Millions of Exim servers vulnerable to root-granting exploit

Millions of Exim servers are vulnerable to a security bug that when exploited can grant attackers the ability to run malicious code with root privileges.

All Exim servers running version 4.92.1 and before are vulnerable, the Exim team said in an advisory this week. Version 4.92.2 was released on Friday, September 6, to address the issue.

The issue might seem unimportant to many, but Exim is one of the most prevalent software today. Exim is a mail transfer agent (MTA), which is software that runs in the background of email servers. While email servers often send or receive messages, they also act as relays for other people’s emails. This is the MTA’s job.

Exim is the most prevalent MTA today, with a market share of over 57%, according to a June 2019 survey. Its success can be attributed to the fact that it’s been bundled with a slew of Linux distros, from Debian to Red Hat.

But this Friday, the Exim team warned of a critical exploit in its software. If the Exim server is configured to accept incoming TLS connections, an attacker can send a malicious backslash-null sequence attached to the ending of an SNI packet and run malicious code with root privileges.

The issue was reported in early July by a security researcher named Zerons, and has been patched in the utmost secrecy by the Exim team.

The secrecy was justified because of the ease of exploitation, the root access-granting effect, and because of the large number of vulnerable servers.

A BinaryEdge search lists over 5.2 million Exim servers running version 4.92.1 and earlier (the versions that are vulnerable).

ZDNet understands from sources in the threat intel community that there is no public exploit code for this issue, but that crafting an exploit is relatively trivial. Further, there haven’t been any active attacks observed in the wild, but scans for Exim servers have intensified in the last 24 hours.

Server owners can mitigate this vulnerability — tracked as CVE-2019-15846 — by disabling TLS support for the Exim server. However, this may not be an option, as this exposes email traffic in cleartext, and makes it vulnerable to sniffing attacks and interception.

This mitigation is not recommended for Exim owners living in the EU, since this may expose their companies to data leaks, and the subsequent GDPR fines.

However, there is also a catch. By default, Exim installations do not come with TLS support enabled by default. Nonetheless, the Exim instances included with Linux distros do ship with TLS enabled by default. Since most server administrators use OS images, and few go through the process of downloading Exim manually, most Exim instances are most likely vulnerable.

Furthermore, Exim instances that ship with cPanel, a popular web hosting software, also support TLS by default. The good news is that cPanel staff moved quickly to integrate the Exim patch into a cPanel update that they started rolling out to customers.

If you don’t know your Exim’s servers TLS status, the best bet at this point is to install the Exim patch, as this is the only way to fully prevent any active exploitation.

This is the second major Exim vulnerability patched this summer. In June, the Exim team patched CVE-2019-10149, a vulnerability known as “Return of the WIZard,” which also granted attackers the ability to run malicious code with root privileges on remote Exim servers.

The “Return of the WIZard” vulnerability came under active exploitation within a week after public disclosure, and someone crafted an Azure worm three days after that, forcing Microsoft to send out a security alert to all customers.

Security experts fully expect that this latest Exim security flaw will also come under active exploitation.