Researchers at Qualys discovered a critical remote command execution vulnerability in Exim. Security experts are also warning of new attacks on Exim servers.
Exim is a popular mail transfer agent (MTA) used on mostly Unix-like operating systems.
Qualys said a local attacker can exploit the vulnerability CVE-2019-10149 and execute arbitrary commands with execv(), as root. In addition, attackers could exploit the flaw remotely in certain “non-default configurations.”
“An attacker must keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes),” Qualys also noted in the security advisory last Wednesday.
Researchers from Tenable also warned that nearly 4.1 million servers are vulnerable to local or remote exploits. In other words, a very large number – 90% of total Exim installations.
Exim versions 4.87 to 4.91 are impacted. So, administrators should update systems to Exim version 4.92 as soon as possible.
Red Hat also issued an advisory confirming the Exim bug does not impact Red Hat Enterprise Linux (RHEL) 5. The company said RHEL 5 ships with Exim 4.63.
Over a year ago, nearly 400,000 Exim servers were also at risk to a remote code execution vulnerability CVE-2018-6789.
Update (6/14/2019):
As of Thursday, Security researchers warn of new attacks on nearly 3.5 million Exim servers.
“The attack scours the Internet for a vulnerability discovered last week, CVE-2019-10149 using already infected servers to spread to as many as possible,” Cybereason said in recent blog post.
“If you are running an updated version of the Exim mail server or you think that your server is compromised, please look for the following entry in our SSH configurations in /root/.ssh and in every .ssh directory on your system,” Cybereason added.
Exim runs on nearly 57% of the world’s emails servers. So impact of recent attacks could be quite large.