
The Return of the WIZard: Critical Remote Command Execution Vulnerability Impacts Old Exim Installations

Security researchers from Qualys discovered and reported a critical remote command execution (RCE) security flaw that directly affects Exim, a mail transfer agent (MTA) that relays emails from senders to recipients.

This vulnerability lets a local or remote attacker run commands on the Exim server as root if the installed Exim version is older than 4.92. According to the Mail (MX) Server Survey, only 4.34% of Exim servers are up to date; servers still running versions 4.87 through 4.91 remain susceptible to exploitation.

Local users can exploit the vulnerability, even if they have low-privilege accounts.

If the attacker sends an email to “${run{…}}@localhost,” where “localhost” is an existing local domain on a vulnerable Exim installation, they can run commands with root privileges.

Remote attackers can also scan the Internet and take over vulnerable systems.
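The two facts a mail administrator needs from the paragraphs above are whether the running Exim falls in the affected 4.87–4.91 range and whether anyone has already tried to deliver to a recipient address containing the “${run{…}}” string-expansion construct. The following Python script is an added example, not code from the original article, from Qualys or from the Exim project; it assumes that the version text comes from `exim -bV` (whose first line starts with “Exim version X.Y”) and it scans constructed, illustrative log lines in the style of Exim’s mainlog for any address containing the expansion opener “${”, which a legitimate local part never needs.

```python
"""Defensive triage for CVE-2019-10149 (added example; assumptions noted inline).

1. is_affected()  - tells whether an Exim version string is in the 4.87-4.91 range.
2. scan_log()     - flags addresses in mainlog-style lines that contain "${",
                    the opener of Exim's string-expansion syntax.
"""
import re
from typing import Iterable, List, Tuple

# Range the article gives as susceptible; 4.92 is the first fixed release.
AFFECTED_MIN = (4, 87)
AFFECTED_MAX = (4, 91)

# First dotted number in the text is taken as the Exim version (assumption:
# input is the first line of `exim -bV`, e.g. "Exim version 4.91 #1 built ...").
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\b")

# Any whitespace-free token containing "@"; angle brackets are excluded so that
# "<addr>" and bare "addr" both yield just the address.
_ADDR_TOKEN_RE = re.compile(r"[^\s<>]+@[^\s<>]+")

# Exim string-expansion opener. ${run{...}} is the item the article names, but
# every expansion item starts with "${", so the broader pattern is safer to flag.
_EXPANSION_RE = re.compile(r"\$\{")


def parse_exim_version(text: str) -> Tuple[int, int]:
    """Return (major, minor) from a version string such as 'Exim version 4.91 #1'."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return int(match.group(1)), int(match.group(2))


def is_affected(version: Tuple[int, int]) -> bool:
    """True when the version lies in the 4.87..4.91 range the article describes."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def suspicious_addresses(line: str) -> List[str]:
    """Return every address in a log line (or SMTP envelope) that contains '${'."""
    return [addr for addr in _ADDR_TOKEN_RE.findall(line)
            if _EXPANSION_RE.search(addr)]


def scan_log(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, address) pairs for every suspicious address found."""
    hits: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, start=1):
        for addr in suspicious_addresses(line):
            hits.append((number, addr))
    return hits


# Constructed sample input in the style of Exim's mainlog (not real traffic).
SAMPLE_VERSION = "Exim version 4.91 #1 built 17-Jul-2018 12:00:00"
SAMPLE_LOG = [
    "2019-06-05 10:01:02 1hYabc-0001A2-Xy <= alice@example.org H=mail.example.org "
    "[192.0.2.5] P=esmtp S=1024 for bob@localhost",
    "2019-06-05 10:02:10 H=(unknown) [198.51.100.7] F=<x@example.net> "
    "rejected RCPT <${run{...}}@localhost>: unknown user",
    "2019-06-05 10:03:33 1hYdef-0002B3-Zz => bob <bob@localhost> R=localuser T=local_delivery",
]


if __name__ == "__main__":
    version = parse_exim_version(SAMPLE_VERSION)
    state = "AFFECTED" if is_affected(version) else "not in the affected range"
    print(f"Exim {version[0]}.{version[1]}: {state}")
    for number, addr in scan_log(SAMPLE_LOG):
        print(f"line {number}: suspicious recipient address {addr!r}")
```

On a real host, feed the first line of `exim -bV` to `parse_exim_version` and pipe the mainlog through `scan_log`; a hit on a rejected RCPT line, as in the constructed sample, shows an attempt that the server declined, while a hit on an accepted-message line deserves immediate attention.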

Instant exploitation is possible if Exim runs in certain non-default configurations, specifically:

  • The “verify = recipient” ACL has been removed by the administrator
  • Exim is configured to relay mail to a remote domain
  • Exim is configured to recognize tags in the local part of the recipient’s address

Default Exim setups are also exploitable if the attacker keeps a connection to a vulnerable server for seven days to transmit one byte every few minutes.

“However, because of the extreme complexity of Exim’s code, we cannot guarantee that this exploitation method is unique; faster methods may exist,” the Qualys researchers add.

Interestingly enough, the Exim team wasn’t aware that their February update fixed the flaw, as the vulnerability hadn’t been identified at the time.

Now identified as CVE-2019-10149, the vulnerability is fairly similar to the twenty-year-old WIZ and DEBUG vulnerabilities that affected the Sendmail mail server.

Qualys encourages Exim users to update immediately.

While updating is essential, users should also consider moving away from software that transfers messages from one computer to another using the Simple Mail Transfer Protocol (SMTP).

SMTP doesn’t have any real security mechanism, as the original relaying model of SMTP was built with the idea of “cooperation” and “trust” between servers.

If you would like to have complete control over your email communication, then go to StealthMail.com and find out more about the patented SDNP-based solution that never exposes your data to the public Internet.
