3 min read

Last week, a vulnerability was found in all the versions of Exim, a mail transfer agent (MTA), that when exploited can let attackers run malicious code with root privileges. According to the Exim team, all Exim servers running version 4.92.1 and the previous ones are vulnerable. 

On September 4, the team at Exim published a warning on the Openwall information security mailing list regarding the critical security flaw that was affecting Exim. On Friday, the team at Exim released 4.92.2 to address this vulnerability.

This vulnerability with the ID, CVE-2019-15846 was reported in July by a security researcher called Zerons. The vulnerability allows attackers to take advantage of the TLS ServerName Indicator and execute programs with root privileges on servers that accept TLS connections.

An attacker can simply create a buffer overflow to gain access to a server running Exim as the bug doesn’t depend on the TLS library that is used by the server, both GnuTLS, as well as OpenSSL, get affected.


Exim is used to serve around 57% of all publicly reachable email servers over the internet. Exim was initially designed for Unix servers, is currently available for Linux and Microsoft Corp. Windows and is also used for the email in cPanel. 

Exim’s advisory says, “In the default runtime configuration, this is exploitable with crafted ServerName Indication (SNI) data during a TLS negotiation.” 

Read Also: A year-old Webmin backdoor revealed at DEF CON 2019 allowed unauthenticated attackers to execute commands with root privileges on servers

Server owners can mitigate by disabling TLS support for the Exim server but it would expose email traffic in cleartext and would make it vulnerable to sniffing attacks and interception.

Also, this mitigation plan can be more dangerous for the Exim owners living in the EU, since it might lead their companies to data leaks, and the subsequent GDPR fines. Also, Exim installations do not have the TLS support enabled by default but the Exim instances with Linux distros ship with TLS enabled by default

Exim instances that ship with cPanel also support TLS by default but the cPanel staff have moved towards integrating the Exim patch into a cPanel update that they already started rolling it out to customers.

Read Also: A vulnerability found in Jira Server and Data Center allows attackers to remotely execute code on systems

A similar vulnerability named as CVE-2019-13917 was found in July that impacted Exim 4.85 up to and including 4.92 and got patched with the release of 4.92.1. Even this vulnerability would allow remote attackers to execute programs with root privileges. In June, the team at Exim had patched CVE-2019-10149, a vulnerability that is called “Return of the Wizard,” that allowed attackers to run malicious code with root privileges on remote Exim servers. Also, Microsoft had issued a warning in June regarding a Linux worm that was targeting Azure Linux VMs that were running vulnerable Exim versions.

Most of the users are sceptical about the meditation plan as they are not comfortable around disabling the TLS as the mitigation option. A user commented on HackerNews, “No kidding? Turning off TLS isn’t an option at many installations. It’s gotta work.”

Other interesting news in Security 

CircleCI reports of a security breach and malicious database in a third-party vendor account

Hundreds of millions of Facebook users’ phone numbers found online, thanks to an exposed server, TechCrunch reports

Espressif IoT devices susceptible to WiFi vulnerabilities can allow hijackers to crash devices connected to enterprise networks