The flaw affects Exim versions 4.87 to 4.91 and is caused by improper validation of recipient addresses in the deliver_message() function in /src/deliver.c, which leads to RCE on the mail server host with root privileges. "RCE means Remote Command Execution, not Remote Code Execution: an attacker can execute arbitrary commands with execv(), as root; no memory corruption or ROP (Return-Oriented Programming) is involved," says Qualys, the firm that discovered and reported the vulnerability. As the Qualys research team also states, the Exim flaw "is trivially exploitable in the local and non-default cases," so potential attackers are likely to act sooner rather than later.
## Details of the Exim RCE vulnerability
The CVE-2019-10149 vulnerability is rated critical and can be exploited instantly "by a local attacker (and a remote attacker in certain non-default configurations)." The following non-default Exim configurations are easy to exploit remotely, according to Qualys:
If the "verify = recipient" ACL was removed manually by an administrator (maybe to prevent username enumeration via RCPT TO), then our local-exploitation method also works remotely. If Exim was configured to recognize tags in the local part of the recipient's address (via "local_part_suffix = +* : -*" for example), then a remote attacker can simply reuse our local-exploitation method with an RCPT TO "balrog+${run{...}}@…alhost" (where "balrog" is the name of a local user). If Exim was configured to relay mail to a remote domain, as a secondary MX (Mail eXchange), then a remote attacker can simply reuse our local-exploitation method with an RCPT TO "${run{...}}@…zad.dum" (where "khazad.dum" is one of Exim's relay_to_domains). Indeed, the "verify = recipient" ACL can only check the domain part of a remote address (the part that follows the @ sign), not the local part.
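The three non-default configurations quoted above share one detail: the injected expansion lives in the local part of the RCPT TO address, which the stock "verify = recipient" ACL never inspects for a remote address. The following added example (my own code, not Qualys's advisory code and not part of Exim) splits a RCPT TO argument the way an MTA would, reports every `${item...}` expansion found in the local part, and classifies the recipient against a constructed site configuration: `balrog` as the only local user, `localhost` as the local domain, `khazad.dum` (the relay domain named in the quote) as a relay_to_domains entry, and `+`/`-` as local_part_suffix tags. The SMTP transcript at the bottom is constructed, and the `${run{...}}` literals are the page's own placeholder, not a working payload.

```python
"""Added example: flag RCPT TO recipients whose local part carries an Exim
string expansion such as ${run{...}}, and show how a recipient-verification
ACL that only checks the domain part would route each one.
Constructed configuration and transcript; not Qualys's or Exim's code."""
import re
from dataclasses import dataclass, field

# An Exim expansion item is introduced by "${" followed by the item name
# (run, lookup, readfile, ...).  Assumption: only braced items matter here.
EXPANSION_ITEM = re.compile(r"\$\{\s*([A-Za-z_]+)")

# Constructed site configuration mirroring the cases in the advisory quote.
LOCAL_USERS = {"balrog"}
LOCAL_PART_SUFFIXES = ("+", "-")      # like local_part_suffix = +* : -*
LOCAL_DOMAINS = {"localhost"}          # assumed local domain
RELAY_TO_DOMAINS = {"khazad.dum"}      # relay domain named on the page


def split_address(rcpt: str):
    """Return (local_part, domain) for a 'RCPT TO:<...>' line or bare address.

    Splits on the last '@' that is not nested inside braces: a braced
    expansion in the local part may itself contain '@', so a naive
    rsplit('@') could cut inside the injected text."""
    addr = rcpt.strip()
    m = re.match(r"(?i)^RCPT\s+TO:\s*<?(.*?)>?$", addr)
    if m:
        addr = m.group(1)
    depth, at = 0, -1
    for i, ch in enumerate(addr):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth = max(depth - 1, 0)
        elif ch == "@" and depth == 0:
            at = i
    if at < 0:
        return addr, ""
    return addr[:at], addr[at + 1:].lower()


def expansion_items(local_part: str):
    """Names of every ${item...} expansion found in the local part, in order."""
    return EXPANSION_ITEM.findall(local_part)


def strip_suffix(local_part: str):
    """Emulate local_part_suffix handling: 'balrog+tag' -> ('balrog', True)."""
    for sep in LOCAL_PART_SUFFIXES:
        idx = local_part.find(sep)
        if idx > 0:
            return local_part[:idx], True
    return local_part, False


@dataclass
class Finding:
    rcpt: str
    local_part: str
    domain: str
    items: list = field(default_factory=list)
    route: str = "reject"   # how a domain-only recipient check would route it


def check_rcpt(rcpt: str) -> Finding:
    local, domain = split_address(rcpt)
    f = Finding(rcpt, local, domain, expansion_items(local))
    base, tagged = strip_suffix(local)
    if domain in LOCAL_DOMAINS:
        # Local delivery: the base user must exist, the tag is not checked.
        if base in LOCAL_USERS:
            f.route = "local-tagged" if tagged else "local"
    elif domain in RELAY_TO_DOMAINS:
        # Secondary-MX relay: only the domain part is verified, per the quote.
        f.route = "relay"
    return f


def scan_session(lines):
    """Run check_rcpt over an SMTP transcript; keep recipients with expansions."""
    findings = [check_rcpt(l) for l in lines if l.upper().startswith("RCPT TO:")]
    return [f for f in findings if f.items]


SAMPLE_SESSION = [  # constructed transcript, not captured traffic
    "MAIL FROM:<>",
    "RCPT TO:<balrog@localhost>",
    "RCPT TO:<${run{...}}@localhost>",
    "RCPT TO:<balrog+${run{...}}@localhost>",
    "RCPT TO:<${run{...}}@khazad.dum>",
    "RCPT TO:<${run{...}}@example.invalid>",
    "DATA",
]

if __name__ == "__main__":
    for f in scan_session(SAMPLE_SESSION):
        print(f"{f.route:<13} items={f.items}  <- {f.rcpt}")
```

Run as a script, it lists the four recipients that carry an expansion. The bare `${run{...}}@localhost` form is routed "reject" because no such local user exists, which is exactly why the advisory reaches for a tagged local user or a relay domain; the tagged and relay forms pass the domain-level check while still carrying the expansion in the local part.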
Remotely exploiting the default configuration on vulnerable servers is more complicated and demands persistence, because the attacker "must keep the connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes)," the Qualys advisory says. "Because Exim's code is extremely complex we cannot, however, guarantee that this exploitation method is unique; faster methods may exist."
Figure: The estimated number of vulnerable mail servers per country

The CVE-2019-10149 bug was patched by Exim's developers on February 10 in version 4.92, although "the bug was not identified at that time as a security vulnerability," and so most operating systems are affected. According to a quick Shodan search, vulnerable Exim versions are currently running on roughly 4,800,000 machines, with over 588,000 servers running the patched Exim 4.92 release. Researchers have named the CVE-2019-10149 flaw "The Return of the WIZard," linking it to the 1999 WIZ and DEBUG flaws, which also enabled attackers to run root commands on servers running vulnerable versions of the Sendmail mail transfer agent.