Exim marks the spot… of remote code execution: Patch due out today for ‘give me root’ flaw in mail server

The widely used Exim email server software is due to be patched today to close a critical security flaw that can be exploited to potentially gain root-level access to the machine.

The programming blunder can be abused over the network, or over the internet if the server is public-facing, or by logged-in users, to completely commandeer vulnerable installations, steal or tamper with data, install spyware, and so on.

The vulnerability, designated CVE-2019-15846, has been kept under tight wraps. Details of the bug, along with updates to install to address the security weakness, are due to go live today at 1000 UTC. To be safe from the remote-code execution flaw, ensure you are running version 4.92.2 or later, either built from source or obtained from your operating system’s package manager.

For those unfamiliar with the software, Exim is an open-source message transfer agent (MTA) used in a great many Unix and Linux systems to send and receive emails.

Heiko Schlittermann, one of the developers responsible for looking after Exim, said the critical vulnerability was reported to him and other Exim maintainers on September 3. The next day, a notice was sent out through mailing lists that an update would be released, as part of a coordinated disclosure, on September 6, giving maintainers and Linux distributions enough time to develop, test, and queue up the patch.

Schlittermann said that while there is no sign of any exploit code yet, some bare-bones proof-of-concept code targeting the hole does exist, so admins and users are well advised to test and install today’s update on all relevant machines that they manage.

“Heads up! Security release ahead!” Schlittermann wrote in one security mailing list post. “A local or remote attacker can execute programs with root privileges. Currently there is no known exploit, but a rudimentary [proof of concept] exists.”

The patch is the first major update for Exim since July when the 4.92.1 build was released. That update also addressed a remote-code-execution flaw in the software, though its exploitability depended upon an installation’s configuration.

A month prior to that, the Exim team and infosec biz Qualys sounded the alarm over a flaw in the software reported in February that turned out to be more serious than first thought. ®
