately 4 million systems around the world are running vulnerable versions of Exim. If you are running Exim on any of your systems, we would strongly suggest upgrading to version 4.92 as soon as possible, as it is only a matter of time before widespread exploitation of this critical vulnerability begins.
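A check a defender can run against the affected range named above, as an added example that is not OCD Tech's or the Exim project's own code: it parses the version out of `exim -bV` output or an SMTP greeting banner (the sample lines below are constructed, not real hosts) and flags 4.87 through 4.91 as vulnerable to CVE-2019-10149.

```python
import re
from typing import Optional, Tuple

# Affected range stated in the advisory: Exim 4.87 through 4.91 (inclusive).
# 4.92 and later are not affected.
FIRST_AFFECTED = (4, 87)
LAST_AFFECTED = (4, 91)

# Matches "Exim version 4.91" (`exim -bV` output) and "ESMTP Exim 4.87" (SMTP banner).
_VERSION_RE = re.compile(r"\bExim(?:\s+version)?\s+(\d+)\.(\d+)", re.IGNORECASE)


def parse_exim_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from a banner or `exim -bV` line, or None if no Exim version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_affected(version: Tuple[int, int]) -> bool:
    """True if the version lies in the CVE-2019-10149 range 4.87 .. 4.91 (tuple comparison)."""
    return FIRST_AFFECTED <= version <= LAST_AFFECTED


def assess(text: str) -> str:
    """Classify one line: 'vulnerable', 'not affected' (4.92+), 'older than advisory range', or 'unknown'."""
    version = parse_exim_version(text)
    if version is None:
        return "unknown"          # not Exim, or version not exposed in this line
    if is_affected(version):
        return "vulnerable"
    if version > LAST_AFFECTED:
        return "not affected"
    # Below 4.87: outside the range the advisory lists; do not treat as safe without further review.
    return "older than advisory range"


# Constructed sample lines: one `exim -bV` header and three SMTP greeting banners.
SAMPLES = [
    "Exim version 4.91 #1 built 12-Jun-2018 10:23:11",
    "220 mail.example.test ESMTP Exim 4.87 Mon, 10 Jun 2019 09:00:00 +0000",
    "220 mx.example.test ESMTP Exim 4.92 Mon, 10 Jun 2019 09:00:00 +0000",
    "220 smtp.example.test ESMTP Postfix",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{assess(line):>26}  {line}")
```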