At what time will Sophos release a fix for this issue?
Because using an Exim mail proxy with a root remote exploitation isn't a good idea at all.
Thanks for sharing. So far I don't see any update on the Sophos KB. Looks like Exim needs to be updated at least to v4.87.
CVE-2019-10149: RCE vulnerability in Exim 4.87 to 4.91.
In reply to eyos:
Guys, I don't know that this particular vulnerability has been addressed, but the developers are far more likely to make the adjustment in the code they have rather than risk substituting a newer version that they have not vetted. If you have a paid license, you can ask Support if this vulnerability exists in the current code. Please share the result here.
Cheers - Bob
In reply to BAlfson:
Guys, it seems that (at least with XG) enabling recipient verification seems to cure it (see https://community.sophos.com/kb/en-us/134199). Can ANYONE at Sophos please report back if this is also valid for UTM? Furthermore, why is there a KB for XG but not for UTM? BTW, UTM 9.603-1 is running Exim 4.82. This COULD imply that UTM is not vulnerable at all ;-) But then again, someone at Sophos should clarify.
I received the following today from Sophos support:
"The latest SG firmware, 9.603 (as well as 9.602) is not running a version of exim with that vulnerability CVE-2019-10149"