Root exploitation issue Exim-Mailserver

At what time will Sophos release a fix for this issue?

Because using an Exim mail proxy with a root remote exploitation isn't a good idea at all.


see here:

  • Thanks for sharing. So far I don't see any update on the Sophos KB. Looks like Exim needs to be updated at least to v.4.87.

    CVE-2019-10149 RCE vulnerability in Exim 4.87 to 4.91.
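A quick way to triage the version question raised in this post, as an added example that is not part of the original thread or of any Sophos or Exim tooling: parse the Exim version out of an SMTP greeting banner and compare it against the 4.87 to 4.91 range given above. The banner strings are constructed for the example (no real host was queried), and the range bounds are taken from the thread, not from this script's own research.

```python
import re
from typing import Optional, Tuple

# Range stated in the thread for CVE-2019-10149: Exim 4.87 through 4.91 (inclusive).
# Anything below (e.g. 4.82) or above (e.g. 4.92) falls outside it.
VULNERABLE_MIN = (4, 87)
VULNERABLE_MAX = (4, 91)

# Constructed sample SMTP greeting banners for the example (not captured from real hosts).
SAMPLE_BANNERS = {
    "utm": "220 utm.example.internal ESMTP Exim 4.82 Tue, 11 Jun 2019 10:00:00 +0200",
    "old": "220 mail.example.internal ESMTP Exim 4.91 Tue, 11 Jun 2019 10:00:00 +0200",
    "fixed": "220 mail.example.internal ESMTP Exim 4.92 Tue, 11 Jun 2019 10:00:00 +0200",
    "hidden": "220 mail.example.internal ESMTP ready",
}


def parse_exim_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from an Exim banner, or None if no version is advertised.

    Patch levels such as 4.91.1 are deliberately collapsed to (4, 91): the range in
    the thread is expressed in major.minor terms only.
    """
    m = re.search(r"\bExim\s+(\d+)\.(\d+)", banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def in_cve_2019_10149_range(version: Tuple[int, int]) -> bool:
    """True if the (major, minor) tuple lies within 4.87..4.91 inclusive."""
    return VULNERABLE_MIN <= version <= VULNERABLE_MAX


def assess_banner(banner: str) -> str:
    """Classify a banner as 'vulnerable-range', 'outside-range' or 'unknown'.

    'unknown' covers servers that hide their version; those need another check
    (e.g. asking the vendor or inspecting the appliance's package list).
    """
    version = parse_exim_version(banner)
    if version is None:
        return "unknown"
    return "vulnerable-range" if in_cve_2019_10149_range(version) else "outside-range"


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name:7s} {parse_exim_version(banner)} -> {assess_banner(banner)}")
```

The banner check is only an indicator: as a later reply in this thread points out, an appliance vendor may backport a fix into the version it already ships, so a banner in the vulnerable range is a reason to ask Support, not proof of exposure, and a banner outside it does not replace the vendor's statement.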

  • In reply to eyos:

    Guys, I don't know that this particular vulnerability has been addressed, but the developers are far more likely to make the adjustment in the code they have rather than risk substituting a newer version that they have not vetted. If you have a paid license, you can ask Support if this vulnerability exists in the current code. Please share the result here.

    Cheers - Bob

  • In reply to BAlfson:

    Guys, it seems that (at least with XG) enabling recipient verification cures it (see Can ANYONE at Sophos please report back if this is also valid for UTM? Furthermore, why is there a KB for XG but not for UTM? BTW UTM 9.603-1 is running Exim 4.82. This COULD imply that UTM is not vulnerable at all ;-) But then again, someone at Sophos should clarify.

  • I received the following today from Sophos support:

    "The latest SG firmware, 9.603 (as well as 9.602) is not running a version of exim with that vulnerability CVE-2019-10149"