2019-061
06/10/2019
A vulnerability has been discovered in Exim, which could allow for local attackers to execute arbitrary system commands when sending mail to a particular recipient. Remote attackers can take advantage of this vulnerability as well through similar means. Exim is a mail transfer agent used to deploy mail servers on Unix-like systems. Successful exploitation of this vulnerability will enable the attacker to perform command execution as root in the context of the mail server. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
There is currently a working exploit of this vulnerability on Exploit DB. Open source resources reveal that currently there are more than 4.7 million devices running a vulnerable version of Exim. This vulnerability does not affect the latest version Exim 4.92.
A vulnerability has been discovered in Exim, which could allow for local attackers to execute arbitrary system commands when sending mail to a particular recipient.
This vulnerability exists due to the way that Exim handles the parsing of the mail recipient when mail is sent from a local user to a local domain. When a local malicious user sends an email to the following recipient: ${run{ }}@localhost, the supplied command and arguments are passed into the execv function behind-the-scenes. Remote attackers can conduct a similar exploitation technique under certain non-default configurations. For other configurations, an attacker will have to open a connection to the server for 7 days and transmit one byte every few minutes.
Successful exploitation of this vulnerability will enable the attacker to perform command execution as root in the context of the mail server. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
We recommend the following actions be taken:
