A vulnerability has been discovered in the Exim mail transfer agent that allows remote execution of commands on the server.
Qualys researchers have discovered critical vulnerability that affects more than half of mail servers. The problem was detected in the Exim Mail Transfer Agent (MTA) software, which is installed on mail servers for delivering emails from the sender to the addressee.
According to data for June 2019, Exim is set at 57% (507,389) of all servers visible through the Internet. True, there is information that in fact the number of Exim installations exceeds this number tenfold and is 5.4 million.
Detected by Qualys experts are vulnerable to software versions from 4.87 to 4.91. The vulnerability allows a remote / local attacker to launch commands on the mail server with superuser privileges. A local attacker, even with the lowest privileges, can exploit it immediately. However, the most dangerous are remote attackers who scan the Internet for vulnerable servers and are able to take control of vulnerable systems.
For remote exploitation of the default configuration, an attacker must maintain a connection to the vulnerable server for seven days (by sending one byte every few minutes). The researchers also admit the possibility of the existence of faster ways to exploit the vulnerability, but due to the excessive complexity of the Exim code, they have so far managed to detect only this one. In addition, vulnerability can be exploited remotely not only with the default configuration settings.
The problem was fixed in the version of Exim 4.92, released in February of this year. It is noteworthy that at the time of the release of the new version of the software, the vulnerability was not yet known, and it was fixed accidentally. The problem was discovered by researchers only during the audit of old versions of Exim. Vulnerability assigned an identifier CVE-2019-10149, in Qualys, it passes under the name "Return of the WIZard".