Fixing Exim Mail Server RCE (CVE-2019-10149) Vulnerability using SanerNow - Exploited in the Wild


    Overview:
    The Exim mail server has received an important update which fixes a critical remote command execution flaw. The CVE ID assigned to this vulnerability is CVE-2019-10149. The root cause is improper validation of the recipient address in the ‘deliver_message’ function of the Exim mail server. The flaw has been nicknamed ‘Return of the WIZard’.

    This vulnerability can be exploited instantly by a local attacker as well as a remote attacker. It allows attackers to execute arbitrary commands on the Exim server with the permissions of the user running the application, download crypto miners and scan for other vulnerable servers.

    A widespread campaign is exploiting this Exim flaw, leaving millions of Linux servers exposed to a worm attack. The worm achieves persistence on an infected system by installing several payloads at different stages, including a port scanner and a coin miner.


    CVSS v3.0 Severity and Metrics:
    Base Score: 7.5 HIGH

    CVSS v2.0 Severity and Metrics:
    Base Score: 9.8 CRITICAL


    Affected software:
    Exim versions 4.87 through 4.91 are affected.
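    An added example, not part of this SanerNow article or of the SanerNow product: a small Python triage helper that parses the version banner printed by `exim -bV` and flags hosts whose Exim version falls in the 4.87 to 4.91 range listed above, so an administrator can quickly sort a fleet before patching. The sample banners are constructed; the `exim4` binary name comes from Debian's packaging, and the backport caveat in the docstring is a general note rather than something this article states.

```python
import re
import subprocess

# Affected range named in the article: 4.87 through 4.91 (4.92 is the fix).
AFFECTED_MIN = (4, 87)
AFFECTED_MAX = (4, 91)

# Constructed sample banners in the shape the first line of `exim -bV` takes.
SAMPLE_BANNERS = {
    "host-a": "Exim version 4.91 #1 built 10-Jun-2018 17:05:53",
    "host-b": "Exim version 4.92 #3 built 04-Jun-2019 10:10:08",
    "host-c": "Exim version 4.86_2 #1 built 13-Feb-2016 12:00:00",
    "host-d": "bash: exim: command not found",
}

def parse_exim_version(banner):
    """Return (major, minor) from an `exim -bV` banner, or None if absent."""
    m = re.search(r"Exim version (\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(banner):
    """Classify a banner as 'affected', 'not affected' or 'unknown'.

    Tuples compare element-wise, so 4.86 < 4.87 and 4.92 > 4.91 without
    string tricks. Distributions may backport the fix while keeping the old
    upstream version string, so 'affected' means 'verify this host against
    the distro advisory', not 'confirmed vulnerable'.
    """
    version = parse_exim_version(banner)
    if version is None:
        return "unknown"
    return "affected" if AFFECTED_MIN <= version <= AFFECTED_MAX else "not affected"

def triage_local_host():
    """Run `exim -bV` (Debian installs the binary as `exim4`) and triage it."""
    for binary in ("exim", "exim4"):
        try:
            proc = subprocess.run([binary, "-bV"], capture_output=True,
                                  text=True, timeout=10)
            return triage(proc.stdout)
        except (FileNotFoundError, subprocess.TimeoutExpired):
            continue
    return "unknown"

if __name__ == "__main__":
    for host, banner in SAMPLE_BANNERS.items():
        print(f"{host}: {triage(banner)}")
    print(f"this host: {triage_local_host()}")
```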


    Solution:

    To address this vulnerability, the vendor has released version 4.92, which fixes the flaw. For more information, please refer to our blog.

    Use the SanerNow platform to apply this critical patch quickly across the organization as shown below.

    NOTE: This vulnerability is being actively exploited by attackers to break into systems, so consider applying the patch immediately.


    SanerNow: Vulnerability detection and patching of Exim Mail Server:


    1. Log in to the SanerNow platform.

    2. Switch to the account/site-specific view and go to the 'VM tool'.

    3. The Exim CVE-2019-10149 vulnerability will be listed under 'Top Vulnerabilities' or 'Recently Discovered Vulnerabilities' as shown in the diagram below.

    [Screenshot: 1.png]


    4. Search for this vulnerability in the VM tool. If you are affected, apply the patch through PM -> Missing Patches.

    [Screenshot: 2.png]


    5. Select 'Groups/Devices' in the 'Asset Source' section and click 'Apply'.

    6. Select the 'Exim' product from the 'Asset' section as shown in the diagram below.

    [Screenshot: 3.png]


    7. Select 'Apply Selected Patches' at the rightmost corner. This opens the 'Creating Patching Task' prompt. Fill in 'Task Name' and 'Remediation Schedule' as per your preference and click 'Apply Selected Patches' as shown below.

    [Screenshot: 4.png]


    8. A remediation job will be created, which fixes the vulnerability by upgrading Exim to version 4.92.

    9. Once remediation is done, the Saner agent automatically scans again and uploads the result to SanerNow as shown below.

    [Screenshot: 5.png]
