Exim command execution vulnerability can be exploited remotely, warn researchers

A remote command execution (RCE) bug in mail relay software used by more than half of the world’s email servers could allow attackers to run commands as root.

The vulnerability was discovered in Exim, a mail transfer agent estimated to be used by more than 57% of all email servers.

In a recent security audit, researchers from Qualys discovered a critical RCE flaw in Exim versions 4.87 through 4.91.

The bug could allow attackers to run commands on the Exim server as root, effectively taking full control of the server.

It can easily be exploited by a local attacker, but in some scenarios the flaw could also be exploited remotely.

Qualys confirmed that a remote attack in the default configuration is possible if the connection between the malicious actor and the vulnerable server is left open for at least seven days.

Remote exploitation is also possible in some non-default configurations of Exim. For example, if an administrator has manually removed the verify = recipient access-control list check, the local exploitation technique also works remotely.

A security advisory gives more detail on how the vulnerability can be exploited.

Qualys explained that Exim servers have been exposed to RCE since version 4.87, released in April 2016.

The bug was fixed in version 4.92, but the fix was not identified as addressing a security flaw, suggesting that the Exim developers were possibly unaware of its impact at the time.

Although the conditions for remote exploitation are narrow, users are still urged to update to at least version 4.92 to protect their servers.
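As an added defender-side check, not part of the original article or of the Exim project: a short Python script that reads the version from `exim -bV` output, compares it against the 4.87 through 4.91 range named above, and looks for the `verify = recipient` condition the article says decides whether the local exploit also works remotely. The sample `-bV` line and the ACL fragments are constructed, and the ACL scan is a plain text search, not a full Exim config parser.

```python
import re

# Version range the article names: 4.87 through 4.91 affected, 4.92 fixed.
FIRST_AFFECTED = (4, 87)
FIRST_FIXED = (4, 92)

# Constructed sample of the first line `exim -bV` prints (not real output from
# any host; build number and date are placeholders).
SAMPLE_BV_OUTPUT = "Exim version 4.91 #1 built 01-Jan-2019 00:00:00\n"

# Constructed RCPT ACL fragments in the style of the default configuration.
ACL_WITH_VERIFY = """acl_check_rcpt:
  accept  domains  = +local_domains
          endpass
          verify   = recipient
"""
ACL_WITHOUT_VERIFY = """acl_check_rcpt:
  accept  domains  = +local_domains
"""

def parse_version(bv_output):
    """Return (major, minor) from `exim -bV` output, or None if not found."""
    m = re.search(r"Exim version (\d+)\.(\d+)", bv_output)
    return (int(m.group(1)), int(m.group(2))) if m else None

def is_affected(version):
    """True when 4.87 <= version < 4.92, the range the article gives."""
    return version is not None and FIRST_AFFECTED <= version < FIRST_FIXED

def has_recipient_verify(acl_text):
    """True if an active (non-comment) line still sets 'verify = recipient'."""
    for line in acl_text.splitlines():
        stripped = line.strip()
        if not stripped.startswith("#") and re.search(r"\bverify\s*=\s*recipient\b", stripped):
            return True
    return False

def assess(bv_output, acl_text):
    """Combine both checks into a single verdict string."""
    if not is_affected(parse_version(bv_output)):
        return "not affected"
    if has_recipient_verify(acl_text):
        return "affected: local RCE; remote needs a week-long connection; upgrade to 4.92"
    return "affected: remote RCE in this configuration; upgrade to 4.92 now"

if __name__ == "__main__":
    print(assess(SAMPLE_BV_OUTPUT, ACL_WITHOUT_VERIFY))
```

On a real host, feed `assess` the output of `exim -bV` and the contents of the active Exim configuration file in place of the constructed samples.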