Millions of Exim email servers vulnerable to cyber attacks

A critical vulnerability has been found in millions of Exim servers which once exploited can enable potential attacker to run arbitrary code with root privileges.

All versions of Exim servers up to and including 4.92.1 that accept TLS connections are vulnerable, according to Exim team.

“The vulnerability is exploitable by sending a SNI ending in a backslash-null sequence during the initial TLS handshake. The exploit exists as a POC,” wrote Exim in a recent advisory.

The Exim team on September 4 published a warning on OSS Security mailing list regarding the security bug that was affecting Exim. On Friday, the team released the version 4.92.2 to address the critical issue.

This vulnerability in the Exim server (CVE-2019-15846) was discovered in July by a security researcher called “Zerons”. It allows an unauthenticated attacker to take advantage of the TLS ServerName Indicator and use this to send malicious code on servers that accept TLS connections.

The Exim software is a mail transfer agent (MTA) that works as a general and flexible mailer with extensive facilities for checking incoming e-mail. This software is widely popular, available for Linux and Windows, and is used by millions of internet-facing hosts. It is estimated to have served 57% of publicly reachable email servers on the internet.

Exim has full control of emails in cPanel. Thus, this issue is serious as remote access by any unknown attacker would lead to get the complete control of a vulnerable Exim server.

The Exim advisory highly encourages to update to the latest Exim 4.92.2 version immediately. In case users are unable to install the new version, they can simply ask their package maintainer for the updated version containing the backported fix.