More recently, at the beginning of summer, there were massive calls for updating Exim to 4.92 version due to the vulnerability CVE-2019-10149. And the other day it turned out that the malware Sustes decided to use this vulnerability.

Now all, who urgently updated the soft, can again be “happy”: on July 21, 2019, Zerons researcher discovered a critical vulnerability in the Exim Mail Transfer agent (MTA) by using TLS for versions from 4.80 to 4.92.1 inclusive, allowing remote code execution with privileged rights (CVE -2019-15846).

Vulnerability

The vulnerability is present when using both the GnuTLS and OpenSSL libraries for establishing a secure TLS connection.

According to developer Heiko Schlittermann, the configuration file in Exim doesn’t use TLS by default, however, many distributions create the necessary certificates during installation and include a secure connection. Newer versions of Exim also set the tls_advertise_hosts = * option and generate the necessary certificates.

depends on the configuration. Most distros enable it by default, but Exim needs a certificate+key to work as a TLS server. Probably Distros create a Cert during setup. Newer Exims have the tls_advertise_hosts option defaulting to “*” and create a self signed certificate, if none is provided.

The vulnerability itself consists in incorrect SNI processing (Server Name Indication, a technology introduced in 2003 in RFC 3546 for a client to request the correct certificate for a domain name, Distribution of the TLS SNI standard / WEBO Group’s blog) during a TLS handshake. It is enough for an attacker to send an SNI ending in a backslash (“\”) and a null character (“\ 0”).

“Quay’s” researchers found a bug in the string_printing (tls_in.sni) function, which is the incorrect \ “escaping. As a result, the backslash is written in unescaped form to the print spool header file. Further, this file with privileged rights is read by the spool_read_header () function, which leads to heap overflow.

Notice that, Exim developers have created PoC vulnerabilities with the execution of commands on a remote vulnerable server, but it is not yet publicly available. Due to the ease of operation of the bug, this is just a need of time, and quite a short one.

Number of potentially vulnerable public servers

According to the statistics from a large hosting provider E-Soft Inc on September 1, on leased servers with version 4.92 is used more than 70% of hosts.

 

Version

Number of Servers Percent
4.92.1 6471 1.28%
4.92 376436 74.22%
4.91 58179 11.47%
4.9 5732 1.13%
4.89 10700 2.11%
4.87 14177 2.80%

4.84

9937

1.96%

Other versions 25568

5.04%

 

If you turn to the search engine Shodan, then from 5,250,000 in the server database:

According to the search engine Shodan, from 5,250,000 in the server database:

  • about 3,500,000 use Exim 4.92 (about 1,380,000 with SSL / TLS);
  • over 74,000 use 4.92.1 (about 25,000 with SSL / TLS).

Thus, there are about 1.5 million publicly known and accessible Exim potentially vulnerable servers.

Protection

  • The simplest, but not recommended, option is to not use TLS, which will result in forwarding e-mail messages in clear text.
  • In order to avoid exploitation of the vulnerability, it will be more preferable to upgrade to Exim Internet Mailer 4.92.2.
  • If it is not possible to upgrade or install the patched version, you can set the ACL in the Exim configuration for the acl_smtp_mail option with the following rules: