Overview
Versions 4.87 to 4.91 of Exim, a mail transfer agent, are vulnerable to remote command execution. This vulnerability enables a local attacker to run a command with root privileges. Although possible, remote exploitation is unreliable in the default configuration: a successful remote exploit requires a continued network connection for 7 days. A non-default configuration is still vulnerable to remote attacks.
Details
Exim is extensively used as an MTA on Unix-based systems. As a mail transfer agent, it accepts messages from different sources and delivers them to the right destination. Exim can receive messages from both remote hosts and local processes.

The vulnerability is caused by improper validation of the recipient address in the deliver_message() function in /src/deliver.c. A remote attacker sends mail to a specially crafted recipient address on the localhost, which is then interpreted by the expand_string() function. The improper validation allows the attacker to run commands as the root user.

Because of its resemblance to the DEBUG and WIZ vulnerabilities, which affected the Sendmail mail server in the '90s, this vulnerability is often referred to as "The return of the WIZard".

CVE-2019-10149 is difficult for a remote attacker to exploit. In part, the difficulty arises from the need for a continued network connection for 7 days. A non-default configuration such as the following is still vulnerable:
- the 'verify = recipient' ACL is removed
- 'local_part_suffix = +* : -*' is uncommented
- mail is relayed to a remote domain
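The following is an added example, not code from the advisory or from the Exim project, showing how a defender might check a host against the two facts stated above: the affected version range (4.87 to 4.91) and the three non-default settings that make remote exploitation practical. It parses the first line of `exim -bV` output and audits a configuration fragment. The sample `exim -bV` line and both configuration fragments are constructed for the example; treating a non-empty `relay_to_domains` list as evidence of relaying to a remote domain is an assumption of this script, not something the advisory states.

```python
import re

# CVE-2019-10149: the advisory names Exim 4.87 through 4.91 as affected and
# 4.92 as the fixed release. Versions are compared as (major, minor) tuples.
AFFECTED_MIN = (4, 87)
AFFECTED_MAX = (4, 91)

# Constructed sample of the first line of `exim -bV` output (not a real host).
SAMPLE_BV_OUTPUT = "Exim version 4.91 #3 built 18-Jan-2019 11:22:33\n"

# Constructed fragment showing all three non-default settings the advisory
# lists: the recipient-verification ACL is commented out, local_part_suffix
# is uncommented, and mail is relayed to a remote domain.
RISKY_CONFIG = """\
domainlist local_domains = @ : localhost
domainlist relay_to_domains = example.net
local_part_suffix = +* : -*
begin acl
acl_check_rcpt:
  accept  domains       = +local_domains
          endpass
          # verify        = recipient
"""

# Constructed fragment matching the default-style settings the advisory recommends.
DEFAULT_LIKE_CONFIG = """\
domainlist local_domains = @ : localhost
domainlist relay_to_domains =
# local_part_suffix = +* : -*
begin acl
acl_check_rcpt:
  accept  domains       = +local_domains
          endpass
          verify        = recipient
"""


def parse_exim_version(bv_output):
    """Return (major, minor) parsed from `exim -bV` output, or None if absent."""
    m = re.search(r"Exim version (\d+)\.(\d+)", bv_output)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_affected_version(version):
    """True when the parsed version falls inside the affected 4.87-4.91 range."""
    return version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX


def _active_lines(config_text):
    """Yield stripped configuration lines, skipping blanks and '#' comments."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def audit_config(config_text):
    """Return one finding per non-default setting from the advisory that is
    present in the fragment. An empty list means none of the three were found."""
    active = list(_active_lines(config_text))
    findings = []
    if not any(re.search(r"\bverify\s*=\s*recipient\b", ln) for ln in active):
        findings.append("recipient verification ACL ('verify = recipient') is absent")
    if any(re.match(r"local_part_suffix\s*=", ln) for ln in active):
        findings.append("'local_part_suffix' is uncommented")
    # Assumption (heuristic, not from the advisory): a non-empty relay_to_domains
    # list is taken as evidence that mail is relayed to a remote domain.
    for ln in active:
        m = re.match(r"domainlist\s+relay_to_domains\s*=\s*(.*)$", ln)
        if m and m.group(1).strip():
            findings.append("mail is relayed to a remote domain via relay_to_domains")
            break
    return findings


def assess(bv_output, config_text):
    """Combine the version check and the configuration audit into one verdict."""
    version = parse_exim_version(bv_output)
    findings = audit_config(config_text)
    if not is_affected_version(version):
        return "not affected: version %s is outside 4.87-4.91" % (version,)
    if findings:
        return "affected version with %d non-default setting(s) enabling remote attack; upgrade to 4.92" % len(findings)
    return "affected version; default configuration limits remote exploitation, still upgrade to 4.92"


if __name__ == "__main__":
    print(assess(SAMPLE_BV_OUTPUT, RISKY_CONFIG))
    for finding in audit_config(RISKY_CONFIG):
        print(" -", finding)
    print(assess(SAMPLE_BV_OUTPUT, DEFAULT_LIKE_CONFIG))
```

On a real host, feed the output of `exim -bV` and the contents of the active Exim configuration file into `assess()`; the version check alone decides whether to upgrade, while the audit findings indicate how exposed the host is to remote attack in the meantime.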
Affected Environments
Since Exim was created by the University of Cambridge, it is widely adopted by educational institutions. Exim is also used in GNU Mailman and cPanel, making this vulnerability widespread. Installations of versions 4.87 to 4.91 of Exim are affected.
Remediation
Use Exim version 4.92 or later
Prevention
Remote attacks can be prevented by using the default configuration.