Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Time is (partially) on our side: the new Exim vulnerability SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Time is (partially) on our side: the new Exim vulnerability

Yesterday details about a new locally and remotely exploitable vulnerability in Exim (CVE-2019-10149) was published by Qualys.

The vulnerability is critical: it allows a local user to easily run commands as root due to an issue in the deliver message code – a local user apparently can just send an e-mail to the address ${run{…}@localhost (where localhost is one of Exim’s local domains) and get the command executed as root.

According to Qualys, it is possible to exploit the vulnerability remotely as well – but there is a caveat (which I really like): “To remotely exploit this vulnerability in the default configuration, an attacker must keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes).”

While the details about exploitation have been removed from the initial advisory, the full advisory should be published soon.
In other words – if you run Exim: PATCH. While it would appear that you have 7 days for remote attackers, the vulnerability actually existed since Exim version 4.87 which was released back in April, 2016. Additionally, a patch that fixes the vulnerability was released in February 2019, but it wasn’t marked as a security issue, so it wasn’t included in most OS updates.

If we see any exploitation attempts, we’ll update the diary – so far it looks quiet, so use that time to patch your systems!


I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS Amsterdam November 2021


400 Posts
ISC Handler
Jun 6th 2019

Sign Up for Free or Log In to start participating in the conversation!