Millions Of Exim Mail Servers Exposed To Remote And Local Attacks | Cybers Guards

As the research team at Qualys also points out, the Exim flaw "is trivially exploitable in the local and non-default cases"; potential attackers would want to strike sooner rather than later. "RCE means Remote Command Execution, not Remote Code Execution: an attacker can execute arbitrary commands with execv(), as root; no memory corruption or ROP (Return-Oriented Programming) is involved," said Qualys, the firm that discovered and reported the vulnerability. The flaw affects Exim versions 4.87 to 4.91 and is caused by improper validation of recipient addresses in the deliver_message() function in /src/deliver.c, which leads to RCE on the mail server with root rights.

Details of the Exim RCE vulnerability

The CVE-2019-10149 vulnerability is rated critical and can be exploited instantly "by a local attacker (and by a remote attacker in certain non-default configurations)." The following non-default Exim configurations are remotely exploitable, according to Qualys:

If the "verify = recipient" ACL was removed manually by an administrator (perhaps to prevent username enumeration via RCPT TO), then our local-exploitation method also works remotely. Indeed, the "verify = recipient" ACL can only check the domain part of a remote address (the part that follows the @ sign), not the local part. If Exim was configured to recognize tags in the local part of the recipient's address (via "local_part_suffix = +* : -*" for example), then a remote attacker can simply reuse our local-exploitation method with an RCPT TO "balrog+${run{...}}@localhost" (where "balrog" is the name of a local user). If Exim was configured to relay mail to a remote domain, as a secondary MX (Mail eXchange), then a remote attacker can simply reuse our local-exploitation method with an RCPT TO "${run{...}}@khazad.dum" (where "khazad.dum" is one of Exim's relay_to_domains).

Remotely exploiting the default configuration on a vulnerable host and taking it over is more complicated, because the attacker "must keep the connection to the vulnerable server open for seven days (by sending one byte every few minutes)," the Qualys advisory said. "Because Exim's code is extremely complex we cannot, however, guarantee that this exploitation method is unique; faster methods may exist."

According to a quick Shodan search, vulnerable Exim versions are currently running on about 4,800,000 machines, with over 588,000 hosts running the patched Exim 4.92 release. Researchers have called the CVE-2019-10149 flaw "The Return of the WIZard", relating it to the 1999 WIZ and DEBUG flaws, which also enabled attackers to run root commands on servers running vulnerable versions of the Sendmail mail transfer agent.

[Figure: the estimated number of vulnerable mail servers per country]

The CVE-2019-10149 bug was patched by Exim's developers on February 10 in version 4.92, although "the bug was not identified at that time as a security vulnerability" and thus most operating systems are affected.
