The Industry’s Only SaaS-Delivered Enterprise DLP

Our unique approach to DLP allows for quick deployment and on-demand scalability, while providing full data visibility and no-compromise protection.

No-Compromise Data Protection is:

  • Cloud-Delivered
  • Cross Platform
  • Flexible Controls

Digital Guardian's Blog

Millions of Exim Servers Vulnerable to Remote Code Execution Vulnerability

by Chris Brook on Monday September 9, 2019

Contact Us
Free Demo

A critical vulnerability in Exim, by far the world's most popular email server, was disclosed on Friday.

If they haven't already, system administrators who manage the Exim internet mailer are being encouraged to update to the latest version, 4.92.2, as soon as possible in order to mitigate a critical vulnerability that could let an attacker execute programs with root privileges on the underlying system.

Specifically, if an Exim server is configured to accept incoming TLS connections, the vulnerability (CVE-2019-15846) could allow an attacker to run malicious code by sending a trailing backslash-null sequence, attached to the ending of a SNI packet, upon the initial handshake.

Exim, one of the most popular mail transfer agents, or MTAs, is run on millions of servers. It was developed at the University of Cambridge for use on Unix systems back in 1995; the university still hosts its website and domain.

According to a server survey conducted just 10 days ago by Security Space, Exim accounts for 57 percent of mail servers. A quick search on Shodan - a service that shows internet exposed systems and devices – shows that 3.5 million servers are currently running version 4.92 of Exim. Just over one million other servers, 1,019,167, are running older versions like 4.92.1, 4.91, 4.89, 4.87, and 4.90.1.

The bug, disclosed on Friday, has a low attack complexity and doesn't need privileges or user interaction to be exploited, something that fetches a 9.8, or critical, ranking on the CVSS v3.0 severity scale, according to The National Institute of Standards and Technology's National Vulnerability Database.

The issue affects versions 4.80 to, and including, 4.92.1 of Exim.

According to an update from the Exim team on Friday, only servers that accept TLS connections are vulnerable and while the vulnerability doesn't depend on the TLS library, both GnuTLS and OpenSSL are affected. Additionally, a proof of concept for the vulnerability exists according to the team, but has not been released publicly.

Admins could disable TLS to mitigate the vulnerability but given that doing so would expose email traffic in cleartext and increase the likeliness of sniffing attacks and/or traffic interception, it’s highly discouraged.

It's the second major flaw that Exim admins have had to deal with this summer following a vulnerability in June dubbed “The Return of the WIZard” that affected versions 4.87 to 4.91 and also granted attackers the ability to run commands as root on remote email servers.

Per Exim's handlers, the most recent vulnerability was discovered in July by a researcher going by the handle Zerons. Qualys performed a more in depth analysis of the vulnerability soon after and helped develop a fix for the issue in the month or so following.

Tags: Vulnerabilities

Recommended Resources

  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business
  • The Five Stages of Threat Hunting
  • A Proactive Approach to Threat Hunting
  • Expert Tips

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.