www.belgium.be Logo of the federal government

Remote root code execution vulnerability in Exim MTA

Reference: 
Advisory #2019-023
Version: 
1.0
Affected software: 
Exim (all versions up to and including 4.92.2)
Type: 
remote root code execution
CVE/CVSS: 

CVE-2019-16928

Date: 
02/10/2019

Sources

https://www.bleepingcomputer.com/news/security/new-exim-vulnerability-exposes-servers-to-dos-attacks-rce-risks/

https://www.exim.org/static/doc/security/CVE-2019-16928.txt

Risks

Exploitation of this vulnerability leads to the compromise of system/data integrity, confidentiality, and/or availability. CERT.be has sightings of widespread exploitation of the Exim vulnerability reported in early September. CERT.be assesses with medium confidence this vulnerability could be exploited in future campaigns.

Description

The popular open-source MTA (mail transfer agent) Exim has a critical vulnerability which allows an attacker to exploit a heap-based buffer overflow (in string_vformat), potentially leading to arbitrary code execution. Normally Exim will have dropped its root privileges by the point this vulnerability is exploitable, but when combined with local privilege escalation exploits (or other as-yet known code paths within Exim to trigger the buffer overflow), arbitrary code execution with root privileges would be feasible.

Recommended Actions

CERT.be advises system administrators  to update Exim immediately according to the supplier's instructions.