EXIM RCE CVE-2019-15846 URGENT

Hi JoergRiether 

Allow me some time to check, I will update here as soon as I have some information regarding this.

Youch!  My exim version is 4.82.  The minimum safe build is 4.92.1.

also check out https://www.openwall.com/lists/oss-security/2019/09/04/1

and the interview with Heiko (in german) -> https://marius.bloggt-in-braunschweig.de/2019/09/04/nicht-schon-wieder-ein-root-exploit-im-exim/

problem relies mainly with exim-tls, to be precise in a provided modified SNI string. 

Question would be if utm is vulnerable as the fraudulent sni could be modified/harmonized/normalized before it reaches naked exim. We have to wait for Sophos here to provide fresh intel.

JoergRiether said:

also check out https://www.openwall.com/lists/oss-security/2019/09/04/1

and the interview with Heiko (in german) -> https://marius.bloggt-in-braunschweig.de/2019/09/04/nicht-schon-wieder-ein-root-exploit-im-exim/

problem relies mainly with exim-tls, to be precise in a provided modified SNI. 

Question would be if utm is vulnerable as the fraudulent sni could be modified/harmonized/normalized before it reaches naked exim. We have to wait for Sophos here. 

 

 

I hope they are taking this seriously because I'm already reading about thousands of sites (mostly wordpress) being ransomware encrypted with LILU and the intrusion vector is this vulnerability with exim.

Hi JoergRiether 

This is currently being investigated by our Development team on a priority basis as NUTM-11229. I'll post an update as soon as there's more information available.

Just out of interest, does this team work 24*7 (in ITIL one could say follow the sun) or 8*5? Or anything in between? I think some people here could sleep a little better if the answer is not 8*5.

Best regards

Alex

Tenable has a plugin online https://www.tenable.com/cve/CVE-2019-15846 but i guess this plugin only checks for the banner version string, so imho still valid statement from Sophos urgently needed. Also nothing from rapid7 so far https://www.rapid7.com/db/?q=exim&type= 

Hi Jaydeep,

This is incredible dissatisfying.
Ubuntu and Debian already providing patches for Exim.
Most of us are paying a fortunate to Sophos so we are not facing such issues.
Go and have a look at the official exim site https://www.exim.org/static/doc/security/CVE-2019-15846.txt
You could have investigated this issue for more than a month!

Someone would believe Sophos reacts fast an realiable without us having to ask!

Gregor Streng

Any updates so far?

In June you wrote about this:

https://nakedsecurity.sophos.com/2019/06/07/action-required-exim-mail-servers-need-urgent-patching/

making 4.92 the safest version, today it should be 4.92.2

I am running 9.605 UTM:

How can it be that Exim version is:

Exim version 4.82_1-5b7a7c0-XX #2 built 15-Aug-2018 11:10:24

:-O