Millions Of Exim Mail Servers Exposed To Remote And Local Attacks Cybers Guards

... as root; no memory corruption or ROP (Return-Oriented Programming) is necessary," said Qualys, the firm that discovered and reported the vulnerability. As the Qualys research team also says, the Exim flaw "is trivially exploitable in the local and non-default cases," while in the default case potential attackers have to wait rather than work. "RCE means Remote *Command* Execution, not Remote Code Execution: an attacker can execute arbitrary commands with execv()." The flaw impacts Exim versions 4.87 to 4.91 and is caused by improper validation of recipient addresses in /src/deliver.c in the deliver_message() function, which leads to RCE on the mail server with root privileges.

Details of the Exim RCE vulnerability

The CVE-2019-10149 vulnerability, rated as critical, can be instantly exploited "by a local attacker (and by a remote attacker in certain non-default configurations)." The following non-default Exim configurations are easy to exploit remotely, according to Qualys:

"If the 'verify = recipient' ACL was removed manually by an administrator (maybe to prevent username enumeration via RCPT TO), then our local-exploitation method also works remotely. Indeed, the 'verify = recipient' ACL can only check the domain part of a remote address (the part that follows the @ sign), not the local part.

If Exim was configured to recognize tags in the local part of the recipient's address (via 'local_part_suffix = +* : -*' for example), then a remote attacker can simply reuse our local-exploitation method with an RCPT TO 'balrog+${run{…}}@…alhost' (where 'balrog' is the name of a local user).

If Exim was configured to relay mail to a remote domain, as a secondary MX (Mail eXchange), then a remote attacker can simply reuse our local-exploitation method with an RCPT TO '${run{…}}@khazad.dum' (where 'khazad.dum' is one of Exim's relay_to_domains),"

Qualys said. Remotely exploiting the default configuration on vulnerable servers is more complicated and requires patience, because attackers "must keep the connection to the vulnerable server open for seven days (by transmitting one byte every few minutes)," the Qualys advisory says. "Because Exim's code is extremely complex we cannot, however, guarantee that this exploitation method is unique; faster methods may exist."

[Figure: the number of vulnerable mail servers per country]

The CVE-2019-10149 bug was patched by Exim's developers on February 10 in version 4.92, although "the bug was not identified at that time as a security vulnerability" and thus most operating systems are affected. According to a quick Shodan search, vulnerable Exim versions are currently running on roughly 4,800,000 machines, with over 588,000 servers running the patched Exim 4.92 release. Researchers have dubbed the CVE-2019-10149 flaw "The Return of the WIZard", linking it to the 1999 WIZ and DEBUG bugs, which also allowed attackers to run root commands on servers running the vulnerable versions of the Sendmail mail transfer agent.
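An added defender-side check (example code written for this page, not Qualys's or Exim's own): it flags an Exim version inside the affected 4.87 to 4.91 range, audits a configure file for the three non-default conditions the advisory lists, and scans log lines for a `${run{` string expansion inside a recipient address. The configure fragment and log lines are constructed samples, and the regexes are heuristics rather than Exim's own parser.

```python
import re

# Affected range as the article states it: Exim 4.87 through 4.91; 4.92 carries the fix.
AFFECTED_MIN, AFFECTED_MAX = (4, 87), (4, 91)

def is_affected_version(version: str) -> bool:
    """True when '4.91' or an 'exim --version' banner falls in the affected range."""
    m = re.search(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Exim version string: {version!r}")
    return AFFECTED_MIN <= (int(m.group(1)), int(m.group(2))) <= AFFECTED_MAX

def risky_settings(config_text: str) -> list:
    """Heuristic audit of a configure file for the three non-default conditions Qualys
    lists as making the bug reachable from the network; commented-out lines are ignored."""
    findings = []
    if not re.search(r"^[^#\n]*\bverify\s*=\s*recipient\b", config_text, re.M):
        findings.append("no 'verify = recipient' ACL condition found")
    if re.search(r"^[^#\n]*\blocal_part_suffix\s*=[^#\n]*\*", config_text, re.M):
        findings.append("local_part_suffix accepts wildcard tags in the local part")
    m = re.search(r"^\s*domainlist\s+relay_to_domains\s*=(.*)$", config_text, re.M)
    if m and m.group(1).strip():
        findings.append("relays mail for " + m.group(1).strip())
    return findings

def expansion_in_recipient(log_lines) -> list:
    """Return log lines containing a ${run{...}} expansion, which no legitimate
    recipient address carries; worth alerting on regardless of the Exim version."""
    pattern = re.compile(r"\$\{run\{", re.I)
    return [line for line in log_lines if pattern.search(line)]

# Constructed sample configure fragment: recipient verification removed, relay for khazad.dum.
SAMPLE_CONFIG = """\
domainlist local_domains = @ : localhost
domainlist relay_to_domains = khazad.dum
# local_part_suffix = +* : -*
acl_check_rcpt:
  require verify = sender
  accept  domains = +relay_to_domains
"""

# Constructed sample mainlog lines (hosts and addresses are made up).
SAMPLE_LOG = [
    "2019-06-05 10:00:01 H=(client) [203.0.113.5] F=<a@example.test> rejected RCPT <bob@example.test>: relay not permitted",
    "2019-06-05 10:00:07 1hYx0Z-0001aB-Cd <= a@example.test H=(client) [198.51.100.9] for balrog+${run{...}}@localhost",
]

if __name__ == "__main__":
    print(is_affected_version("4.91"), risky_settings(SAMPLE_CONFIG), expansion_in_recipient(SAMPLE_LOG))
```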
