Root exploitation issue Exim-Mailserver

At what time will Sophos release a fix for this issue?

Because using an Exim mail proxy with a root remote exploitation isn't a good idea at all.

see here:

www.openwall.com/.../4

  • Thanks for sharing. So far I don't see any update on the Sophos KB. Looks like Exim needs to be updated at least to v.4.87.

    CVE-2019-10149 RCE vulnerability in Exim 4.87 to 4.91.

  • In reply to eyos:

    Guys, I don't know that this particular vulnerability has been addressed, but the developers are far more likely to make the adjustment in the code they have rather than risk substituting a newer version that they have not vetted.  If you have a paid license, you can ask Support if this vulnerability exists in the current code.  Please share the result here.

    Cheers - Bob

  • In reply to BAlfson:

    Guys, it seems that (at least with XG) enabling recipient verification seems to cure it (see https://community.sophos.com/kb/en-us/134199). Can ANYONE at Sophos please report back if this is also valid for UTM? Furthermore, why is there a KB for XG but not for UTM? BTW UTM 9.603-1 is running EXIM 4.82. This COULD imply that UTM is not vulnerable at all ;-) But then again, someone at Sophos should clarify.

  • I received the following today from Sophos support:

    "The latest SG firmware, 9.603 (as well as 9.602) is not running a version of exim with that vulnerability CVE-2019-10149"
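A small check a UTM or XG admin could run to answer the two questions raised in the thread (is the installed Exim inside the 4.87 to 4.91 range named for CVE-2019-10149, and is recipient verification switched on in the ACL). This is an added example, not code from the thread, from Sophos or from the Exim project; the `exim -bV` output and the ACL fragment are constructed samples, and whether recipient verification is a sufficient mitigation on UTM is left open, as it is in the thread.

```python
"""Check Exim version against the CVE-2019-10149 range and look for
recipient verification in an Exim ACL. Added example; samples are constructed."""
import re
import subprocess

AFFECTED_MIN = (4, 87)  # first affected release named in the thread
AFFECTED_MAX = (4, 91)  # last affected release named in the thread

# Constructed sample of the banner line printed by `exim -bV`.
SAMPLE_BV = "Exim version 4.82 #2 built 01-Jan-2019 00:00:00\nCopyright (c) ...\n"

# Constructed sample ACL fragment: recipient verification enforced in acl_check_rcpt.
SAMPLE_ACL = """acl_check_rcpt:
  accept  hosts = :
  # verification is required for everything else
  require verify = recipient
  accept
"""


def parse_exim_version(bv_output: str):
    """Return (major, minor) parsed from `exim -bV` text, or None if absent."""
    m = re.search(r"Exim version (\d+)\.(\d+)", bv_output)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_affected(version) -> bool:
    """True when the version lies inside the 4.87..4.91 range (inclusive)."""
    return version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX


def has_recipient_verification(acl_text: str) -> bool:
    """True if a non-comment ACL line enables `verify = recipient`.
    Both `require verify = recipient` and `deny !verify = recipient` count."""
    for line in acl_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # commented-out directives do nothing
        if re.search(r"!?verify\s*=\s*recipient\b", stripped):
            return True
    return False


def assess(bv_output: str, acl_text: str) -> dict:
    """Combine both checks into one report for the admin."""
    version = parse_exim_version(bv_output)
    return {
        "version": "unknown" if version is None else "%d.%d" % version,
        "affected": is_affected(version),
        "recipient_verification": has_recipient_verification(acl_text),
    }


if __name__ == "__main__":
    try:  # live run on a host where exim is on PATH; falls back to the sample
        bv = subprocess.run(["exim", "-bV"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        bv = SAMPLE_BV
    print(assess(bv, SAMPLE_ACL))
```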