A serious remote code execution vulnerability has been identified in Exim, a widely-used open-source email server software. This flaw potentially exposes over half a million email servers to attacks from remote threat actors. The Exim team responded by issuing a patch, updating the software to version 4.92.2, following an early alert two days prior. System administrators are urged to update their installations to mitigate this risk.
Exim serves as a mail transfer agent for Unix-like operating systems, including Linux, MacOS, and Solaris, handling email routing and delivery for nearly 60% of internet email servers. The vulnerability, tracked as CVE-2019-15846, specifically affects Exim servers configured to accept TLS connections. Attackers could potentially exploit this weakness by manipulating the Server Name Indication (SNI) during the TLS handshake to gain root-level access to the system.
SNI is a TLS protocol extension that allows multiple websites to be hosted on a single IP address, each with its own TLS certificate. Both GnuTLS and OpenSSL, the libraries that underlie many Exim installations, are at risk. Although the default configuration of Exim does not have TLS enabled, several operating systems include Exim with this feature activated by default, further exacerbating the risk.
This vulnerability was discovered by an open-source contributor known as Zerons and further analyzed by cybersecurity experts at Qualys. Just a few months prior, Exim had addressed another critical vulnerability (CVE-2019-10149) that was actively being exploited, demonstrating a pattern of ongoing security issues within the software.
While a basic proof of concept for exploiting this vulnerability has been developed, there are currently no public exploits available. Nevertheless, server administrators are highly encouraged to immediately upgrade to version 4.92.2. For those unable to perform this upgrade, a temporary solution includes restricting unpatched Exim servers from accepting TLS connections.
The Exim team has offered to assist those unable to upgrade by encouraging communication with package maintainers about backporting fixes. This incident highlights the importance of staying current with software updates and understanding potential vulnerabilities in widely-used software platforms.
In terms of the MITRE ATT&CK framework, this vulnerability may involve tactics such as initial access through exploitation of software weaknesses, as well as privilege escalation, given that an attacker could obtain root-level access through the exploit. As cyber threats continue to evolve, it is crucial for organizations to remain vigilant and proactive in securing their systems against potential vulnerabilities.