Critical TLS flaw opens Exim servers to remote compromise


A ‘critical’ security vulnerability has been discovered in the Exim mail server that requires admins’ urgent attention.

The flaw (CVE-2019-15846), which affects all versions from 4.80 up to and including 4.92.1, was discovered in July 2019 by a researcher identified as ‘Zerons’; Exim’s maintainers have so far offered only a general description of it.

Subsequently confirmed by engineers working for Qualys, the flaw is a buffer overflow in the part of the TLS negotiation that handles Server Name Indication (SNI). SNI is the TLS extension by which a client names the host it wants to reach, so that a host serving multiple HTTPS-secured TLS services from the same IP address can present the correct certificate and direct the incoming connection to the right one.

It’s as serious a flaw as it’s possible to imagine in a mail server because an attacker could exploit it either locally or from the internet with no special privileges by sending an SNI ending in a backslash-null sequence during the initial TLS handshake.

Alternatively, attackers could attempt the same thing – achieving root on the target – using a crafted client TLS certificate.

Currently, there are no reported exploits for the flaw, which is believed to exist right now only as a proof of concept. Nevertheless, the maintainers are blunt:

If your Exim server accepts TLS connections, it is vulnerable. This does not depend on the TLS library, so both GnuTLS and OpenSSL are affected.

What to do

Exim is easily the most popular open-source mail server on the internet, accounting by some estimates for almost 60% of those visible online.

An unwise few might not have TLS turned on, but all Exim admins are still advised to update to 4.92.2, which fixes the issue (disabling TLS removes the exposure but is not recommended as a fix).
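The two conditions above (a build in the 4.80 to 4.92.1 range, and TLS being offered to clients) are easy to check from the host itself. The following triage script is an added example, not code from the article or the Exim project; it assumes the first line of `exim -bV` output starts with “Exim version X.Y[.Z]” and that `exim -bP tls_advertise_hosts` prints the option as “tls_advertise_hosts = value”, and the sample outputs embedded below are constructed, not real captures.

```python
import re

# Affected range and fixed release as stated in the article.
FIRST_AFFECTED = (4, 80, 0)
LAST_AFFECTED = (4, 92, 1)
FIXED = "4.92.2"

# Constructed sample outputs (assumed format of `exim -bV` and
# `exim -bP tls_advertise_hosts` on a 4.92 host); not real captures.
SAMPLE_BV = ("Exim version 4.92 #3 built 15-Jun-2019 10:11:12\n"
             "Copyright (c) University of Cambridge, 1995 - 2018\n")
SAMPLE_BP = "tls_advertise_hosts = *\n"


def parse_version(bv_output):
    """Return (major, minor, patch) from the 'Exim version X.Y[.Z]' line."""
    m = re.search(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", bv_output, re.M)
    if not m:
        raise ValueError("no 'Exim version' line found")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def tls_advertised(bp_output):
    """True if tls_advertise_hosts is non-empty, i.e. STARTTLS is offered to
    at least some hosts. Conservative: any non-empty host list counts."""
    m = re.search(r"^tls_advertise_hosts[ \t]*=[ \t]*(.*)$", bp_output, re.M)
    if not m:
        raise ValueError("no tls_advertise_hosts line found")
    return m.group(1).strip() != ""


def assess(bv_output, bp_output):
    """Classify a host for CVE-2019-15846. Returns one of:
      'not-affected'  version outside 4.80..4.92.1
      'patch-anyway'  affected build, but TLS not advertised
      'vulnerable'    affected build and TLS offered to clients
    """
    version = parse_version(bv_output)
    if not (FIRST_AFFECTED <= version <= LAST_AFFECTED):
        return "not-affected"
    if not tls_advertised(bp_output):
        return "patch-anyway"
    return "vulnerable"


if __name__ == "__main__":
    ver = ".".join(map(str, parse_version(SAMPLE_BV)))
    print(f"Exim {ver}: {assess(SAMPLE_BV, SAMPLE_BP)} (fixed in {FIXED})")
```

On a real host, feed it the actual command outputs; note that a build which accepts TLS on connect via other settings would still be affected even if this heuristic reports 'patch-anyway'.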

Exim servers running versions prior to the vulnerability’s appearance in v4.80 (2012) are not at risk from this flaw, but remain exposed to a number of others, such as the CVE-2018-6789 remote code execution flaw from last year.

More recent Exim vulnerabilities include CVE-2019-10149 and a Linux worm later discovered by Microsoft to be targeting that flaw.
