Exim -- RCE in ${sort} expansion

ID 3E0DA406-AECE-11E9-8D41-97657151F8C2
Type freebsd
Reporter FreeBSD
Modified 2019-07-26T00:00:00


Exim team report:

    A local or remote attacker can execute programs with root privileges - if you've an unusual configuration.

    If your configuration uses the ${sort } expansion for items that can be controlled by an attacker (e.g. $local_part, $domain). The default config, as shipped by the Exim developers, does not contain ${sort }.

    The vulnerability is exploitable either remotely or locally and could

be used to execute other programs with root privilege. The ${sort } expansion re-evaluates its items.

    Exim 4.92.1 is not vulnerable.