Exim TLS Flaw Enables Attackers to Execute Commands Remotely


The Exim mail transfer agent is affected by a vulnerability present in versions 4.80 up to and including 4.92.1. The bug lets unauthenticated remote or local attackers execute programs with root privileges on servers that accept TLS connections.

The flaw, tracked as CVE-2019-15846, was initially reported by 'Zerons' on 21 July and analyzed by the Qualys research team. It is exploitable by sending an SNI ending in a backslash-null sequence during the initial TLS handshake, which leads to RCE with root privileges on the mail server.

The buffer overflow sits in the SMTP delivery process of the affected Exim versions. Exim's advisory says that in the default runtime configuration it is exploitable with Server Name Indication (SNI) data during TLS negotiation; in other configurations it is exploitable with a crafted client TLS certificate.

SNI is a TLS protocol extension that lets a server present different TLS certificates, so that connections to multiple websites hosted behind the same IP address can be secured and validated.
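To show how a defender could spot the malformed SNI the article describes in captured traffic, here is an added Python example (not code from the article or the Exim project) that parses a raw TLS ClientHello record, extracts the SNI host_name values and flags any that contain the backslash-null sequence or other bytes that cannot appear in a hostname; the build_client_hello helper only constructs a sample record for testing.

```python
import struct

SNI_EXTENSION = 0   # TLS extension type for server_name (RFC 6066)
HOSTNAME_TYPE = 0   # NameType host_name

def extract_sni(client_hello: bytes) -> list:
    """Return every host_name in the SNI extension of a raw TLS ClientHello record."""
    # record header: type(1) version(2) length(2); handshake header: type(1) length(3)
    if len(client_hello) < 9 or client_hello[0] != 0x16 or client_hello[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9 + 2 + 32                                            # skip client_version and random
    p += 1 + client_hello[p]                                  # session_id
    p += 2 + struct.unpack_from("!H", client_hello, p)[0]     # cipher_suites
    p += 1 + client_hello[p]                                  # compression_methods
    if p + 2 > len(client_hello):
        return []                                             # no extensions block at all
    ext_end = p + 2 + struct.unpack_from("!H", client_hello, p)[0]
    p += 2
    names = []
    while p + 4 <= ext_end:
        ext_type, ext_len = struct.unpack_from("!HH", client_hello, p)
        p += 4
        if ext_type == SNI_EXTENSION:
            q = p + 2                                         # skip server_name_list length
            while q + 3 <= p + ext_len:
                name_type = client_hello[q]
                name_len = struct.unpack_from("!H", client_hello, q + 1)[0]
                q += 3
                if name_type == HOSTNAME_TYPE:
                    names.append(client_hello[q:q + name_len])
                q += name_len
        p += ext_len
    return names

def suspicious_sni(client_hello: bytes) -> list:
    """SNI values carrying the backslash-null sequence, or any byte that cannot occur in a hostname."""
    return [name for name in extract_sni(client_hello)
            if b"\\\x00" in name or any(c < 0x21 or c > 0x7E for c in name)]

def build_client_hello(sni: bytes) -> bytes:
    """Constructed test input: a minimal TLS 1.2 ClientHello with one SNI host_name (not real traffic)."""
    sni_ext = struct.pack("!HBH", len(sni) + 3, HOSTNAME_TYPE, len(sni)) + sni
    ext = struct.pack("!HH", SNI_EXTENSION, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Run suspicious_sni over the ClientHello bytes of each inbound SMTP TLS session (for example from a capture taken in front of the mail server); a non-empty result is worth an alert on an unpatched host.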

TLS Trouble

According to the Exim development team, an Exim server is vulnerable if it accepts TLS connections, independent of the TLS library used: both OpenSSL and GnuTLS builds are affected.

The default configuration file supplied by the Exim team does not have TLS enabled by default.

Linux distributions, however, ship Exim with TLS enabled. Exim developer Heiko Schlittermann confirmed this, saying that it depends entirely on the configuration and that most distributions simply enable it by default. Exim requires a key and certificate to act as a TLS server, and distributions generate a certificate during setup.