Published on August 19th, 2019

Millions of Exim Mail Servers Exposed to Local, Remote Attacks

A critical severity vulnerability present in multiple versions of the Exim mail transfer agent (MTA) software makes it possible for unauthenticated remote attackers to execute arbitrary commands on mail servers for some non-default server configurations.

The flaw affects Exim versions 4.87 to 4.91. It is caused by improper validation of recipient addresses in the deliver_message() function in /src/deliver.c, and it leads to RCE with root privileges on the mail server.

"In this particular case, RCE means Remote *Command* Execution, not Remote Code Execution: an attacker can execute arbitrary commands with execv(), as root; no memory corruption or ROP (Return-Oriented Programming) is involved," says Qualys, the security outfit which discovered and reported the vulnerability.

As Qualys' research team also noted, the Exim flaw is "trivially exploitable in the local and non-default cases," so potential attackers are likely to have working exploits sooner rather than later.

Exim RCE vulnerability details

The vulnerability tracked as CVE-2019-10149 and rated as critical can be exploited instantly "by a local attacker (and by a remote attacker in certain non-default configurations)."

The following non-default Exim configurations are easy to exploit remotely according to Qualys:

• If the "verify = recipient" ACL was removed manually by an administrator (maybe to prevent username enumeration via RCPT TO), then our local-exploitation method also works remotely.
• If Exim was configured to recognize tags in the local part of the recipient's address (via "local_part_suffix = +* : -*" for example), then a remote attacker can simply reuse our local-exploitation method with an RCPT TO "balrog+${run{...}}@...alhost" (where "balrog" is the name of a local user).
• If Exim was configured to relay mail to a remote domain, as a secondary MX (Mail eXchange), then a remote attacker can simply reuse our local-exploitation method with an RCPT TO "${run{...}}@...zad.dum" (where "khazad.dum" is one of Exim's relay_to_domains). Indeed, the "verify = recipient" ACL can only check the domain part of a remote address (the part that follows the @ sign), not the local part.

Exploiting the flaw remotely on vulnerable servers with a default configuration is more complicated and requires some dedication, since attackers "must keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes)," says Qualys' advisory.

"However, because of the extreme complexity of Exim's code, we cannot guarantee that this exploitation method is unique; faster methods may exist."

[Figure: Vulnerable mail servers. Approximate number of vulnerable mail servers per country]

The CVE-2019-10149 bug was patched by Exim's developers in version 4.92 on February 10, although it "was not identified as a security vulnerability" at the time "and most operating systems are therefore affected."

According to a quick Shodan search, vulnerable versions of Exim are currently running on roughly 4,800,000 machines, while more than 588,000 servers are already running the patched Exim 4.92 release.

The researchers named the CVE-2019-10149 flaw "The Return of the WIZard," thus connecting it to the WIZ and DEBUG vulnerabilities from 1999 which also allow attackers to execute commands as root on servers running a vulnerable Sendmail mail transfer agent version.
