Analysis of recent Exim mail server vulnerabilities
Over the past months, multiple critical vulnerabilities have been found in Exim mail servers that could allow attackers to gain remote access and perform malicious activities: CVE-2019-16928, CVE-2019-15846, and CVE-2019-10149.
In this article, we analyze these vulnerabilities and try to understand their root causes. We also look at which systems are affected and why Exim mail servers need to be patched immediately.
1. What is Exim?
Exim is one of the most popular open-source mail transfer agents (MTAs) for Unix systems; according to the recent Mail (MX) Server Survey, it is deployed on 57% of all Internet email servers. This makes Exim a very attractive target for attackers.
Because it is free and highly configurable, Exim is widely deployed on operating systems such as Linux, Mac OS X, and Solaris. A report from the Shodan search engine estimated the number of active servers at over 5 million.
2. Analysis of Exim vulnerabilities
CVE-2019-16928
For the second time in September, the maintainers of the Exim project had to release an urgent patch for a critical security flaw found in the mailing server.
Tracked as CVE-2019-16928, the flaw was first reported by QAX-A-TEAM and described as a heap-based overflow vulnerability. It could let attackers launch denial of service (DoS) or remote code execution attacks against affected mail servers.
The vulnerability is a heap-based buffer overflow (memory corruption) in string_vformat() in string.c, which is used by the EHLO (or HELO) command handler.
In practice, this could let unauthenticated remote attackers execute arbitrary system commands by sending a specially crafted EHLO string to the target mail server, or crash the Exim process that is receiving the message. The Exim advisory said:
While at this mode of operation, Exim already dropped its privileges, other paths to reach the vulnerable code may exist. Remote code execution seems to be possible.
If an attacker succeeds in gaining access to the target server, they can install programs; view, change, or delete sensitive data; and even create new accounts with full user privileges.
The Exim maintainers have already released a security patch for this vulnerability, included in Exim 4.92.3. A proof-of-concept for the flaw is also available.
CVE-2019-15846
Another critical vulnerability was found in the Exim mail server last month. Known as CVE-2019-15846, it could let attackers gain local access (as an unprivileged user) to a system or remotely execute programs with root privileges.
The bug was initially reported by a researcher called “Zerons” on July 21, 2019, and then analyzed by Qualys researchers, who warned about this vulnerability.
An Exim server is vulnerable if it accepts TLS connections; this “does not depend on the TLS library, so both GnuTLS and OpenSSL (protocols) are affected”, said the Exim team.
Exim maintainers explained that exploiting the vulnerability requires “sending an SNI (Server Name Indication) ending in a backslash-null sequence during the initial TLS handshake”. This could cause a buffer overflow in the SMTP (Simple Mail Transfer Protocol) handling process.
Following this disclosure, on September 4, 2019, the Exim team warned system administrators and users about upcoming security patches for versions up to and including Exim 4.92.1.
Two days later, on September 6, 2019, Exim 4.92.2 was released, fixing the RCE vulnerability, and all users were urged to upgrade as soon as possible.
The Exim team confirmed the existence of a rudimentary proof-of-concept (PoC), but at the time of writing there is no public exploit available.
CVE-2019-10149
A similarly severe vulnerability affecting Exim servers was reported a few months earlier. Tracked as CVE-2019-10149 and named “The Return of the Wizard”, the vulnerability was discovered in June by Qualys researchers during a code review of Exim.
Days after it was revealed, security researchers detected exploitation attempts by attackers who wanted to “gain full root access via SSH to target Linux servers”.
Regarding this vulnerability, the Exim team stated that “the severity depends on your configuration. It depends on how close to the standard configuration your Exim runtime configuration is. The closer the better”.
With the default configuration, a local attacker can exploit the flaw to execute commands as the root user by sending a specially crafted email “that will be interpreted by the expand_string function within the deliver_message() function.” Remote command execution under this default configuration is also possible.
3. Affected systems
All versions from 4.92 up to and including 4.92.2 are vulnerable to the latest flaw, CVE-2019-16928.
The other critical flaw, CVE-2019-15846, affects older Exim versions as well: 4.80 up to and including 4.92.1.
It is important to note that versions of Exim prior to 4.80 are not impacted by CVE-2019-15846, but they could be vulnerable to other critical RCE flaws, such as last year's remote code execution flaw CVE-2018-6789.
CVE-2019-10149 affected Exim versions 4.87 up to and including 4.91.
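To turn the version ranges above into a repeatable inventory check, here is an added Python helper (not from the article or the Exim project) that extracts the version from a banner line in the style of `exim -bV` output and reports which of the three CVEs apply, using the ranges exactly as stated in this section. The sample banners are constructed for illustration; an exact-version comparison is assumed, so the upper bound "4.91" is treated as 4.91.0.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# A version is modelled as (major, minor, patch); "4.92" becomes (4, 92, 0).
Version = Tuple[int, int, int]


class AffectedRange(NamedTuple):
    cve: str
    low: Version   # inclusive
    high: Version  # inclusive
    note: str


# Affected ranges as given in the "Affected systems" section of the article.
AFFECTED: List[AffectedRange] = [
    AffectedRange("CVE-2019-16928", (4, 92, 0), (4, 92, 2),
                  "heap overflow in EHLO/HELO handling; fixed in 4.92.3"),
    AffectedRange("CVE-2019-15846", (4, 80, 0), (4, 92, 1),
                  "TLS SNI backslash-null overflow; fixed in 4.92.2"),
    AffectedRange("CVE-2019-10149", (4, 87, 0), (4, 91, 0),
                  "expand_string() in deliver_message(); fixed in 4.92"),
]

FIXED_VERSION: Version = (4, 92, 3)

# Matches "X.YY" or "X.YY.Z" anywhere in a line, e.g. "Exim version 4.92.1 #2".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b")


def parse_version(text: str) -> Optional[Version]:
    """Return the first X.YY[.Z] version found in text, or None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def affected_cves(version: Version) -> List[str]:
    """List the CVEs from the article whose inclusive range contains version."""
    return [r.cve for r in AFFECTED if r.low <= version <= r.high]


def assess(banner: str) -> Dict[str, object]:
    """Assess one banner line and recommend an action for the defender."""
    version = parse_version(banner)
    if version is None:
        return {"version": None, "cves": [], "action": "could not parse version"}
    cves = affected_cves(version)
    if version < (4, 80, 0):
        # Below the oldest range covered here; older advisories still apply.
        action = ("pre-4.80: outside the three CVEs discussed, "
                  "check older advisories such as CVE-2018-6789")
    elif cves:
        action = "upgrade to 4.92.3 (or a vendor build with backported fixes)"
    else:
        action = "not affected by the three CVEs discussed"
    return {"version": version, "cves": cves, "action": action}


if __name__ == "__main__":
    # Constructed sample banners in the style of the first line of `exim -bV`.
    SAMPLE_BANNERS = [
        "Exim version 4.92.1 #2 built 01-Jan-2019 00:00:00",
        "Exim version 4.89 #1 built 01-Jan-2018 00:00:00",
        "Exim version 4.92.3 #3 built 01-Oct-2019 00:00:00",
        "Exim version 4.72 #1 built 01-Jan-2011 00:00:00",
    ]
    for line in SAMPLE_BANNERS:
        result = assess(line)
        print(f"{line!r}: version={result['version']} "
              f"cves={result['cves']} -> {result['action']}")
```

Feed it the first line of `exim -bV` from each host (or a distribution's package version string, which the regex also handles) and treat any non-empty `cves` list as a host to patch first.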
4. Mitigation
All system administrators and home users who run Exim servers are urged to upgrade as soon as possible to the latest (fixed) version, 4.92.3.
For those who cannot download and install the latest version, the Exim maintainers suggest that you “ask for a version containing the backported fix. On request and depending on our resources we will support you in backporting the fix.”
For CVE-2019-15846, disabling TLS is not recommended, even though it does mitigate the vulnerability. Instead, add rules to the mail access control list (ACL) that block the attack.
Exim recommends prepending the following two-line snippet to your mail ACL (the ACL referenced by the acl_smtp_mail main configuration option):
deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}}
If your servers are among those exposed to CVE-2019-15846, we recommend upgrading to the latest version rather than relying on the ACL workaround alone.
5. Final thoughts
Patching remains an essential security measure for closing critical flaws like the ones described above. Attackers do not stop exploiting vulnerabilities that could give them full control of your systems and sensitive data.