Recently, the Linux mail transfer agent Exim was found to have a remote code execution vulnerability (CVE-2019-15846) in its handling of TLS connections. An attacker can "send a backslash-null sequence at the end of the SNI during the initial TLS handshake" and thereby obtain root-level access to the system.
Exim is a message transfer agent (MTA) for use on Unix-like operating systems. Released as free software under the terms of the GNU General Public License, it aims to be a versatile and flexible mail program with extensive facilities for checking incoming mail.
Exim has been ported to most Unix systems and, through the Cygwin emulation layer, to Microsoft Windows. Exim 4 is currently the default MTA on Debian GNU/Linux.
Exim is installed at a large number of Internet service providers and universities in the United Kingdom, and it is also widely used with the GNU Mailman mailing list manager and cPanel.
Affected versions
- Exim < 4.92.2
Unaffected version
- Exim 4.92.2
Solution
Although no exploit has been publicly disclosed at the time of writing, Qualys has described several key steps for preparing one, ending with use of the vulnerability to write to the /etc/passwd file and obtain remote root. An attacker could write an exploit from that description. We recommend that users upgrade to version 4.92.2 immediately.
If you cannot upgrade immediately, Exim recommends adding the following rules to the ACL configured as acl_smtp_mail.
Against the SNI attack, the following ACL fragment should be effective:
# to be prepended to your mail acl (the ACL referenced
# by the acl_smtp_mail main config option)
deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}}
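To show why the ACL checks for a trailing backslash, here is an added, simplified illustration (not Exim's own code) of the bug class the advisory describes: an escape-processing routine that treats the byte after a backslash as the escaped character without first checking whether that byte is the string terminator. The function names, the constructed input buffer and the "bytes beyond the string" are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction, not Exim's code: expand backslash escapes in a
 * NUL-terminated string into literal bytes. The defect mirrors the advisory:
 * a backslash as the LAST byte before the NUL makes the loop consume the NUL
 * as the "escaped" character and keep reading whatever lies beyond the string. */
static size_t unescape_vulnerable(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    while (*in != '\0' && n + 1 < outsz) {
        char c = *in++;
        if (c == '\\')
            c = *in++;          /* BUG: no check that *in is not the terminator */
        out[n++] = c;
    }
    out[n] = '\0';
    return n;                   /* bytes written, embedded NULs included */
}

/* Hardened form: a trailing backslash has nothing to escape, so the value is
 * rejected, which is the same decision the ACL above makes for $tls_in_sni.
 * Returns -1 on rejection, otherwise the number of bytes written. */
static long unescape_safe(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    while (*in != '\0' && n + 1 < outsz) {
        char c = *in++;
        if (c == '\\') {
            if (*in == '\0') return -1;   /* backslash-NUL: refuse the value */
            c = *in++;
        }
        out[n++] = c;
    }
    out[n] = '\0';
    return (long)n;
}

/* Constructed buffer: the 3-byte value "ab\" followed by its NUL and then
 * three bytes standing in for whatever sits after the string in memory. */
static size_t demo_overread(void)
{
    static const char heap_like[] = "ab\\\0XYZ";
    char out[32];
    return unescape_vulnerable(heap_like, out, sizeof out);  /* 6: a b NUL X Y Z */
}

static long safe_len(const char *in) { char out[32]; return unescape_safe(in, out, sizeof out); }

int main(void)
{
    printf("vulnerable wrote %zu bytes from a 3-byte value\n", demo_overread());
    printf("hardened result for \"ab\\\\\": %ld\n", safe_len("ab\\"));   /* -1 */
    return 0;
}
```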
Details of Exim: click here
Exim download address: click here