Millions of machines affected by a command execution flaw in the Exim mail server

Millions of Internet-connected machines running the open source Exim mail server may be vulnerable to a newly discovered flaw that, in some cases, allows unauthenticated attackers to execute commands with all-powerful root privileges.

The flaw, which dates back to version 4.87 released in April 2016, is trivially exploitable by local users with a low-privilege account on a vulnerable system running with the default settings. The attacker need only send an email to "${run{...}}@localhost", where "localhost" is an existing local domain on a vulnerable Exim installation. With this, attackers can run commands of their choice with root privileges.

The command execution flaw is also exploitable remotely, although with some restrictions. The most likely scenario for remote exploitation arises when the default settings have been changed, such as:

  • The "verify = recipient" ACL has been manually removed by an administrator, possibly to prevent username enumeration via RCPT TO. In such a case, the local exploitation method described above works.
  • Exim is configured to recognize tags in the local part of a recipient's address (for example via "local_part_suffix=+*:-*"). Attackers can reuse the local exploitation method with an RCPT TO of "balrog+${run{...}}@localhost" (where "balrog" is the name of a local user).
  • Exim is configured to relay mail to a remote domain as a secondary MX. A remote attacker can reuse the local exploitation method with an RCPT TO of "${run{...}}@khazad.dum", where "khazad.dum" is one of Exim's relay_to_domains.

The vulnerability is also remotely exploitable against default Exim configurations, although an attacker must first keep a connection to the vulnerable server open for seven days by transmitting one byte every few minutes. Researchers at Qualys, the security firm that discovered the vulnerability, do not rule out other, simpler and more practical ways to remotely exploit default configurations.

"This vulnerability is trivially exploitable in local and non-default cases (attackers will have exploited it before long, whether public or not)," wrote Qualys researchers in an advisory released Wednesday. "And in the default case, a remote attack takes a long time to succeed (to our knowledge)."

The vulnerability, tracked as CVE-2019-10149, affects versions 4.87 through 4.91. It was fixed in version 4.92, published in February, but that change was not identified as a security fix at the time. As a result, many Linux distributions continued to ship vulnerable versions of Exim.
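Two checks a defender can run from what the article states: whether an installed Exim version falls in the affected 4.87 to 4.91 range, and whether mail-log addresses carry the "${run{...}}" expansion item used in the local, tagged and relay exploitation forms described above. This is an added example, not code from the article or the Exim project; the main-log line layout and the sample lines are constructed assumptions.

```python
import re

# Exim releases the article reports as affected by CVE-2019-10149: 4.87 through 4.91.
VULN_MIN, VULN_MAX = (4, 87), (4, 91)

def is_vulnerable_version(version):
    """True if an Exim version string such as '4.89' or '4.91_2' (distro suffix
    ignored) lies in the affected range; the 4.92 fix release is outside it."""
    m = re.match(r"(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError("unrecognised Exim version string: %r" % version)
    return VULN_MIN <= (int(m.group(1)), int(m.group(2))) <= VULN_MAX

# A ${run{...}} string-expansion item inside an address local part: the marker of
# the attack the article describes, in its plain form ("${run{...}}@localhost"),
# its tagged form ("balrog+${run{...}}@localhost") and its relay form ("${run{...}}@khazad.dum").
RUN_EXPANSION_RE = re.compile(r"\$\{\s*run\s*\{")

def is_suspicious_address(address):
    """True if the local part of an e-mail address carries a ${run{...}} item."""
    local_part = address.rsplit("@", 1)[0]
    return RUN_EXPANSION_RE.search(local_part) is not None

# Addresses in Exim main-log lines appear inside angle brackets, e.g.
# "F=<sender> rejected RCPT <recipient>: ..." (assumption about the log format).
ANGLE_ADDR_RE = re.compile(r"<([^>]+)>")

def scan_log(lines):
    """Return [(line_number, address), ...] for every bracketed address in the
    given log lines that carries a ${run{...}} expansion item."""
    hits = []
    for number, line in enumerate(lines, 1):
        for addr in ANGLE_ADDR_RE.findall(line):
            if is_suspicious_address(addr):
                hits.append((number, addr))
    return hits

# Constructed sample log lines (not real traffic); the command inside ${run{...}}
# is left as the literal "..." placeholder the article uses.
SAMPLE_LOG = [
    "2019-06-06 10:14:02 H=(mx.example.test) [203.0.113.7] F=<alice@example.test> rejected RCPT <bob@localhost>: Unrouteable address",
    "2019-06-06 10:14:09 H=(mx.example.test) [203.0.113.7] F=<alice@example.test> rejected RCPT <${run{...}}@localhost>: Unrouteable address",
    "2019-06-06 10:14:15 H=(mx.example.test) [203.0.113.7] F=<alice@example.test> rejected RCPT <balrog+${run{...}}@localhost>: Unrouteable address",
    "2019-06-06 10:14:21 H=(mx.example.test) [203.0.113.7] F=<alice@example.test> rejected RCPT <${run{...}}@khazad.dum>: Unrouteable address",
]

if __name__ == "__main__":
    for number, addr in scan_log(SAMPLE_LOG):
        print("line %d: suspicious address %s" % (number, addr))
```

Successful deliveries use other log formats, so a production scan should also cover accepted-message lines, not only the rejection lines sampled here.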

A search on BinaryEdge (a service that indexes devices connected to the Internet) showed that more than 4.7 million machines are running a vulnerable version of Exim. It is a safe bet that a sizeable percentage of these machines is susceptible to attack. Updates to version 4.92 are available.
