The Exim mail transfer agent (MTA) contains a vulnerability that can allow attackers to reliably execute arbitrary commands on a targeted system. This vulnerability was discovered by our own Qualys Security Research Team and has been named “The Return of the WIZard”, a reference to a couple of similar command execution vulnerabilities in another email server: Sendmail. It is identified as CVE-2019-10149.
Affected Versions:
Exim versions 4.87 to 4.91 are vulnerable.
Vulnerability:
This vulnerability exists because Exim tries to process email addresses at more than one location in the code, implemented via the deliver_message() function. This function, which is part of the functionality that actually delivers messages, critically aids local exploitation by executing commands received via directives such as “RCPT TO:” as root. As mentioned in the vulnerability disclosure document, this happens in default configurations because deliver_drop_privilege, a privilege control, is set to “false”. If this control is set to “true”, Exim is forced to drop its root privileges for every delivery process, which should remediate this vulnerability.
Remote exploitation of this vulnerability, though possible, is a bit tricky because the “verify = recipient” access control list (ACL) is enabled by default. This ACL requires the local part of the recipient’s address to be the name of a local user.
For non-default configurations, exploitation requires elaborate measures such as sending an e-mail and sending keep-alive packets to a vulnerable server for extended periods of time.
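The following triage helper is an added example, not Qualys or Exim code: it classifies a host from the text printed by `exim -bV` and `exim -bP deliver_drop_privilege`, using the version range and the privilege control described on this page. The host names, sample outputs and verdict labels are constructed for illustration; distribution packages with a backported fix can still report a version inside the range, so confirm those against the vendor advisory.

```python
import re

# Affected range as stated on this page: Exim 4.87 to 4.91; 4.92 is fixed.
FIRST_AFFECTED, LAST_AFFECTED = (4, 87), (4, 91)

def parse_exim_version(bv_output):
    """Return (major, minor) from `exim -bV` output, or None if absent.
    Suffixes such as "4.90_1" or "4.89.1" compare by major.minor only."""
    m = re.search(r"^Exim version (\d+)\.(\d+)", bv_output, re.MULTILINE)
    return (int(m.group(1)), int(m.group(2))) if m else None

def drops_privilege(bp_output):
    """Interpret `exim -bP deliver_drop_privilege` output.
    Exim prints a boolean option as its bare name when true and with a
    "no_" prefix when false; anything else is treated as unknown (None)."""
    value = bp_output.strip()
    if value == "deliver_drop_privilege":
        return True
    if value == "no_deliver_drop_privilege":
        return False
    return None

def triage(bv_output, bp_output):
    """Classify a host as 'unknown', 'not-affected', 'mitigated' or 'exposed'."""
    version = parse_exim_version(bv_output)
    if version is None:
        return "unknown"
    if not FIRST_AFFECTED <= version <= LAST_AFFECTED:
        return "not-affected"
    # In the affected range only an explicit "true" counts as mitigated, so
    # an unreadable or missing setting fails closed to "exposed".
    return "mitigated" if drops_privilege(bp_output) is True else "exposed"

# Constructed sample outputs (not captured from real hosts).
SAMPLES = {
    "mail1": ("Exim version 4.91 #3 built 01-Jan-2019 00:00:00\n", "no_deliver_drop_privilege\n"),
    "mail2": ("Exim version 4.90_1 #2 built 01-Jan-2019 00:00:00\n", "deliver_drop_privilege\n"),
    "mail3": ("Exim version 4.92 #1 built 01-Jan-2019 00:00:00\n", "no_deliver_drop_privilege\n"),
    "mail4": ("Exim version 4.86 #1 built 01-Jan-2016 00:00:00\n", ""),
    "mail5": ("exim: command not found\n", ""),
}

if __name__ == "__main__":
    for host, (bv, bp) in SAMPLES.items():
        print(host, triage(bv, bp))
```

A "mitigated" verdict reflects only the deliver_drop_privilege setting discussed above; the host still needs the upgrade to 4.92.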
Conclusion:
Exim version 4.92 remediates this vulnerability. Qualys Vulnerability Management customers can launch remote and authenticated scans to identify vulnerable systems in their network by scanning for the following vulnerabilities:
- QID 50092 : Exim Remote Command Execution Vulnerability
- QID 197488 : Ubuntu Security Notification for Exim4 Vulnerability (USN-4010-1)
Additional QIDs for individual supported operating systems will be made available soon.