Critical Exim Flaw Leaves Millions of Servers Wide Open

A critical vulnerability found in Exim servers can enable a remote, unauthenticated attacker to execute arbitrary code with root privileges.

Exim is the most widely used MTA today, running more than half of the Internet-facing mail servers. It is an open source mail transfer agent (MTA) developed for Unix-like operating systems such as Linux, Mac OS X and Solaris, and it routes, delivers and receives email for more than 50% of the Internet’s email servers. The security vulnerability, tracked as CVE-2019-15846, only affects Exim servers that accept TLS connections, allowing attackers to gain root-level access to the system “by a backslash-null sequence at the end of an initial TLS handshake”.

CVE-2019-15846 affects Exim versions 4.80 to 4.92.1 inclusive. A server is vulnerable only if it accepts TLS connections. Exim installations do not come with TLS support enabled by default, but the builds integrated into various Linux distributions do.

The bug was fixed in Exim version 4.92.2, and users are urged to upgrade to it. Those who cannot should ask their package maintainer for a version that includes a backported fix. The Exim maintainers have explained the threat in detail here.

SNI, Server Name Indication, is an extension of the TLS protocol that allows a server to host multiple TLS certificates for multiple sites, all under the same IP address. According to the Exim team, the vulnerability affects both GnuTLS and OpenSSL builds, since it does not depend on the TLS library the server uses.

Moreover, although TLS is not enabled in the default configuration of the Exim mail server software, some operating systems bundle Exim with this vulnerable feature enabled by default.

This Friday, the Exim team warned of a serious flaw in its software. If an Exim server is configured to accept incoming TLS connections, an attacker can send a malicious backslash-null sequence appended to the end of an SNI packet and execute malicious code with root privileges.

The problem was reported by a security researcher called Zerons in early July, and the Exim team worked on it in secret. The secrecy was justified by the number of vulnerable servers, the ease of exploitation and the root access the flaw grants.

There is a catch, however. By default, Exim installations do not ship with TLS enabled, but the Exim instances included in Linux distros do ship with TLS enabled by default. Since most server administrators use OS images and few go through the process of downloading Exim manually, most Exim instances are exposed.

In addition, the Exim instances shipped with cPanel, a popular web hosting software package, also have TLS enabled by default. The good news is that the cPanel staff moved quickly to integrate the Exim patch into a cPanel update.

Server administrators are strongly advised to install the latest Exim 4.92.2 version immediately; if that is not possible, the problem can be mitigated by not allowing unpatched Exim servers to accept TLS connections.
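The two conditions the article describes (a version in the 4.80 to 4.92.1 range, and a server that actually accepts TLS) can be triaged from the output of Exim's own introspection commands. The script below is an added example written for this page, not code from the Exim project or the article's author. It parses the version and compiled-in TLS library from `exim -bV` output and the `tls_advertise_hosts` setting from `exim -bP tls_advertise_hosts` output; the sample outputs embedded here are constructed, and the assumption that an empty `tls_advertise_hosts` means no TLS is offered is the script's own. Because distribution packages backport fixes without changing the version string, treat an "exposed" result as a prompt to check the package changelog, not as proof.

```python
import re
from dataclasses import dataclass

# Version range the article gives for CVE-2019-15846 and the release that fixed it.
VULN_MIN = (4, 80, 0)
VULN_MAX = (4, 92, 1)
FIXED = (4, 92, 2)


@dataclass
class Assessment:
    version: tuple
    in_range: bool        # version within 4.80 .. 4.92.1
    tls_built: bool       # OpenSSL or GnuTLS compiled in
    tls_advertised: bool  # tls_advertise_hosts non-empty
    exposed: bool         # all three conditions hold

    @property
    def advice(self) -> str:
        if not self.in_range:
            return "version outside affected range"
        if not self.tls_built:
            return "affected version, but TLS not compiled in"
        if not self.tls_advertised:
            return "affected version, TLS not advertised (mitigated)"
        return "EXPOSED: upgrade to %d.%d.%d or stop accepting TLS" % FIXED


def parse_version(bv_output: str) -> tuple:
    """Pull (major, minor, patch) from the 'Exim version X.Y[.Z] ...' line of exim -bV."""
    m = re.search(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?", bv_output)
    if not m:
        raise ValueError("no 'Exim version' line found in -bV output")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def tls_compiled_in(bv_output: str) -> bool:
    """exim -bV lists the TLS library (OpenSSL or GnuTLS) on its 'Support for:' line."""
    return bool(re.search(r"^Support for:.*\b(OpenSSL|GnuTLS)\b", bv_output, re.M))


def tls_advertised(bp_output: str) -> bool:
    """Assumption: an empty tls_advertise_hosts means STARTTLS is not offered to anyone."""
    m = re.search(r"^tls_advertise_hosts\s*=\s*(.*)$", bp_output, re.M)
    return bool(m and m.group(1).strip())


def assess(bv_output: str, bp_output: str) -> Assessment:
    version = parse_version(bv_output)
    in_range = VULN_MIN <= version <= VULN_MAX
    built = tls_compiled_in(bv_output)
    advertised = tls_advertised(bp_output)
    return Assessment(version, in_range, built, advertised,
                      exposed=in_range and built and advertised)


# Constructed sample outputs (not captured from a real host).
SAMPLE_BV = (
    "Exim version 4.92 #3 built (constructed sample)\n"
    "Support for: crypteq iconv() IPv6 OpenSSL DKIM Event\n"
)
SAMPLE_BP_TLS_ON = "tls_advertise_hosts = *\n"
SAMPLE_BP_TLS_OFF = "tls_advertise_hosts = \n"

if __name__ == "__main__":
    # On a real host: exim -bV > bv.txt ; exim -bP tls_advertise_hosts > bp.txt
    for label, bp in (("TLS advertised", SAMPLE_BP_TLS_ON), ("TLS disabled", SAMPLE_BP_TLS_OFF)):
        result = assess(SAMPLE_BV, bp)
        print(f"{label}: version {result.version} -> {result.advice}")
```

The version comparison works on integer tuples, so 4.92 (treated as 4.92.0) sorts inside the range while 4.92.2 and 4.79 fall outside it.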