CVSS3: 9.8 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.197 Low (Percentile: 96.2%)
Exim versions up to and including 4.92.1 do not properly handle trailing backslash characters in the string_interpret_escape() function. This function is used to handle peer distinguished names (DN) and Server Name Indication (SNI) during a TLS negotiation. This vulnerability could allow a local or remote unauthenticated attacker to execute arbitrary code with root privileges.
Exim is a message transfer agent (MTA) that can be used on Unix-like operating systems. All versions up to and including 4.92.1 of Exim do not properly handle trailing backslash characters in the string_interpret_escape() function, which is used to process peer DN and SNI during a TLS negotiation. In cases where the string being processed ends with a '\' character, the vulnerable string_interpret_escape() function will interpret the string-terminating null byte as a value to be escaped, thus incrementing the string pointer to the byte after the string to be processed. If the attacker-provided data is crafted in a certain way, this out-of-bounds pointer can be leveraged to cause a heap overflow.
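The pointer walk described above, shown as an added example that is a simplified model and not Exim's source: the function names, the `hardened` flag and the constructed `SAMPLE` buffer are assumptions made for illustration. The unhardened path consumes the terminating NUL as the escaped byte, so the caller's loop continues into the bytes that follow the string; the hardened path treats a trailing backslash as a literal and stops at the NUL.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the logical string is "host\" (5 bytes); the bytes
   after its NUL stand in for whatever follows it in memory. */
static const char SAMPLE[] = "host\\\0ADJACENT";

/* On entry *pp points at a backslash; on return it points at the last byte
   consumed, and the caller then advances by one. */
static int interpret_escape(const char **pp, int hardened)
{
    const char *p = *pp;
    int ch = (unsigned char)*(++p);      /* byte after the backslash */
    if (ch == '\0' && hardened)
        return **pp;                     /* trailing '\': literal, no advance */
    if (ch == 'n') ch = '\n';
    else if (ch == 't') ch = '\t';
    *pp = p;                             /* unhardened: now sits on the NUL */
    return ch;
}

/* Caller loop: unescape src into dst and return the bytes written.
   srclen is the true array size, used only to keep this demo in bounds. */
static size_t unescape(const char *src, size_t srclen,
                       char *dst, size_t dstlen, int hardened)
{
    const char *p = src;
    size_t n = 0;
    while ((size_t)(p - src) < srclen && *p != '\0' && n + 1 < dstlen) {
        int ch = (unsigned char)*p;
        if (ch == '\\')
            ch = interpret_escape(&p, hardened);
        dst[n++] = (char)ch;
        p++;                             /* unhardened: steps past the NUL */
    }
    dst[n] = '\0';
    return n;
}

int main(void)
{
    char out[32];
    printf("strlen(input)    = %zu\n", strlen(SAMPLE));
    printf("unhardened wrote = %zu\n", unescape(SAMPLE, sizeof SAMPLE, out, sizeof out, 0));
    printf("hardened wrote   = %zu\n", unescape(SAMPLE, sizeof SAMPLE, out, sizeof out, 1));
    return 0;
}
```

A destination sized from the logical string length would be too small for the unhardened result, which is how the out-of-bounds pointer turns into an overflow.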
Exim installations configured to allow TLS connections, which can happen either via the SMTP STARTTLS command or via TLS-on-connect, can process attacker-provided data in the TLS SNI information. Exim installations that are configured to process client-provided certificates may also be exploitable via a crafted TLS peer DN.
By causing a vulnerable Exim server to process an SMTP email message, a local or remote unauthenticated attacker may be able to execute arbitrary code with root privileges.
Apply an update
This vulnerability is addressed in Exim 4.92.2. For further information see the Exim advisory for CVE-2019-15846.
Use ACLs to block attack attempts
The Exim advisory provides ACLs to deny email messages with trailing backslashes in TLS SNI or peer DN fields:
# to be prepended to your mail acl (the ACL referenced
# by the acl_smtp_mail main config option)
deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}}
672565
Notified: September 06, 2019 Updated: September 06, 2019
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 06, 2019 Updated: September 06, 2019
Statement Date: September 06, 2019
Affected
Ubuntu has released updates for Exim that address CVE-2019-15846 in https://usn.ubuntu.com/4124-1/
We are not aware of further vendor information regarding this vulnerability.
Notified: September 06, 2019 Updated: September 06, 2019
Statement Date: September 06, 2019
Not Affected
Arista products do not use the exim mail server
We are not aware of further vendor information regarding this vulnerability.
Notified: September 06, 2019 Updated: September 06, 2019
Statement Date: September 06, 2019
Not Affected
CoreOS Container Linux is not vulnerable.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 06, 2019 Updated: September 09, 2019
Statement Date: September 09, 2019
Not Affected
Even though the version of Exim as shipped with Red Hat Enterprise Linux 5 (only affected RedHat product includes the affected function), it does not expose the buffer overflow problem and is not affected by the remote code execution flaw.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 06, 2019 Updated: September 10, 2019
Statement Date: September 10, 2019
Not Affected
Synology does not employ Exim for our products, including MailPlus [1] and Mail Station [2].
Notified: September 06, 2019 Updated: September 06, 2019
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Temporal | 7.8 | E:POC/RL:OF/RC:C |
Environmental | 5.9 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
Thanks to Zerons for the initial report to Exim and to Qualys for providing additional analysis.
This document was written by Will Dormann, Laurie Tyzenhaus and Madison Oliver.
CVE IDs: | CVE-2019-15846 |
---|---|
Date Public: | 2019-09-06 |
Date First Published: | |
ftp.exim.org/pub/exim/exim4/
git.exim.org/exim.git/commit/2600301ba6dbac5c9d640c87007a07ee6dcea1f4
github.com/Exim/exim.git
github.com/Exim/exim/tree/exim-4.92.2%2Bfixes/doc/doc-txt/cve-2019-15846
usn.ubuntu.com/4124-1/
www.bleepingcomputer.com/news/security/critical-exim-tls-flaw-lets-attackers-remotely-execute-commands-as-root/
www.bleepingcomputer.com/news/security/millions-of-exim-mail-servers-are-currently-being-attacked/
www.exim.org/static/doc/security/CVE-2019-15846.txt