Last week, a vulnerability was found in all the versions of Exim, a mail transfer agent (MTA), that when exploited can let attackers run malicious code with root privileges. According to the Exim team, all Exim servers running version 4.92.1 and the previous ones are vulnerable.
On September 4, the team at Exim published a warning on the Openwall information security mailing list regarding the critical security flaw that was affecting Exim. On Friday, the team at Exim released 4.92.2 to address this vulnerability.
This vulnerability with the ID, CVE-2019-15846 was reported in July by a security researcher called Zerons. The vulnerability allows attackers to take advantage of the TLS ServerName Indicator and execute programs with root privileges on servers that accept TLS connections.
An attacker can simply create a buffer overflow to gain access to a server running Exim as the bug doesn’t depend on the TLS library that is used by the server, both GnuTLS, as well as OpenSSL, get affected.
It is used to serve around 57% of all publicly reachable email servers over the internet. Exim was initially designed for Unix servers, is currently available for Linux and Microsoft Corp. Windows and is also used for the email in cPanel.
Exim’s advisory says, “In the default runtime configuration, this is exploitable with crafted ServerName Indication (SNI) data during a TLS negotiation.”
Server owners can mitigate by disabling TLS support for the Exim server but it would expose email traffic in cleartext and would make it vulnerable to sniffing attacks and interception.
Also, this mitigation plan can be more dangerous for the Exim owners living in the EU, since it might lead their companies to data leaks, and the subsequent GDPR fines. Also, Exim installations do not have the TLS support enabled by default but the Exim instances with Linux distros ship with TLS enabled by default.
Exim instances that ship with cPanel also support TLS by default but the cPanel staff have moved towards integrating the Exim patch into a cPanel update that they already started rolling it out to customers.
A similar vulnerability named as CVE-2019-13917 was found in July that impacted Exim 4.85 up to and including 4.92 and got patched with the release of 4.92.1. Even this vulnerability would allow remote attackers to execute programs with root privileges. In June, the team at Exim had patched CVE-2019-10149, a vulnerability that is called “Return of the Wizard,” that allowed attackers to run malicious code with root privileges on remote Exim servers. Also, Microsoft had issued a warning in June regarding a Linux worm that was targeting Azure Linux VMs that were running vulnerable Exim versions.
Most of the users are sceptical about the meditation plan as they are not comfortable around disabling the TLS as the mitigation option. A user commented on HackerNews, “No kidding? Turning off TLS isn’t an option at many installations. It’s gotta work.”
Other interesting news in Security