New Exim vulnerability opens up millions of email servers to root-granting exploitation

• Millions of Exim servers have been discovered to be vulnerable to a new remote code execution vulnerability.
• Servers running on the 4.92.1 version of Exim and before may be affected by this vulnerability.

The big picture

Exim, an open-source mail transfer agent (MTA), is used for Unix-like operating systems.

• It is a popular MTA with a lot of organizations’ servers running on Exim to receive and deliver emails.
• A security vulnerability, tracked as CVE-2019-15846 has been discovered that allows hackers to gain root-level access to the systems. This has left millions of email servers running on Exim vulnerable to attacks.

Details of the vulnerability

When the Exim server is configured to accept TLS connections, hackers can send a backslash-null sequence attached to the end of an SNI package during the initial TLS handshake. This can enable hackers to run malicious codes and obtain root-level access to the system.

The vulnerability can only be exploited in Exim servers up to versions 4.92.1 that accept TLS connections. Exim servers don’t have TLS enabled by default, but some operating systems ship Exim servers with TLS enabled as the default setting.

Although no active attacks have been reported yet, a surge for Exim server scans has been observed.

What did the Exim team do?

The team behind Exim learned about the vulnerability in July from a security researcher who goes by the pseudonym Zerons.

• The issue was patched in secrecy, owing to the ease of exploitation and its effect on a massive number of servers.
• An early warning was issued last week, and version 4.92.2, with the security patch, was released recently.

The takeaway

As always, it is recommended that you are updated on the latest security flaws and fixes available. If your organization uses Exim:

• Ensure that your email servers are running on the latest Exim version (4.92.2).
• If updating to the latest version is not possible, configure the Exim server to not accept any TLS connections.