Critical Exim Flaw Opens Millions of Servers to Takeover


A critical vulnerability found in Exim servers could enable a remote, unauthenticated attacker to execute arbitrary code with root privileges.


Researchers are urging users to upgrade their Exim servers immediately after millions of servers were found to be vulnerable to a critical flaw that could allow a remote, unauthenticated attacker to take full control of them.

Exim, which is free software used on Unix-like operating systems (including Linux or Mac OSX), serves as a mail transfer agent that manages mail routing services for organizations. According to Shodan, Exim is the most used mail transfer agent globally and has over 5 million internet-facing hosts, meaning the attack surface for the flaw is massive.

All versions of Exim servers up to and including 4.92.1 have a serious flaw (CVE-2019-15846) that could allow a local or remote attacker to execute arbitrary code with root privileges, which means that they could take full control of the impacted server. The vulnerability ranks 9.8 out of 10 on the CVSS scale, making it critical in severity.

“The Exim team has released version 4.92.2 to fix this vulnerability, and administrators are encouraged to upgrade as soon as possible,” Ryan Seguin with Tenable said in a Friday advisory. “While the official security advisory notes that disabling TLS does mitigate the vulnerability, it is strongly recommended not to do so.”

While no public exploits of the vulnerability have yet been reported, according to the Exim team, a rudimentary proof-of-concept (PoC) does exist (but has not been made public).

“We can’t confirm whether a PoC has been made public, but it’s likely threat actors are working on developing their own as we speak,” Seguin told Threatpost. “By exploiting these flaws, an attacker could capture all of the mail processed by the vulnerable Exim server. This is dangerous because of the sensitive information that is often sent through these services, including IPs and passwords. Anyone listening in long enough would likely gain keys to the kingdom, if they were patient.”

The vulnerability stems from an issue with how Exim servers handle certain data during a TLS handshake.

[Figure: Total number of Exim servers according to Shodan]

A TLS (Transport Layer Security) handshake starts off a communication session that utilizes TLS encryption. During the handshake, the two communicating sides exchange messages to verify one another. The specific data in question involves SNI (Server Name Indication), an extension through which a client indicates which hostname it is attempting to connect to at the start of the handshaking process.

If an attacker creates specially crafted SNI data, Exim's SMTP (Simple Mail Transfer Protocol, the communication protocol for email transmission) delivery process is susceptible to a buffer overflow, which would allow remote code execution on the vulnerable system.

“As stated in the initial bug report by Zerons, an unauthenticated remote attacker could send a malicious SNI ending in a backslash-null sequence during the initial TLS handshake, which causes a buffer overflow in the SMTP delivery process,” according to Seguin. “This would allow an attacker to inject malicious code that Exim then arbitrarily executes as root.”

Seguin told Threatpost that it’s likely that anyone with enough skill could craft an exploit script from publicly available information: “We’ve seen similar Exim vulnerabilities that have had public exploitation roughly a week after the initial disclosure,” he said.

Seguin noted that the default Exim configuration file does not have TLS enabled – however, most enterprises are required to enable TLS for internet traffic handling purposes. And, since the vulnerability does not depend on the TLS library in use, both GnuTLS and OpenSSL (popular software implementations of the TLS protocols) are affected.

The vulnerability was first reported by Zerons on July 21 (with a subsequent analysis coming from researchers at Qualys), and the flaw, along with a patch, was disclosed on Friday.

The Exim vulnerability rouses fears after a similar vulnerability in June was exploited in a widespread campaign to gain remote command-execution on victims’ Linux systems. Researchers said that currently more than 3.5 million servers were at risk from the attacks, which used a wormable exploit.

Exim users are strongly urged to update to version 4.92.2; another option (though not recommended) is to disable TLS to mitigate against the vulnerability.

“If you can’t install the above versions, ask your package maintainer for a version containing the backported fix. On request and depending on our resources we will support you in backporting the fix. (Please note, the Exim project officially doesn’t support versions prior to the current stable version),” according to Exim’s advisory.
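For administrators triaging their own mail hosts against the 4.92.2 fix, the sketch below is an added example (not from the Exim project or Tenable). It classifies version strings taken from SMTP greetings or `exim -bV` output; the host names, banners and status labels are constructed for illustration.

```python
import re

FIXED = (4, 92, 2)  # first fixed release named in the article

# Constructed sample banners for hosts you administer (not captured data).
SAMPLE_BANNERS = {
    "mx1.example.test": "220 mx1.example.test ESMTP Exim 4.92.1 Mon, 09 Sep 2019 10:00:00 +0000",
    "mx2.example.test": "Exim version 4.92.2 #3 built 06-Sep-2019 12:00:00",
    "mx3.example.test": "220 mx3.example.test ESMTP Exim 4.89 Ubuntu Mon, 09 Sep 2019 10:00:01 +0000",
    "mx4.example.test": "220 mx4.example.test ESMTP ready",
    "mx5.example.test": "Exim version 4.92 #2 built 12-Feb-2019 09:00:00",
}

# Matches both "ESMTP Exim 4.92.1" and "Exim version 4.92.1".
_VERSION = re.compile(r"\bExim(?: version)? (\d+(?:\.\d+){1,3})")


def parse_version(banner):
    """Return the Exim version as an int tuple padded to 3 parts, or None."""
    match = _VERSION.search(banner)
    if match is None:
        return None
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # "4.92" -> (4, 92, 0)


def triage(banner):
    """Classify one banner against the fixed release."""
    version = parse_version(banner)
    if version is None:
        # Greetings can be rewritten by the administrator, so a missing
        # version is not evidence of safety; check the host directly.
        return "unknown"
    if version >= FIXED:
        return "fixed"
    # Upstream version predates the fix. A distribution package may carry
    # the backported fix under the old version number, so confirm with the
    # package maintainer's advisory before clearing the host.
    return "upgrade-or-verify-backport"


def triage_fleet(banners):
    """Map each host to its status, sorted by host name."""
    return {host: triage(banners[host]) for host in sorted(banners)}


if __name__ == "__main__":
    for host, status in triage_fleet(SAMPLE_BANNERS).items():
        print(f"{host:20} {status}")
```
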

This article was updated on Sept. 9 at 11am ET with further comments from Tenable about the vulnerability’s impact.
