Critical Exim TLS Flaw Lets Attackers Remotely Execute Commands as Root


The Exim mail transfer agent (MTA) software is impacted by a critical severity vulnerability present in versions 4.80 up to and including 4.92.1. 


The bug allows local or unauthenticated remote attackers to execute programs with root privileges on servers that accept TLS connections.


The flaw tracked as CVE-2019-15846 — initially reported by 'Zerons' on July 21 and analyzed by Qualys' research team — is "exploitable by sending an SNI ending in a backslash-null sequence during the initial TLS handshake" which leads to RCE with root privileges on the mail server.


The SMTP delivery process in the affected Exim versions contains a buffer overflow. "In the default runtime configuration, this is exploitable with crafted ServerName Indication (SNI) data during a TLS negotiation," says Exim's advisory. "In other configurations, it is exploitable with a crafted client TLS certificate."


SNI is a TLS protocol component designed to enable servers to present different TLS certificates for validating and securing the connection to websites behind the same IP address.
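A triage check for the two conditions stated above (a version from 4.80 through 4.92.1, and a server that accepts TLS), as an added example that is not part of the original article or of Exim. It reads an SMTP greeting and EHLO reply captured from servers you operate; the function names, verdict labels and sample transcripts are constructed for illustration.

```python
import re

# Affected range as stated in the article: 4.80 up to and including 4.92.1.
FIRST_AFFECTED = (4, 80, 0)
LAST_AFFECTED = (4, 92, 1)

# Exim's default greeting looks like "220 <host> ESMTP Exim <version> <date>".
_BANNER = re.compile(r"^220[ -].*\bExim (\d+)\.(\d+)(?:\.(\d+))?", re.M)
_STARTTLS = re.compile(r"^250[ -]STARTTLS\s*$", re.M | re.I)


def exim_version(transcript):
    """Return (major, minor, patch) parsed from the 220 greeting, or None."""
    m = _BANNER.search(transcript)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def assess(transcript):
    """Classify one captured greeting + EHLO reply (hypothetical verdict labels)."""
    version = exim_version(transcript)
    if version is None:
        return "unknown"  # banner customised or not Exim: check the installed package
    if not (FIRST_AFFECTED <= version <= LAST_AFFECTED):
        return "outside-range"
    # Distro packages may backport fixes without changing this version string,
    # so an in-range result means "verify the package", not "confirmed vulnerable".
    if _STARTTLS.search(transcript):
        return "affected-tls"
    # An implicit-TLS listener never advertises STARTTLS, so check it separately.
    return "affected-version-no-starttls"


# Constructed sample transcripts, not real hosts.
_DATE = "Fri, 06 Sep 2019 10:00:00 +0000\r\n"
SAMPLES = {
    "mx1": "220 mx1.example.test ESMTP Exim 4.92.1 " + _DATE
           + "250-mx1.example.test Hello\r\n250-STARTTLS\r\n250 HELP\r\n",
    "mx2": "220 mx2.example.test ESMTP Exim 4.92.2 " + _DATE
           + "250-mx2.example.test Hello\r\n250-STARTTLS\r\n250 HELP\r\n",
    "mx3": "220 mx3.example.test ESMTP Exim 4.80 " + _DATE
           + "250-mx3.example.test Hello\r\n250 HELP\r\n",
    "mx4": "220 mx4.example.test ESMTP Postfix\r\n250-STARTTLS\r\n250 HELP\r\n",
}


def triage(samples=SAMPLES):
    return {host: assess(text) for host, text in samples.items()}
```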


TLS handshake trouble


"If your Exim server accepts TLS connections, it is vulnerable. This does not depend on the TLS library, so both, GnuTLS and OpenSSL are affected," says Exim's development team.


While the default configuration file supplied by Exim's team does not have TLS enabled by default, BleepingComputer has learned that some Linux distros distribute Exim with it enabled.


Exim developer Heiko Schlittermann confirmed this, saying that it "depends on the configuration. Most distros enable it by default, but Exim needs a certificate+key to work as a TLS server. Probably Distros create a Cert d ..
