Qualys researchers went public with a remote command execution vulnerability (CVE-2019-10149) in Exim mail server versions 4.87 to 4.91, possibly affecting more than half of all email servers now in use.

The vulnerability allows a local, or in some cases a remote, attacker to call execv() as root, with no memory corruption or return-oriented programming involved. Although exploitation itself is instantaneous once the conditions are in place, a rather odd set of circumstances must first be created and sustained. All the affected versions of Exim are vulnerable by default.

“To remotely exploit this vulnerability in the default configuration, an attacker must keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes),” Qualys said, adding that, due to the complexity of Exim's code, there may be faster methods of exploitation that have not yet been discovered.

The flaw was patched in Exim version 4.92 on February 10, 2019, but Qualys was not sure why, as the problem had not previously been identified as a security flaw. Because the patch was not flagged as a security fix, many systems may not have been updated as a preventative measure.

“We received a report of a possible remote exploit. Currently there is no evidence of an active use of this exploit. A patch exists already, is being tested, and backported to all versions we released since (and including) 4.87,” Exim.org reported.

Exim noted that the level of danger a system faces depends on its configuration, with those still running the default settings in the most danger.
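Two defender-side checks that follow from the details above, written as an added example (not code from the article, Qualys or the Exim project): a version test against the affected range 4.87 through 4.91 (fixed in 4.92), and a sweep for SMTP sessions that have stayed open far longer than normal mail delivery needs, since the default-configuration attack described requires a connection held open for days. The `exim -bV` banner format and the session records are assumptions, constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Affected range reported by Qualys: Exim 4.87 up to and including 4.91; 4.92 is fixed.
AFFECTED_MIN = (4, 87)
AFFECTED_MAX = (4, 91)

# Assumed banner shape, e.g. "Exim version 4.91 #1 built 10-Apr-2018" (constructed).
VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)")


def parse_exim_version(banner: str):
    """Return (major, minor) from an 'exim -bV' style banner, or None if absent."""
    match = VERSION_RE.search(banner)
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2))


def is_affected(banner: str) -> bool:
    """True when the banner reports a version inside the CVE-2019-10149 range."""
    version = parse_exim_version(banner)
    if version is None:
        raise ValueError("no Exim version string found in banner")
    # Tuple comparison handles 4.87 <= v <= 4.91 without float rounding issues.
    return AFFECTED_MIN <= version <= AFFECTED_MAX


# Constructed sample of open SMTP sessions: (client address, time the session opened).
# A legitimate delivery finishes in seconds; one open for days is worth a look.
OPEN_SESSIONS = [
    ("192.0.2.10", datetime(2019, 6, 1, 8, 0)),
    ("192.0.2.77", datetime(2019, 5, 20, 3, 0)),
    ("198.51.100.5", datetime(2019, 6, 1, 7, 58)),
]


def long_lived_sessions(sessions, now, max_age=timedelta(hours=12)):
    """Return clients whose SMTP session has been open longer than max_age.

    The idle timeout alone does not catch a session kept alive by periodic
    single-byte traffic, so total session age is the signal checked here.
    """
    return [client for client, opened in sessions if now - opened > max_age]
```

Run `is_affected` over the banner collected from each mail host, and feed `long_lived_sessions` with connection start times taken from your own connection tracking or exim log source.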
500,000 email servers running vulnerable Exim software